"

Chapter 6: Security of Electronic Records and Health Information Privacy

Learning Objectives:

  • Understand the importance of electronic record security in the healthcare industry and identify the potential consequences of a data breach or security incident.
  • Gain a comprehensive understanding of the HIPAA Privacy and Security Rules, including their requirements for handling and protecting patient health information.
  • Identify the key security vulnerabilities associated with protected health information and develop strategies to mitigate these vulnerabilities.
  • Learn how to enter and manage data in relational data systems with a focus on maintaining the security and integrity of the data.
  • Develop an understanding of best practices for maintaining electronic record security in healthcare organizations and apply these practices to real-world scenarios.

In today’s healthcare industry, the security of electronic health records (EHR) and compliance with the Health Insurance Portability and Accountability Act (HIPAA) are paramount to maintaining patient trust and safeguarding sensitive information. This chapter delves into the critical aspects of EHR security and HIPAA privacy regulations, providing readers with a comprehensive understanding of best practices for protecting patient data. By examining real-world case studies and current industry standards, this chapter aims to discuss the measures necessary to prevent security incidents, ensure regulatory compliance, and foster a culture of privacy and security in healthcare organizations. Through a detailed exploration of security measures, readers will gain insights to enhance their practice and uphold the highest standards of patient confidentiality.

Potential Consequences of a Data Breach or Security Incident

A data breach or security incident in the healthcare industry can have far-reaching implications, affecting multiple aspects of an organization’s operations. The following sections detail the four primary types of potential consequences: financial losses, reputational damage, legal liabilities, and compromised patient care (Table 1).

Financial Losses
The potential financial loss resulting from a data breach or security incident in the healthcare industry can be significant. Healthcare organizations can face legal fees, penalties, and damages, leading to a financial burden that can negatively impact their operations. The costs associated with a data breach often include forensic investigations, notification and credit monitoring services for affected patients, legal fees, and regulatory fines. Moreover, the organization may also experience loss of revenue due to reputational damage, loss of customers and patient trust. Therefore, it is essential for healthcare organizations to implement robust security measures and regularly audit and monitor their systems to prevent and mitigate the impact of a data breach or security incident.

Reputational Damage
Reputational damage is a critical consequence of a security incident in the healthcare industry. Patients trust healthcare organizations to protect their sensitive health information, and a breach of this trust can have severe consequences. When a security incident occurs, patients may lose confidence in the organization’s ability to safeguard their information, leading to a loss of business and revenue. Additionally, patients may choose to seek care elsewhere, further damaging the organization’s reputation and revenue. The damage to the organization’s reputation can be long-lasting and challenging to overcome, making it essential for healthcare organizations to prioritize electronic record security to maintain patient trust and confidence.

Legal Liabilities
Legal liabilities are a significant consequence of a data breach or security incident in the healthcare industry. Healthcare organizations have a legal responsibility to protect patient information, and failure to do so can result in substantial legal and financial penalties. A data breach or security incident can lead to lawsuits from affected patients, resulting in significant legal fees, settlements, and damages. Additionally, healthcare organizations can face fines and penalties from government regulatory bodies, such as the Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA regulations related to electronic record security. These fines and penalties can be costly and can further damage the organization’s reputation. Therefore, it is crucial for healthcare organizations to implement robust security measures to protect patient information and avoid legal liabilities.

Compromised Patient Care
Compromised patient care is another critical consequence of a data breach or security incident in the healthcare industry. A security incident can lead to the exposure of sensitive patient information, including medical histories, diagnoses, and treatments, compromising patient privacy and confidentiality. Additionally, security incidents can disrupt critical healthcare services, such as electronic health record systems, affecting patient care and treatment. This disruption can lead to delays in care, misdiagnoses, and other adverse patient outcomes, which can have serious consequences for patient health and safety. Therefore, it is essential for healthcare organizations to prioritize electronic record security to protect patient information and maintain the integrity of critical healthcare services.

Table 1: Potential Consequences of a Data Breach

Consequence

Description

Examples

Impact

Prevention Measures

Financial Losses

Significant monetary costs resulting from a data breach.

Legal fees, penalties, forensic investigations, notification and credit monitoring services, regulatory fines.

Financial burden that negatively impacts operations, potential loss of revenue, increased operational costs.

Implementing robust security measures, regular system audits and monitoring, ensuring compliance with regulations.

Reputational Damage

Damage to the organization’s reputation and trust with patients.

Loss of patient trust, patients seeking care elsewhere, long-lasting negative perception.

Loss of business and revenue, long-lasting damage to reputation, challenging to overcome.

Prioritizing electronic record security, transparent communication with patients, effective incident response strategies.

Legal Liabilities

Legal and financial consequences due to failure to protect patient information.

Lawsuits from affected patients, fines and penalties from regulatory bodies like OCR.

Significant legal fees, settlements, and damages, costly fines and penalties, further reputational damage.

Adhering to HIPAA and other regulations, implementing strong security protocols, ensuring legal compliance and proper incident documentation.

Compromised Patient Care

Negative impact on patient care due to disruption of healthcare services and exposure of sensitive information.

Exposure of medical histories, diagnoses, treatments; disruption of electronic health record systems.

Delays in care, misdiagnoses, adverse patient outcomes, compromised patient privacy and confidentiality.

Ensuring the integrity of electronic health record systems, protecting patient information, maintaining seamless healthcare services.

Discussion Questions

  • What are some examples of financial costs a healthcare organization might face after a data breach?
  • How can a data breach damage a healthcare organization’s reputation with its patients?
  • What legal consequences might a healthcare organization encounter if patient information is not properly protected?
  • In what ways can a data breach affect the quality of patient care provided by a healthcare organization?

Best Practices for Electronic Record Security in Healthcare

Ensuring the security of electronic health records (EHR) is crucial for healthcare organizations to protect patient information and maintain trust. The following sections detail four best practices for enhancing electronic record security: implementing strong security measures, employee training and awareness, regular auditing and monitoring, and developing an incident response plan (Table 2).

Implementing Strong Security Measures

Implementing strong security measures is critical for healthcare organizations to protect patient information from potential security incidents or data breaches. Access controls can limit access to sensitive patient information to only authorized personnel, which helps prevent unauthorized access to the data. Encryption is another vital security measure, as it protects data by encoding it in a way that can only be read by authorized parties. Additionally, firewalls can protect networks from unauthorized access by monitoring and blocking incoming traffic. Implementing these and other security measures helps healthcare organizations safeguard patient information and maintain the confidentiality, integrity, and availability of critical healthcare services.

Employee Training and Awareness

In addition to technical measures, healthcare organizations should provide ongoing security training for employees to raise awareness about security threats and best practices for preventing security incidents. Employee training on security best practices and the proper handling of confidential patient information is critical for maintaining electronic record security in healthcare organizations. Employees are often the first line of defense against security incidents and data breaches, so they need to be aware of the best practices for protecting patient information. These practices include creating strong passwords, avoiding phishing scams and other email-based attacks, and properly disposing of confidential patient information. Employees should also be trained to recognize security threats and how to report them to the appropriate authorities.

Regular Auditing and Monitoring

Regular auditing and monitoring of systems is an essential practice for maintaining the security of any organization’s information systems. By conducting regular audits and monitoring activities, organizations can proactively identify vulnerabilities and weaknesses in their systems, assess their security posture, and take corrective actions to prevent security incidents before they occur. Auditing involves reviewing the systems and processes used to secure an organization’s information assets, such as reviewing access controls, monitoring network activity, and testing system configurations for vulnerabilities. Monitoring involves continuously tracking system activity, including user activity, network traffic, and system logs, to detect unusual or suspicious activity that may indicate a security incident or breach. By monitoring systems in real-time, organizations can quickly respond to security incidents and prevent them from causing further damage.

Developing an Incident Response Plan

Developing an incident response plan is an essential component of any organization’s security strategy. An incident response plan outlines the steps that an organization will take to identify, contain, and remediate a security incident. The purpose of an incident response plan is to minimize the impact of security incidents on an organization’s operations, reputation, and bottom line. By having a well-defined plan in place, organizations can quickly respond to security incidents and limit their scope and severity. An incident response plan typically includes procedures for identifying and reporting security incidents, assessing their severity and scope, and containing and remediating them. It also defines the roles and responsibilities of various stakeholders, such as the incident response team, IT personnel, and senior management. Effective incident response plans also include provisions for communication and collaboration with internal and external stakeholders, such as customers, vendors, and law enforcement agencies, ensuring all parties are informed and appropriate actions are taken to address the situation.

Table 2: Key Components and Primary Benefits of Best Practices for Electronic Record Security in Healthcare

Best Practice

Description

Key Components

Benefits

Implementing Strong Security Measures

Involves using various technical tools and protocols to safeguard electronic records from unauthorized access and breaches.

Access controls, encryption, firewalls

Prevents unauthorized access, protects data integrity and confidentiality, blocks malicious traffic from entering the network

Employee Training and Awareness

Ensures that staff are knowledgeable about security threats and how to handle confidential information correctly.

Regular training sessions, best practice guidelines, recognizing and reporting threats

Empowers employees to act as the first line of defense, reduces risk of human error-related breaches, enhances overall organizational security awareness

Regular Auditing and Monitoring

Involves continuous review and observation of system activities to detect and address vulnerabilities and suspicious behaviors.

System audits, network activity monitoring, reviewing access controls

Identifies security gaps early, allows proactive management of security risks, ensures compliance with security standards and regulations

Developing and Incident Response Plan

Establishes a structured approach for identifying, managing, and mitigating security incidents.

Procedures for incident identification and reporting, roles and responsibilities for incident management, communication and collaboration protocols

Minimizes impact of security incidents, ensures swift and effective response to breaches, maintains operational continuity and protects organizational reputation

Discussion Questions

  • Why are strong security measures like access controls, encryption, and firewalls important for protecting electronic health records?
  • How can regular training and awareness programs for employees help prevent security incidents in healthcare organizations?
  • What are the benefits of conducting regular audits and monitoring of healthcare systems?
  • Why is it important for healthcare organizations to have an incident response plan in place? How does it help during a security incident?

Understanding HIPAA Privacy and Security Rules

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule sets national standards for protecting individuals’ medical records and other personal health information (PHI). This rule applies to healthcare providers, health plans, healthcare clearinghouses, and their business associates, ensuring that PHI is handled with strict confidentiality. PHI includes any information that identifies an individual and relates to their past, present, or future health condition, healthcare services received, or payment for healthcare services (Table 1). Under the Privacy Rule, healthcare providers can use and disclose PHI for treatment, payment, and healthcare operations without obtaining patient authorization. Additionally, PHI can be disclosed for public health activities, law enforcement purposes, and research studies.

Patients have certain rights under the HIPAA Privacy Rule. They are entitled to access their PHI, request amendments, and receive an accounting of disclosures of their PHI. If patients believe their privacy rights have been violated, they have the right to file a complaint (Table 2). This regulation is crucial for maintaining trust between patients and healthcare providers, as it ensures the privacy and security of sensitive health information. The Privacy Rule is a key component of HIPAA, which was enacted in 1996 to protect patient privacy and promote the secure handling of health information.

The HIPAA Security Rule complements the Privacy Rule by establishing standards to protect electronic protected health information (ePHI). This rule mandates that healthcare providers, health plans, and healthcare clearinghouses implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. Administrative safeguards involve policies, procedures, and training programs to protect ePHI, while physical safeguards include measures like locks and access controls to secure physical devices containing ePHI. Technical safeguards, such as encryption and firewalls, are used to protect ePHI transmitted or stored electronically.

One critical requirement of the HIPAA Security Rule is conducting regular risk analyses and implementing risk management plans to identify and mitigate potential security risks. In the event of a security breach or unauthorized disclosure of ePHI, healthcare organizations are required to notify affected individuals, the Department of Health and Human Services, and, in some cases, the media. Failure to comply with HIPAA regulations can lead to severe consequences, including fines, lawsuits, and loss of reputation and business. Organizations must ensure compliance through employee training, ongoing monitoring, and updating policies and procedures to align with technological advancements and regulatory changes.

Table 3: Examples of HIPAA PHI Identifiers

PHI Identifier

Description

Name

Any part of an individual’s name

Address

Street address, city, county, precinct, ZIP code

Dates

Birth date, admission date, discharge date

Telephone Numbers

Any telephone number associated with the patient

Email Addresses

Personal or work email addresses

Social Security Numbers

Unique identification number

Medical Record Numbers

Identifiers assigned by healthcare providers

Health Plan Beneficiary Numbers

Numbers associated with health plans

Account Numbers

Financial account information

Biometric Identifiers

Fingerprints, voiceprints, retina scans

Full Face Photographic Images

Identifiable images of a patient

Any Other Unique Identifying Number or Code

Any number, characteristic, or code that can identify an individual

Table 4: Examples of Privacy Rule Violations

Violation

Description

Unauthorized Access to PHI

Accessing PHI without authorization or a legitimate purpose

Improper Disposal of PHI

Disposing of PHI without following proper procedures

Failure to Provide Access to PHI

Not allowing patients to access their own health information

Failure to Provide Breach Notification

Not informing affected individuals of a breach in a timely manner

Inadequate Safeguards

Lack of sufficient measures to protect PHI from unauthorized access

Disclosure of PHI without Consent

Sharing PHI with unauthorized individuals or entities without consent

Table 5: Examples of HIPAA Security Rule Violations

Violation

Description

Lack of Risk Analysis

Failure to conduct regular risk assessments to identify vulnerabilities

Inadequate Security Measures

Not implementing necessary safeguards like encryption and firewalls

Unsecured Transmission of ePHI

Sending ePHI without encryption or other protective measures

Insufficient Employee Training

Not training staff on how to handle ePHI securely

Delayed Breach Notification

Failing to notify affected individuals and authorities promptly

Improper Access Controls

Allowing unauthorized access to systems containing ePHI

These tables provide a comprehensive overview of HIPAA regulations, highlighting the importance of protecting patient information and ensuring compliance with legal standards.

Discussion Questions

  • What are the key differences between the HIPAA Privacy Rule and the HIPAA Security Rule? How do they work together to protect patient information?
  • Why is it important for patients to have rights, such as accessing their health information and requesting amendments, under the HIPAA Privacy Rule?
  • What are some common examples of Protected Health Information (PHI) identifiers? Why is it important to protect these identifiers?
  • What steps should healthcare organizations take in the event of a security breach involving electronic protected health information (ePHI)?

Security Vulnerabilities Associated with Protected Health Information

Protected Health Information (PHI) is vulnerable to various security threats, including unauthorized access, theft, and loss. These vulnerabilities can arise from human error, insider threats, cyberattacks, physical theft or loss, and improper disposal. Each of these factors presents unique challenges and risks to the security of PHI, making it essential for healthcare organizations to implement comprehensive security measures to protect patient information.

Human error is a common security vulnerability associated with PHI. This can include incidents such as accidentally sending PHI to the wrong recipient, failing to properly secure PHI, and not following established security policies. To mitigate the risk of human error, healthcare organizations should invest in employee training, establish clear security policies and procedures, and regularly conduct audits and assessments to identify and address vulnerabilities. Training helps ensure that staff are aware of best practices for handling PHI and understand the importance of maintaining confidentiality and security.

Table 6: Examples of Human Errors

Example of Human Error

Description

Sending PHI to the Wrong Recipient

Accidentally emailing or faxing PHI to an unintended recipient due to a typo or incorrect address

Failure to Secure PHI

Leaving PHI in unsecured locations, such as unlocked offices or desks, where unauthorized individuals can access it

Not Following Security Protocols

Bypassing or ignoring established procedures for handling and storing PHI, such as sharing passwords or failing to log out of secure systems

Improper Storage of PHI

Storing PHI in non-secure digital or physical locations, such as personal devices or open filing cabinets

Negligence in Handling Devices

Misplacing or losing devices that contain PHI, such as laptops or USB drives, without proper encryption or security measures

Insider threats refer to security breaches caused by individuals within an organization, whether intentional or unintentional. These can include actions such as theft, sabotage, or negligence. To reduce the risk of insider threats, healthcare organizations should conduct thorough background checks on employees, limit access to PHI based on the need-to-know principle, and monitor employee behavior for any suspicious activity. Regularly updating access controls and maintaining vigilance against potential insider threats are crucial steps in protecting sensitive information.

Cyberattacks are another significant threat to PHI, encompassing malware, phishing attacks, and ransomware. These attacks can severely compromise the confidentiality, integrity, and availability of PHI. To mitigate these risks, healthcare organizations should implement robust cybersecurity measures, including firewalls, antivirus software, and encryption, and ensure that systems and software are regularly updated to address any vulnerabilities. Educating employees about phishing and other cyber threats is also vital to prevent them from inadvertently compromising security.

Physical theft or loss of PHI can occur through the theft of devices, such as laptops or mobile phones, or through the loss of physical records. To protect against physical theft or loss, healthcare organizations should implement physical security measures such as access controls, surveillance cameras, and secure storage solutions for both digital and physical records. Additionally, proper protocols must be in place for the secure disposal of PHI, ensuring that physical records are shredded and electronic data is permanently erased. This prevents unauthorized access to sensitive information that is no longer needed.

In summary, the security vulnerabilities associated with PHI pose significant risks to patient privacy and can lead to legal and financial consequences for healthcare organizations. By taking proactive steps, such as implementing strong security measures, training employees, and regularly assessing and auditing their security practices, healthcare organizations can effectively mitigate these vulnerabilities and protect patient information.

Discussion Questions

  • What are some common examples of human error that can lead to security breaches involving PHI? How can healthcare organizations prevent these errors?
  • Why are insider threats a concern for healthcare organizations, and what steps can be taken to reduce the risk of these threats?
  • How can cyberattacks compromise the security of PHI, and what cybersecurity measures should be in place to protect against these attacks?
  • What are the risks associated with the physical theft or loss of PHI, and how can organizations ensure the secure disposal of sensitive information?

Entering Data into Relational Data Systems

Entering data into a relational data system begins with the creation of a table and the definition of columns that will store the data. This structured organization allows for efficient data management and retrieval. Each table consists of rows and columns, where rows represent individual records and columns represent data attributes. The first step in entering data is to define these columns, specifying the type of data they will hold, such as integers, strings, or dates. Once the table structure is established, data can be inserted using Structured Query Language (SQL), a standardized language for managing and manipulating relational databases. Ensuring the accuracy and completeness of the data during this process is crucial to maintaining the integrity and reliability of the information stored.

Managing data in a relational data system involves various tasks such as updating, deleting, and querying data. SQL commands facilitate these operations; for instance, the UPDATE command modifies existing records, while the DELETE command removes data from the table. Querying data, an essential aspect of data management, involves using SQL to retrieve specific information based on certain criteria, thus enabling users to access the needed data efficiently. Regular data management practices, including updates and audits, help maintain data accuracy and relevance, ensuring that the system remains reliable over time. Security measures, such as access controls and data encryption, are essential to protect sensitive information and maintain data integrity, while constraints like primary keys and foreign keys ensure the data’s consistency and reliability.

Table 7: Basics on Relational Data

Key Components

Details

Table Creation and Column Definition

The first step in data entry is creating a table and defining columns to organize data.

Data Entry Using SQL

SQL is used to insert data into tables, ensuring data accuracy and completeness.

Data Management Tasks

Includes updating, deleting, and querying data to maintain system accuracy and relevance.

Security Measures

Access controls, user permissions, and data encryption protect data from unauthorized access.

Data Integrity and Constraints

Primary keys, foreign keys, and unique constraints ensure data accuracy and reliability.

Importance of Regular Management

Regular updates and audits are essential for maintaining the accuracy and integrity of data.

Discussion Questions

  • Why is it important to carefully define columns and use SQL when entering data into a relational data system? How does this help in maintaining data integrity?
  • What are some key security measures that need to be implemented in relational data systems to protect sensitive information? How do these measures help ensure the system’s reliability?

Real World Scenarios and Data Breach Statistics

In 2015, Anthem Inc., a major health insurance company, experienced one of the largest healthcare data breaches in history. Hackers gained unauthorized access to the personal information of approximately 78.8 million people, including names, dates of birth, Social Security numbers, and health information. The breach resulted in significant consequences for Anthem, including a loss of trust among customers, reputational damage, and substantial legal liabilities. In response to a class-action lawsuit, Anthem settled for $115 million, highlighting the severe financial repercussions that can follow such breaches.

In another instance, a former employee of the University of Pittsburgh Medical Center (UPMC) was charged in 2021 with stealing the personal information of more than 65,000 UPMC employees. The employee had accessed sensitive data, such as names, birth dates, and Social Security numbers, and subsequently sold this information on the dark web. This incident underscores the threat posed by insider attacks and the critical importance of implementing strong access controls and monitoring systems to prevent unauthorized access to sensitive data.

In 2020, Universal Health Services (UHS), a major healthcare provider, faced a ransomware attack that severely disrupted operations at more than 250 facilities. The attack forced UHS to divert ambulances and transfer patients to other hospitals, causing significant interruptions to patient care and administrative functions. This incident not only damaged UHS’s reputation but also highlighted the potential legal and financial liabilities associated with cyberattacks in the healthcare sector. It underscores the necessity of robust cybersecurity measures to protect against such threats.

Data from the HIPAA Journal, which tracks healthcare data breach statistics, reveals the prevalence and impact of large-scale data breaches in the healthcare industry. Since October 2009, the journal has documented breaches involving 500 or more records, reported to the U.S. Department of Health and Human Services’ Office for Civil Rights. This data emphasizes the importance of stringent data protection measures to safeguard sensitive patient information. For more detailed insights, you can explore the HIPAA Journal’s healthcare data breach statistics. Additionally, the YouTube video 1 titled “How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks,” released on October 23, 2023, offers valuable information on the role of the HIPAA Security Rule in protecting against cyber threats.

“Video 1: How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks: October 23, 2023” by U.S. Department of Health and Human Services is in the Public Domain, CC0

Discussion Questions

  • What are some of the key lessons that healthcare organizations can lean from the data breaches experienced by Anthem Inc. and Universal Health Services? How can these lessons help in preventing future breaches?
  • Why is it important for healthcare organizations to implement strong access controls and monitoring systems, especially in light of insider threats? How do these measures protect sensitive information?

Key Terms

Protected Health Information (PHI): Any information about health status, healthcare, or payment for healthcare that can be linked to an individual.

HIPAA: The Health Insurance Portability and Accountability Act, a U.S. law designed to protect patient information and ensure the privacy and security of health data.

Data Breach: An incident where sensitive, protected, or confidential data is accessed, disclosed, or stolen by unauthorized individuals.

Encryption: A security method that involves encoding data so that only authorized parties can access and read it.

Access Controls: Security measures that restrict who can access certain data or systems, often based on user roles and permissions.

Ransomware: A type of malware that encrypts a victim’s data, with the attacker demanding a ransom payment to restore access.

Insider Threats: Security risks posed by individuals within an organization, such as employees or contractors, who have access to sensitive information.

Data Integrity: The accuracy and reliability of data, ensuring it is not altered or tampered with improperly.

Incident Response Plan: A set of procedures and guidelines that an organization follows to respond to and manage the aftermath of a security breach or cyberattack.

Risk Management: The process of identifying, assessing, and prioritizing risks, followed by coordinated efforts to minimize, monitor, and control the probability or impact of unfortunate events.

Exercises

Scenario Analysis Questions

Scenario 1: Unauthorized Access

Question: A healthcare worker accidentally sends an email containing a patient’s PHI to the wrong recipient. What steps should the healthcare organization take to address this situation?

Scenario 2: Insider Threat

Question: An employee is suspected of accessing patient records without a legitimate reason. What actions should the healthcare organization take to investigate and respond to this potential insider threat?

Scenario 3: Ransomware Attack

Question: A healthcare facility experiences a ransomware attack that encrypts patient records and disrupts operations. What should be the organization’s immediate response?

Scenario 4: Physical Theft of Data

Question: A laptop containing unencrypted PHI is stolen from a hospital. What are the key steps the hospital should take to handle this breach?

References

U.S. Department of Health & Human Services. (2022). Health Information Privacy: HIPAA Overview. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

O’Brien, G., Lesser, N., Pleasant, B., Wang, S., Zheng, K., Bowers, C., & Kamke, K. (2018). Securing Electronic Health Records on Mobile Devices. National Institute of Standards and Technology, U.S. Department of Commerce. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-1.pdf

Brooks, S., Garcia, M., Lefkovitz, N., Lightman, S., & Nadeau, E. (2017). An Introduction to Privacy Engineering and Risk Management in Federal Systems. National Institute of Standards and Technology, U.S. Department of Commerce. Retrieved from https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf

U.S. Department of Health & Human Services. (2019). A Cost Analysis of Healthcare Sector Data Breaches. Health Sector Cybersecurity Coordination Center (HC3). Retrieved from https://www.hhs.gov/sites/default/files/cost-analysis-of-healthcare-sector-data-breaches.pdf

Office for Civil Rights (OCR), U.S. Department of Health & Human Services. (2007). Security Series: Security 101 for Covered Entities. Retrieved from https://www.hhs.gov/guidance/document/security-series-security-101-covered-entities

Watt, A., & Eng, N. (n.d.). Database Design – 2nd Edition. BCcampus Open Education. Chapter 1: Before the Advent of Database Systems and Chapter 7: The Relational Data Model. Retrieved from https://opentextbc.ca/dbdesign01/chapter/chapter-1-before-the-advent-of-database-systems/

HealthITSecurity, Xtelligent Healthcare Media. Cybersecurity News. Retrieved from https://www.techtarget.com/healthtechsecurity/resources/Cybersecurity-strategies

HealthITSecurity, Xtelligent Healthcare Media. Latest Health Data Breaches News. Retrieved from https://www.techtarget.com/healthtechsecurity/resources/Healthcare-data-breaches

The HIPAA Journal. Healthcare Data Breach Statistics. Retrieved from https://www.hipaajournal.com/healthcare-data-breach-statistics/