Good day all,
I am a CISSP, trained in HIPAA, and familiar with security methods.
I have an interesting situation at my workplace. This situation is nothing new, but the response of the organization I am working for is very odd to me.
Situation:
A nurse shared her LAN ID and password with some patients. She claims this is in an attempt to increase patient satisfaction. The medical institution does not have a network system available for patients. Her sharing her ID has allowed the patients access to internal systems and confidential information. She has shared her ID with several patients.
Conditions:
Her actions do not seem to be malicious. She does seem genuinely interested in patient care and the fact she was doing something wrong did not occur to her. She has been on staff since 1989.
She has completed annual HIPAA training that stresses confidentiality and security. The entire organization is continually briefed on network security and patient confidentiality. A complete organization-wide campaign on password security was completed in 2006.
Please give me some recommendations as to what actions, if any, you would take against this person for this infraction. Once some people have replied, I will share what my organization did.
Thank you.