You are the CEO of a large health services organization (HSO) in Florida. Your HSO has inpatient and outpatient facilities, home healthcare services, and every other service your patient population needs. You also have a world-renowned AIDS treatment center that has been considered by many to be a model for the rest of the United States. Your HSO has always enjoyed an excellent reputation, and your quality of care is known to be excellent. You have been very happy in your work, knowing that your HSO provides good care to people who truly need it in a caring and cost-effective manner.

Your HSO has recently been featured in every media vehicle known to every man, woman, and child in the United States and beyond. The reason: someone downloaded the names of 4,000 HIV+ patients who had been seen in your world-renowned HIV clinic and sent the list to newspapers, magazines, and the Internet.

You and your board of trustees are completely blown away. The board is furious and wants to fire you. You have been able to convince them that they need to keep you on to fix the HSO’s management information system (MIS). Their last words to you were “You had better come back with plans for building a better MIS, or you’re fired!”

You hire a computer security consultant, and she comes into your organization under disguise as a nurse manager to help you determine where the security leak might be. She returns to you in three days with the following report.

“While I was undercover in your organization for a mere three days, I observed the following breaches in computer security. These are the highlights (or lowlights):

· ■ Nurses log in with their passwords, walk away, and leave the system open and up and running;

· ■ Dr. Jones leaves his password taped to the PC on a piece of paper;

· ■ Fax machines and printers are often in areas of high traffic and in rooms without locks;

· ■ With my one password, I had remote access to every database in the hospital, including Human Resources, from my home;

· ■ There are no programs reminding people to change their passwords on a regular basis;

· ■ When I pretended to forget my password, other nurses gave me theirs; and

· ■ When I requested sensitive patient files on flash drive, even after this incident, people rarely questioned me.

In short, you have a major problem with your MIS—and your staff!” What should you do?

DISCUSSION QUESTIONS

1. What law is being violated by the employees at this health services organization?

2. Why was this law enacted?

3. What are the penalties for violating this law?

4. If an employee shares confidential medical information about a celebrity and is caught, what should the penalty be?

5. Do you think you should be updating your resume and looking for a new job?