A Case Study On It Issues Information Technology Essay

This case describes the privacy issues surrounding Giant Food’s decision to subcontract a prescription drug compliance program to Elensys. Under the contract, Elensys is required to send refill reminders to Giant Food’s pharmacy customers. Since it is estimated that half of all patients stop taking their medication within six months of prescription, compliance programs are necessary to remind patients to refill their prescriptions. Compliance programs therefore help to tackle a major public health problem: patients forgetting to take their medication. However, as the case shows, these programs raise privacy issues, because they open the door to the reuse of sensitive personal information. The case presents a good opportunity for students to assess the privacy issues raised by this situation. It also gives students the opportunity to come to grips with the challenges involved in implementing a “privacy sensitive” strategy for Giant Food and for CRM programs in general.

The case depicts a number of internal threats. They include intentional malicious behavior, where dissatisfied or malicious employees with internal access to an organization’s information systems deliberately give away private information for retribution, and carelessness, which is associated with unawareness of, or disinterest in, security policies. The case presents both Giant and Elensys as organizations that had placed a heavy emphasis on the security of their information. It is highly likely that the internal threat was caused by intentional malicious behavior. Since severe consequences can result from information breaches within an organization, whether from an internal or an external threat, it is imperative for companies to guard against these incidents to the best of their ability, because the consequences of information security breaches can have long-term, devastating effects on an organization. Nevertheless, information system security is not an IT problem per se; it is an issue that involves all operational and general managers. Managers play a critical role in the planning of an information system, including the allocation of funds, ensuring that IT plans are in line with organizational objectives, determining how processes can be enhanced, and deciding on the level of security that needs to be implemented and the type of data that needs to be secured. Therefore, if organizational or customer information is breached, CEOs, functional managers and IT teams are responsible for resolving the situation.

HIPAA regulations in relation to Case

With reference to HIPAA regulations, Giant Food, Inc. is the covered entity, whereas Elensys Care Services, Inc. is the business associate. For that reason, according to HIPAA regulations, Giant’s approach to launching such programs is unethical and a violation of the HIPAA regulation. As Piccoli notes, “since many other pharmacies were already participating in similar programs, they decided the downside risks were manageable” (Piccoli 456). The fact that other pharmacies had already participated in similar programs did not justify Giant’s participation in the programs without deeper consideration of privacy. Giant Food did not worry enough about the privacy issue. HIPAA regulations clearly state that “Entities…may disclose health information to a business associate, and may allow a business associate to create or receive health information on its behalf if the entity obtains satisfactory assurance that the business associate will appropriately safeguard the information” (Piccoli 458).


Elensys Care’s proprietary database was structured into two distinct parts: patient demographics regarding their prescriptions, and information analysis. Giant Food’s customers were not aware of the company’s relationship with Elensys Care. Customers’ HIPAA rights had been violated, as they did not consent to this relationship. The customers had been registered into an opt-out program with Elensys Care, meaning that they would continue to receive mail unless they chose to “opt out” of the program. If the customers had been fully informed about the program, by having the option to “opt in”, then Giant Food and Elensys Care might have avoided this incident.


Inasmuch as the rationale behind health promotion programs may be altruistic, the reality is that members’ data is put at risk. LIJ’s wellness program, like other wellness programs, has two main characteristics: it is employer-sponsored, and it is Web-based. The case of LIJ differs significantly from that of Giant Food, at least in terms of incidence. However, the companies face the common challenge of maintaining the privacy of members’ and customers’ information. Wellness program sites try to assure their members that their personal information is secure and that nobody else can access their health information. However, the truth is that no data is entirely safe on the Internet. Thus, privacy risks are byproducts of the benefits that firms reap from the use of information technology and the development of e-commerce (Piccoli 443). Website users are susceptible to threats from hackers, phishing attempts and malware whenever they access the Internet. Personal health information is a rather exclusive case: the trade-off might not be worth the risk to some, yet others may not really have a choice. For instance, at North Shore-LIJ Health System, enrolling in the health promotion program is a basic requirement of the 2011 benefit package. In practical terms, electing to take part in this program earns a $10 credit in employees’ paychecks every fortnight. Thus, opting out of the program because of the privacy risks intrinsic to a Web-based wellness program means that employees essentially miss out on the benefits.

Employee privacy in the case of North Shore-LIJ is further complicated by the fact that the health promotion program is run by a third-party company, ActiveHealth. This means that employees must worry not only about how their own organization secures their personal information, but also about how another company does. Nevertheless, in a survey conducted in 2006, about 50 percent of employees had confidence in their organization’s security systems (Piccoli 425). However, this confidence is lower among non-management employees, especially when it comes to dealing with a third-party company that may engage in unsavory practices such as selling personal information to other companies. These companies usually state that patient information is not for sale, but patients cannot be certain. For instance, patients who received pharmaceutical mailings from Elensys did not have the slightest hint that their personal information was being sold to a third-party company that issued mailings on pharmacy letterhead (Piccoli 453).

From these cases, it is clear that employees can never be truly sure that their health information is completely private. North Shore-LIJ has stated in a message to its employees that “…this information is only between you, ActiveHealth and your doctor, and is NEVER shared with North Shore-LIJ” (North Shore-LIJ Health System, 2010). However, no matter how much of a premium is placed on employee and patient privacy, there are no guarantees. This raises an ethical concern: these companies are guaranteeing customers a level of privacy that they cannot really deliver with certainty.



The privacy and ethical issues associated with Facebook, as well as with other social websites such as Twitter, MySpace, and Flickr, differ slightly from those in the case study but are definitely within the scope of privacy and ethical issues. Facebook’s case is akin to the case study with regard to function creep. Users of the social network are a significant part of the growing proliferation of data sources and technologies that generate customer data (Piccoli 445). Facebook users voluntarily provide personal information which can easily be accessed by companies and consequently used for function creep. However, as Piccoli notes, “Navigating this landscape in a legal and ethical manner without missing opportunities for business success is becoming increasingly difficult” (Piccoli 445). This difficulty in navigating the legal and ethical implications has, in Facebook’s case, exposed tens of millions of users, without their knowledge, to the sharing of their personal data with advertisers.

Issues of security, privacy, and ethics regarding Facebook are shaping networking spaces, especially when it comes to the commodification and exploitation of user-generated content. With regard to privacy, users often assume that Facebook is a safe and closed space where they can publish even offensive and controversial content without much regard for the potential consequences. For instance, Facebook asks users to confirm their email address by following a link which directs them to the Facebook site, where a notification message informs them that someone or something wants to be added as a friend. In 2007, Facebook launched a controversial program called Beacon. The program was aimed at converting each user’s personal information into an advertisement, enhancing connectivity between the site’s members. The developers of this program failed to create an opt-in system that would give users the chance to participate of their own volition. Beacon’s ethical concerns related to the pulling of information from Facebook profiles, literally breaking down the privacy walls that normally exist. A further ethical issue for Facebook is the level of security used when registering members. As a result of heated debates (some frivolous) and intervention by authorities, Facebook eventually dropped the service, as it was violating users’ privacy.

The controversy has led some experts to suggest that the government must regulate privacy on Facebook. In the latest controversy, popular third-party apps including Farmville violated policy and transmitted data to advertisers, including user IDs and the names of friends. One implication is that Facebook needs to better regulate the third-party developers it allows on its site. Even though user information was transmitted to advertising firms by the third-party apps, it is Facebook that has the responsibility of resolving the conflict, since it is the Facebook site that users signed up for. Facebook will also bear the brunt of the negative press and regulation. This relates directly to why security is not an IT problem but a problem for all functional and general managers: the responsibility for resolving a conflict that involves the business, so that normal operation can continue, rests solely on them as managers.


Relate case to course and textbook

Giant Food, Inc. unarguably violated users’ privacy under HIPAA in its use of their personal medical information. There was no privacy or confidentiality in the handling of patient information. Disclosures were also not provided: who accessed the information, why they accessed it, and what they accessed it for was not made available to consumers. Patient information was easily accessible with little to no effort. Giant Food’s privacy standards had not been carefully established. In the United States, patients’ concern for their medical records created the need for the HIPAA law to be enacted. Prior to HIPAA there were no standards for electronic transfers of medical information; HIPAA sets a national standard for transferring medical information electronically. Giant Food, as a health care service provider, failed to operate by the minimum standards set by HIPAA. The main ethical concern regarding Giant Food is that it did not allow consumers to decide whether or not their personal information was to be included in a mailing list. The company did not take adequate measures to ensure that users’ personal information was secure.

Thus, with HIPAA regulations in place, Giant Food should have considered the many potential security and privacy risks before outsourcing the program to Elensys, which was required to send refill reminders to Giant Food’s pharmacy customers. Security threats and internet crimes are more prevalent where personal data is exchanged. Since 80% of security threats occur internally, there must be established accountability for the use and release of protected health information. The seriousness of internal security threats such as disgruntled employees is also a concern, as they are the most culpable when it comes to leaking information. HIPAA stresses that “entities covered by the regulation must adopt written privacy policies, train employees, designate a privacy officer, and establish grievance processes for patients” (Piccoli 458). In addition, it is imperative for organizations and “covered entities” to properly implement their security policies in order to reduce security risk. The most preventable risks are usually those caused by ignorance of security policies. Negligence in the proper storage of passwords, and the measures employees take when they leave their premises, contribute to possible security risks. Regarding the safeguarding of privacy, HIPAA regulation states that “Fair information practices are based on the five principles of notice, choice, access, security and enforcement” (Piccoli 446).


In an effort to safeguard security, fair information practices have been proposed as a basis for privacy governance. Moreover, noted privacy expert Mary Culnan offers the following guidelines for organizations that seek to comply with fair information practices: say what you do, do what you say, and be able to prove it (Culnan 13). In summary, an organization should develop a set of policies and procedures for safeguarding privacy and communicate these policies to affected individuals (e.g., customers, employees); make sure that those who represent the firm know, understand, and can enact the policies the firm has developed; and document its policies and the processes it has developed to ensure privacy.
