Posted at 10.13.2018
The aim of this paper is to examine the importance of personal data, also called sensitive data that are in reality used almost by any organisation in this 21st century. Private information is among the most biggest issue round the world, either processing or protecting it. But, in this article, the focus is on the health care system which is the Electric Health Record system (EHR), it is something use to record health information electronically. Getting the legislation, rules and regulation set up, it is found that this system has didn't provide protection on personal data. As a matter of known fact, this technique has managed to be exploited by unauthorised people. The EHR system was not fully tested accordingly to meet up with the end-users requirement, but released to medical service for use. The growth of data loss is increasingly common amongst the organisations in day alive and challenges in protecting personal data have emerged. Hence, it is essential that healthcare service establish a better security policy to protect the non-public data. This research paper will clarify the security issues need to be enforced to be able to safeguard data from the vulnerabilities.
One of the most significant current discussions in legal and moral philosophy is the security of data. It has turned into a central issue for most organisations to accomplish an effective information system within defined scope, quality, time and cost constraints to be able to protect privacy, confidentiality and security. Researchers like Olvingson et al. (2003) claim that there have been drastic changes in the provision of health services because the introduction of computers around three decades ago and issues related to the protection of personal health information have resulted in both technical research and political debate.  Thus, it can be justified that security of data continues to be the leading cause of failure in software system development.
The main issues addressed in this paper are private information, data protection and security. It's been divided into four parts. The first one deals with the reason of personal data, data protection and disclosure of data. The next part is to judge the risks and the effect on information system. The 3rd one is to present different methods to counter these risks. The forth is to provide a summary of findings that can be use as lessons in the foreseeable future.
The reason for this paper is to examine the latest years of research into these parts and critically evaluate and validate this case study.
Personal data can be classified into three main categories; they are contact, profile and behavioural information. It contains the detail information of a full time income person that is unique to each individual. With this scenario, the non-public data reveals the information of individual's health such as name, racial origin, blood group, sex, DNA, contact details, next of kin, illnesses, treatment and General Practitioner's detail. Therefore, EHR system functions at its better to record and transmit this information throughout the health service organisations. But, the largest challenge of this system is to safeguard the privacy of patients' health information. The primary question addressed in this paper is how to protect this sensitive data. According to Croll. P. R (2010), he discusses that the effectiveness of Privacy and security measures depend mostly on the policies adopted by the healthcare organisation.  It can be argued that research shows that there exists inadequate policies enforce by the government and the medical organisation to prevent further harm on personal data. It can just be suggested that future research should determine how to address these issues effectively and generate effective security policies in IS project development
1. 2 Data Protection Act is a legislation that is established since 1984 and replaced in 1998, it can be an Act to safeguard personal data. The principles of the Act are to be sure that data is accurate and correct. Information should be fairly and lawfully processed. Personal data shouldn't be kept longer than necessary and processed for limited purposes. It ought to be adequate, relevant and up to date. The main ones aren't to reveal personal data in virtually any manner and really should be secure. Personal data should be processed relative to the info subject's rights. This Data Act also emphasizes on the accessibility of data, that is to say who is permitted to access to the data and under what conditions. Liability is crucial because it is approximately who's responsible if the info is abused. Haasa S. et al (2010), they argue that even if the providers' policy states that data protection regulations and legislation are met, patients cannot control the EHR provider's usage of their data.  Thus, it can be discussed that EHR system is not a single medical institution any more and it is run by other enterprises who maintain the electronic records system where they get access to the non-public data and able to disclose personal information to other third parties. According to this article, the National Health Information Network (NHIN) and Health Insurance Portability and Accountability Act (HIPPA) cannot guarantee the security of health records because they're not sure people working within the medical organisation will follow the rule.
1. 3 Disclosure of Data is the revelation of data; it can be either wanted or unwanted disclosure. This means that one can either reveal the non-public data to the authorised party or to the third party that might be unauthorised with no conditions. But, this paper focuses on the potential risks that are associated with the data that is disclosed inappropriately. Researchers have found that the in-house sabotage is the leading cause of sharing information to the third parties. It really is the most typical risk factor that is identified by recent studies up to now. A good example of this potential threat of harvesting personal data for commercial purposes is the 'CAMM scam' in Australia, 2003. It is a business promoting pharmaceutical activities and manages to upload the EHR system where they extract the personal data with some doctors' approval.  Later, it was discovered that CAMM did not only make use of it for the pharmaceutical purposes, but also sold it to many insurance companies and also to other organisations that wished to buy the data. Hence, it could be argued that this can cause significant threats to patient's privacy. Concerns have been raised by several bodies about the indegent regulatory structures and policies implementing by the federal government in protecting personal data. The other associated risks are hackers, natural disaster, terrorism and viruses. According to the case study, the fact and figures shows that 99% were the staff that had the opportunity to target the machine and 88% of the organisations had lost money between 500 dollars to 10 huge amount of money.  The most surprising fact is when staff leaves the organisation, they will be the one who become the attackers of the business. Security breaches mostly when there is insufficient access control which contributes to information technology sabotage. Angus N (2005) argues that if it's for the advantage of the individual, information can be shared within the multidisciplinary team looking after the patient and does not connect with research, teaching or other unqualified members.  Thus, it could be justified that information should only be disclosed appropriately and safely to the people required or authorised by the legislation and therefore this will increase the security issues.
This part of the discussion is approximately the analysis of the risks listed above and the impact on information systems in conditions of storage, transport, access management and disclosure are as follows:
Storage -The notion of the freedom people working anywhere has in fact raise the ability to transport data on portable hard disks, laptops and USB sticks. Recent report has confirmed that data leakage have become very common one of the organisations and has great impact on the partnership to customer due to the loss of laptops and USB. For example the case of the PA consulting who transferred the personal data of 84, 000 prisoners in England and Wales to a memory sticks that gone missing.  This was a complete disaster in terms of money loss and identity frauds. There may be increasing concern of shopping online because of security which is the major perception whether to buy or never to online. Recent developments in using credit cards have heightened the need for better security policy to protect personal bank details from hackers. Transport -The crucial thing is when electronic data is carrying insecurely in public domain and in one domain to another. That has an inverse effect on information systems such as people will eventually lose confidence in using the system. Economically speaking, the risks to organisations have become immensely where consumers and businesses suffer from lack of availability, integrity and confidentiality. If these is loss either accidentally or deliberately, this will affect the organisation's productivity, popularity and much more. According to this case study, the health service system is more networked and this lead to a rise of intrusion and malware. The statistic research demonstrates health care companies in United States had an average of 13, 400 attacks per day by the end of 2009, in line with the Secure Works where a few of these attacks are hacking credit card and more are automated attacks from malware which infect computers via networks and USB sticks.  In UK, late 2009, there were three London Hospitals which were forced to shut down their computer networks due to the infected malware known as Mytob.  It can be argued that comes with an adverse impact on NHS because 4, 700 computers were infected and it took about two weeks to eliminate the virus that was cost-effective and data loss.  These attacks can also cause wrong diagnosis of patients and even cause death if the patient's information have been erased or mislead by the malicious attack. Access Management - is about the authentication process which handles the authorization of user s'ID and password to have access to the data. Concerns have been raised by several bodies about the poor password management. This means that passwordword is not changed regularly and gets the same default fixed password which makes the machine vulnerable to most attacks. Actually, this scenario states that the user need not have administrator usage of do serious damage to medical records. McSherry (2004) suggests that with the growing effectiveness of data retrieval engines and data mining techniques, personal data has become vulnerable to unauthorised people.  It could be argued that data kept electronically makes it much easier to exploit by data thieves and other intruders. Disclosure - this explains to whom information should be disclosed to, in other words who is liable to receive this information and on what conditions. The employees have a key role to experience regarding this because if they are liable under the Data Protection Act, company rules and regulation or not. But in most cases as mentioned above, it is available that mostly the staff that breaches the contract while dealing with personal information.
Presentation of different approaches will be discussed in this part of the paper to counter these risks in the above list. Recent developments in the field of security issues have resulted in a renewed involvement in encryption. Encryption is the process of converting information into codes. It really is by means of computer programs software used to secure data. That is to say, a sender enters his / her personal data, it is first get encrypted and then decrypted before it reach to the receiver. It is among the finest solutions to many of these potential threats. Encryption is distinguished to protect communications and secure data effectively and safely, thus it could be justified that encryption should be enforced by the organisations internally and externally. This also applies on mobile devices, such as mobile phones and laptops where data are stored. Good and effective password management policy should be implemented at workplace. As the matter fact, authentication is the key factor of security issues, thus it's important to get strong methods, for example change password regularly and change the default. Staff should not bypass password in any manner. Education and training regarding data protection should be continuously adhered to employees. Public key infrastructure should be implemented as it offers a means to generate, administer and revoke digital certificate. It works comparable to personal IDs, public key provides authentication where as the private key provides confidentiality. Therefore, encryption should be critically devote force when data is passed from one spot to another, for passwords to limit unauthorised access and while storing data in databases and files. Firewall and other anti -virus software are also countermeasures that are had a need to deploy by organisation to safeguard, find and remove virus infection. However, a major problem with this kind of application is organisation often focus on security issues and forget the safety issues when it comes to the rules and regulations, thus medical system should emphasise on safety precautions. Standards need to be followed to enable security protection. It's important that information is disclosed appropriately and safely to the required people on conditions. Various other measures that need to be considered are check has to be made with ONLINE SITES Provider whether personal details are protected and shopping online should happen only through secure server which is https rather than http. It's important to delete the browsing details following the transactions are completed which helps protecting the online privacy. The main you are for staff to abide by the rules and regulation in the organisation to successfully protect the non-public data. However, Guarda P and Zannone N (2009), they suggest that it is difficult for an organisation to make sure data subjects about the correct execution of data processing.  It could thus be argued that data processing is a very delicate activity which need better assurance policy. According to the research study, an automated security testing tool was used in OpenEMR application and uncovered about 400 vulnerabilities. Implementation bugs are code-level security problems. . It had been found that EHRs did not manage to match discretion of patients records. An SQL injection attack was performed in OpenEMR and enabled to log in as the Front Office user without administravive's authorization. Using this system, it is established that any table in the database could be exploited, however the Proprietary Med application was safe. A Cross-site scripting attack is when malicious script is entered into the webpage. It had been also successful and managed to exploit six in each application. It can thus be justified that the best way to test web application is to really have the cross-site script applied correctly. Cookies- are small text files contain information such as username, start page, user preferences and contents of an shopping cart, they are simply use to analyse the user and support junk mail.