The Challenges Of Protecting Personal Information Information Technology Essay

The aim of this paper is to review the importance of personal data, also known as sensitive data that are actually used virtually by any organisation in this 21st century. Personal information has become the biggest issue around the world, either processing or protecting it. But, in this article, the focus is on the health care system which is the Electric Health Record system (EHR), it is a system use to record health information electronically. Having the legislation, rules and regulation in place, it is found that this system has failed to provide protection on personal data. As a matter of fact, this system has managed to be exploited by unauthorised people. The EHR system was not fully tested accordingly to meet the end-users requirement, but released to the health service for use. The growth of data loss is increasingly common among the organisations in day to life and challenges in protecting personal data have emerged. It is therefore essential that health care service establish a better security policy to protect the personal data. This research paper will explain the security issues need to be enforced in order to protect data from the vulnerabilities.

1. INTRODUCTION

One of the most significant current discussions in legal and moral philosophy is the security of data. It has become a central issue for many organisations to achieve a successful information system within defined scope, quality, time and cost constraints in order to protect privacy, confidentiality and security. Researchers like Olvingson et al. (2003) suggest that there have been drastic changes in the provision of health services since the introduction of computers about three decades ago and issues related to the protection of personal health information have resulted in both technical research and political debate.[1] Thus, it can be justified that security of data is still the leading cause of failure in software system development.

The main issues addressed in this paper are personal information, data protection and security. It has been divided into four parts. The first one deals with the explanation of personal data, data protection and disclosure of data. The second part is to evaluate the risks and the impact on information system. The third one is to present different approaches to counter these risks. The forth one is to provide a summary of findings that can be use as lessons in the future.

The purpose of this paper is to review the latest years of research into these parts and critically evaluate and validate this case study.

1.1 What is personal data?

Personal data can be classified into three main categories; these are contact, profile and behavioural information. It contains the detail information of a living person that is unique to each individual. In this scenario, the personal data reveals the information of individual’s health such as name, racial origin ,blood group, sex, DNA, contact details, next of kin, illnesses, treatment and General Practitioner’s detail. Therefore, EHR system functions at its best to record and transmit this information throughout the health service organisations. But, the biggest challenge of this system is to protect the privacy of patients’ health information. The main question addressed in this paper is how to protect this sensitive data. According to Croll.P.R (2010), he discusses that the effectiveness of Privacy and security measures depend mostly on the policies adopted by the healthcare organisation.[2] It can be argued that research shows that there is inadequate policies enforce by the government and the medical organisation to prevent further harm on personal data. It can just be suggested that future research should determine how to address these issues effectively and generate effective security policies in IS project development

1.2 Data Protection Act is a legislation that has been established since 1984 and replaced in 1998, it is an Act to protect personal data. The principles of this Act are to make sure that data is accurate and correct. Information should be fairly and lawfully processed. Personal data should not be kept longer than necessary and processed for limited purposes. It should be adequate, relevant and up to date. The most important ones are not to reveal personal data in any manner and should be secure. Personal data should be processed in accordance with the data subject’s rights. This Data Act also emphasizes on the accessibility of data, that is to say who is allowed to access to the data and under what conditions. Liability is crucial because it is about who is responsible if the data is abused. Haasa S. et al (2010), they argue that even if the providers’ policy states that data protection regulations and legislation are met, patients cannot control the EHR provider’s usage of their data. [3] Thus, it can be discussed that EHR system is not a single medical institution anymore and it is run by other enterprises who maintain the electronic records system where they have access to the personal data and able to disclose private information to other third parties. According to this article, the National Health Information Network (NHIN) and Health Insurance Portability and Accountability Act (HIPPA) cannot guarantee the security of health records because they are not sure people working within the medical organisation will abide by the rule.

1.3 Disclosure of Data is the revelation of data; it can be either wanted or unwanted disclosure. This means that one can either reveal the personal data to the authorised party or to the third party that could be unauthorised without any conditions. But, this paper focuses on the risks that are associated with the data that is disclosed inappropriately. Researchers have found that the in-house sabotage is the leading cause of sharing information to the third parties. It is the most common risk factor that has been identified by recent studies so far. An example of this potential risk of harvesting personal data for commercial purposes is the ‘CAMM scam’ in Australia, 2003. It is a company promoting pharmaceutical activities and manages to upload the EHR system where they extract the personal data with some doctors’ approval. [4] Later, it was found that CAMM did not just use it for the pharmaceutical purposes, but also sold it to many insurance companies and to other organisations that wanted to buy the data. Hence, it can be argued that this can cause significant threats to patient’s privacy. Concerns have been raised by several bodies about the poor regulatory structures and policies implementing by the government in protecting personal data. The other associated risks are hackers, natural disaster, terrorism and viruses. According to the case study, the fact and figures shows that 99% were the staff that had the opportunity to target the system and 88% of the organisations had lost money between 500 dollars to 10 millions of dollars.[5] The most surprising fact is when staff leaves the organisation, they are the one who become the attackers of the company. Security breaches mostly when there is lack of access control which leads to information technology sabotage. Angus N (2005) argues that if it is for the benefit of the patient, information can be shared within the multidisciplinary team caring for the patient and does not apply to research, teaching or other unqualified members.[6] Thus, it can be justified that information should only be disclosed appropriately and safely to the people required or authorised by the legislation and hence this will improve the security issues.

2. Evaluation of the risks and impact on information systems

This part of the discussion is about the evaluation of the risks listed above and the impact on information systems in terms of storage, transport, access management and disclosure are as follows:

Storage -The idea of the freedom people working anywhere has in fact increase the ability to carry data on portable hard drives, laptops and USB sticks. Recent report has confirmed that data leakage have become very common among the organisations and has great impact on the relationship to customer due to the loss of laptops and USB. For example the case of the PA consulting who transferred the personal data of 84,000 prisoners in England and Wales to a memory sticks that gone missing. [7] This was a total disaster in terms of money loss and identity frauds. There is increasing concern of shopping on line because of security which is the major perception whether to buy or not to on line. Recent developments in using credit cards have heightened the need for better security policy to protect personal bank details from hackers. Transport -The crucial thing is when electronic data is carrying insecurely in public domain and from one domain to another. That has an inverse impact on information systems such as people will lose confidence in using the system. Economically speaking, the risks to organisations have grown immensely where consumers and businesses suffer from loss of availability, integrity and confidentiality. If any of these is loss either accidentally or deliberately, this will affect the organisation’s productivity, popularity and much more. According to this case study, the health service system is more networked and that lead to an increase of intrusion and malware. The statistic research shows that health care companies in United States had an average of 13,400 attacks per day at the end of 2009, according to the Secure Works where some of these attacks are hacking credit card and others are automated attacks from malware which infect computers via networks and USB sticks. [8] In UK, late 2009, there were three London Hospitals that were forced to shut down their computer networks due to the infected malware known as Mytob. [9] It can be argued that has an adverse impact on NHS because 4,700 computers were infected and it took about two weeks to eliminate the virus which was cost-effective and data loss.[10] These attacks can also result in wrong diagnosis of patients and even cause death if the patient’s information have been erased or mislead by the malicious attack. Access Management – is about the authentication process which deals with the authorization of user s’ID and password to have access to the data. Concerns have been raised by several bodies about the poor password management. This means that passwordword is not changed regularly and has the same default fixed password which in turn makes the system vulnerable to most attacks. In fact, this scenario states that the user do not need to have administrator access to do serious damage to the health records. McSherry (2004) suggests that with the growing effectiveness of data retrieval engines and data mining techniques, personal data has become vulnerable to unauthorised people. [11] It can be argued that data kept electronically makes it easier to exploit by data thieves and other intruders. Disclosure – this explains to whom information should be disclosed to, that is to say who is liable to receive this information and on what conditions. The employees have a key role to play regarding this because whether they are liable under the Data Protection Act, company rules and regulation or not. But in most cases as mentioned above, it is found that mostly the staff that breaches the contract while dealing with personal information.

3. Controls and countermeasures

Presentation of different approaches will be discussed in this part of the paper to counter these risks listed above. Recent developments in the field of security issues have led to a renewed interest in encryption. Encryption is the process of converting information into codes. It is in the form of computer programs software used to secure data. That is to say, a sender enters his / her personal data, it is first get encrypted and then decrypted before it reach to the receiver. It is one of the best solutions to all of these potential threats. Encryption is distinguished to protect communications and secure data effectively and safely, thus it can be justified that encryption should be enforced by the organisations internally and externally. This also applies on mobile devices, such as mobile phones and laptops where data are stored. Good and effective password management policy should be implemented at workplace. As a matter fact, authentication is the key factor of security issues, thus it is important to have strong methods, for example change password regularly and change the default. Staff should not bypass password in any manner. Education and training regarding data protection should be continuously adhered to employees. Public key infrastructure should be implemented as it provides a means to generate, administer and revoke digital certificate. It works similar to personal IDs, public key provides authentication where as the private key provides confidentiality. Therefore, encryption should be critically put in force when data is transmitted from one place to another, for passwords to limit unauthorised access and while storing data in databases and files. Firewall and other anti -virus software are also countermeasures that are needed to deploy by organisation to protect, detect and remove virus infection. However, a major problem with this kind of application is organisation often focus on security issues and forget the safety issues when it comes to the rules and regulations, thus medical system should emphasise on safety measures. Standards need to be followed to enable security protection. It is important that information is disclosed appropriately and safely to the required people on conditions. Some other measures that need to be considered are check has to be made with Internet Service Provider whether personal details are protected and shopping online should take place only through secure server which is https and not http. It is important to delete the browsing details after the transactions are completed and that helps protecting the online privacy. The most important one is for staff to abide by the rules and regulation in the organisation to successfully protect the personal data. However, Guarda P and Zannone N (2009), they suggest that it is difficult for an organisation to assure data subjects about the correct execution of data processing. [12] It can thus be argued that data processing is a very delicate activity which need better assurance policy. According to the case study, an automated security testing tool was used in OpenEMR application and discovered about 400 vulnerabilities. Implementation bugs are code-level security problems. [13]. It was found that EHRs did not manage to keep up with discretion of patients records. An SQL injection attack was performed in OpenEMR and enabled to log in as the Front Office user without administravive’s authorization. Using this technique, it is established that any table in the database could be exploited, but the Proprietary Med application was safe. A Cross-site scripting attack is when malicious script is entered into the webpage. It was also successful and managed to exploit six in each application. It can thus be justified that the best way to test web application is to have the cross-site script applied correctly. Cookies- are small text files contain information such as username, start page, user preferences and contents of a shopping cart, they are use to analyse the user and support junk mail.