Assignment: Job Functions: Database Administrator vs. HIM Department Manager TIP: Please see the Lesson Content and Rubric in the attachment for additional information. Professionals working in the HI
Week 8-Assignment, Rubric, & Lesson Content Assignment: Job Functions: Database Administrator vs. HIM Department Manager TIP: Please see the Lesson Content and Rubric in the attachment for additional information. Professionals working in the HIM field find that some of their job functions relate to or are similar to those of a database administrator. This assignment explores the functions of these two positions. Clearly, the positions are not the same, you will, however, see some crossover of function when the assignment is complete. The assignment is outlined in three (3) steps below. Step 1: Create a table like the one below into a Word document and then fill in the information you gather in Step 2.   HIM Technician Database Administrator Primary Job Functions     Job Outlook (expected growth)     Approximate number of jobs in the field     Educational requirements and qualities to possess for the job     Step 2: Visit the U.S. Bureau of Labor Statistics’ Occupational Outlook Handbook webpage https://www.bls.gov/ooh. Look up the description for the following job titles and enter the information in the Table you created in Step 1: Database Administrator Medical Records/Health Information Technician Step 3: Finally, compare and contrast the job functions listed for these titles. Using complete paragraphs or another table if you like, identify and highlight differences you see in the job functions and then identify and highlight similarities you note in the job functions. Your paper should use proper spelling/grammar and be at least two (2) pages long. APA format with In-Text citation. Save your assignment as a Microsoft Word document. Rubric: Criteria Points Completed comparison table for jobs. 12 Identified differences of the job functions. Identified similarities of the job functions. Presentation, grammar, spelling, flow, format, citations, etc. Total 30 Lesson Content: Why Does an Organization Need a Database Administrator? Large databases are extremely complicated systems. They include interactions of hardware, software, and database structures/schema. Each database has its own unique features and platforms, including the database management system (DBMS). Database Administrator Tasks The list below contains some of the common tasks for a database administrator. You’ll see that they are quite varied and potentially time-consuming ones, as well. Maintaining table structures/database schema Using SQL to maintain and create data objects and tables Formulating storage solutions Deciding upon physical storage locations and characteristics Deciding on backup strategies and locations for backups Monitoring performance and speed of the database response Controlling access via establishing User IDs and password system Assuring data security within the context of the database Assuring data integrity (accuracy and completeness) Applying system upgrades Space and Performance Needs A database application such as a new EHR may start out with a certain amount of expected data and space needs. Soon though, the system “outgrows” the initial plans. The capacity of the server hardware for storage and structures, along with the configuring of the database software and operating system, have to be adjusted and fine-tuned. Most database systems have monitoring “tools” that help the database administrator (DBA). They can tell where some bottlenecks are developing and starting to hit the limits of what this particular configuration can handle. Reliability and Availability of the Database Every database has maintenance and changes/updates that need to be administered. In a 24/7 environment like healthcare, the downtime for the database will be especially concerning. The database administrator needs to determine what tasks can be performed for maintenance while the database is up and running and which maintenance tasks will require downtime. Perhaps the downtime can be managed to a point where the database is always “on” except for a couple of two-hour windows twice a month. During those times, a backup redundant software and hardware system might be employed so that data can be entered, and then the database fully updated when the maintenance period is over. A reliable data application can make or break a practice or business. Imagine this scenario: The patient was registered, the vital signs taken and then… the EHR computerized database went down so the patient’s history could not be brought up on screen or allow the vital signs to be documented. Do we make the doctor and patient both wait for the system to get up and running again? Does the nurse or medical assistant write the vital signs on a piece of paper to enter later? Finally, can the physician safely prescribe a new medication if the history of current medications is unavailable? This is what makes having a reliable system so important. Storage Methods The database administrator has to make sure the storage method is adequate and reliable. Sometimes a new server is acquired to expand space or to correct reliability concerns. The DBA needs to move the data over from the old server to the new server! They configure the server for the ways that it can accept the new data. Databases may be “indexed” to help requests run efficiently. Just as having an index for a phone book or textbook helps, this index helps the software quickly find what is needed. Interaction between HIM and Database Administrators Certainly it is the job of all database administrators to be concerned with keeping all data secure in the technological environment. The DBA or other person in the IT department will need to implement user authentication, such as User IDs and password authentication systems. The HIM professional, as an expert on HIPAA rules and guidelines, can also help the DBA to consider other areas where information and data security should apply. For example, the HIM manager may ask, if remote backups are kept on the patient care data, where will they be kept? Does a contractor who keeps those remote backups comply with HIPAA guidelines? Would the backup data of our own organization become inter-mingled with that from other organizations, or not? Data Security Features and Functions Information and data security have become quite complex functions in the modern networked computer environment. The HIPAA security rule covers PHI in all forms: paper, oral and electronic. In many respects, a computerized system can offer greater security than mere paper. However, when a breach does happen to a computerized system, it is more likely for that access to involve multiple patients or individuals. The information security officer, along with the database administrator, must work to ensure that data are kept private and used only for allowed purposes. As new technology emerges and is acquired, the security needs and features will change. Looking at the security needs via an information Life Cycle approach can assure that the organization will keep reviewing security measures periodically and appropriately. Breach Threats and Methods Breaches can occur from various causes including: Computer Viruses: Malicious software used to infect a system. The virus can wreak havoc with the computer’s normal operations, as well as potentially expose routes for further access from unauthorized individuals or infection by other viruses. Some viruses even turn a computer into a “bot” that is then used by unauthorized individuals to run unauthorized tasks and procedures on the computer’s processors. This is actually “stealing time” of the computer’s processors. Computer Worms: Computer worms are similar to viruses. They self-replicate, spreading across entire networks. Then, the individual computers in the network may be used to conduct unauthorized tasks or simply encounter interference with normal processes and functioning. Ransomware: According to Kaspersky Lab’s (2017) Ransomware & Cyber Blackmail webpage, ransomware is particularly malicious and has the aim of profit to individuals who imposed it. Ransomware will demand payments in order to undo unwanted changes to an organization’s or individual’s computer. It can encrypt the data so that they are not available until the ransom amount is paid. It can also block normal access to a victim’s system. Infected websites and responding to “phishing” emails seeking personal information by masquerading as a legitimate request or site can lead to ransomware. Several very prominent ransomware attacks have been experienced by hospitals. Man-in-the-Middle Attacks: The Open Web Application Security Project (OWASP, 2015) explains that man-in-the-middle attacks occur when a program or machine inserts itself in between the computer being used and a network connection. The connection between the client computer and the network or server is vulnerable to attack. The transfer protocols (TCP/IP) are the weak point. This is particularly true of wireless networks that do not require strong router passwords and security mechanisms such as WPA. Logging onto any non-secured network entails a high risk of encountering man-in-the-middle attacks. Every keystroke could be monitored and logged when using a successful attack. There is even a risk of compromising individual passwords used to access websites, banking sites and credit card accounts via this mode. Internal Breaches Organizations attempt to reduce unauthorized access to data by conducting employee background checks, audit logs of system access, and other methods. However, unscrupulous people can fall prey to the lure of “easy money.” Any employer that maintains Social Security Numbers as well as addresses and other identifying information on individuals needs to maintain alertness against internal breaches, as well as external threats. “Spoofing” of IRS tax returns using the SSN to gain access to tax refunds has become a serious threat in the United States, enabled by those who have access to multiple SSNs. Besides those breaches used to obtain money illegally, the healthcare organization, of course, should also be on lookout for unauthorized access to private medical information. Preventing Breaches Technological approaches to preventing breaches include: strong passwords, role-based access privileges, requirements to periodically reset passwords, anti-virus software, automatic logoffs and forced time-outs, firewalls, and encryption of data on laptops and mobile devices. Additionally, a very strong training program for each new employee and refresher courses for all employees on safe and ethical use of computers should be conducted. Any time that remote access is allowed to the computer network, special precautions and methods are needed to assure that these entry points are secured, as well. A Virtual Private Network (VPN) establishes a secured kind of information “tunnel” by which data can travel through the internet safely to its destination. The healthcare organization may require that only devices that are owned and controlled by the organization, not by an individual, are used to access its network via VPN. Or, it may make additional security software mandatory for use in individually-owned mobile devices. HIPAA Security Requirements The Health Insurance Portability and Accountability Act (HIPAA) includes substantial requirements for administrative safeguards of healthcare data and information. Risk analysis is a required task, as is risk management and review of information systems activity. Workforce security steps that are addressable include: authorization and supervision of individuals, workforce clearance procedures (such as background checks), and termination procedures. For example, if an employee is terminated and that position involved access to ePHI, the employee’s access to systems containing ePHI should be immediately terminated, as well. Information access management includes: isolating healthcare clearinghouse functions, access authorization, and access management/establishment and modification. Providing for the appropriate, role-based access to ePHI in our systems is one of the most critical items that the IT department and HIM department can work on and assure, together. Security awareness and training involves: security reminders, protection from malicious software, log-in monitoring, and password management. Security reminders might include popup windows when a user goes to access a website outside the organization as well as general reminders to remain vigilant about email phishing efforts and threats. Protection from malicious software involves the protection from virus and various malware efforts as described earlier. Log-in monitoring means that there should be routine, regular reviews of accesses to the ePHI data, and the system might flag trigger events — such as efforts to access sensitive records — to be followed up on. Password management goes beyond just establishing an initial password for authorized employees. Employees should be required or counseled to create adequate passwords: to not use just a word in the dictionary or a name but to include, for example, both uppercase and lowercase letters, special characters, and numbers. Passwords might be required to be changed periodically, too, such as every 30 days. Security Incident Procedures There should be a plan and procedure for following up and appropriately reporting and mitigating loss when any security breach has happened. Contingency plans involve: data backup plans, disaster recovery plans, emergency mode operations plan, testing, and revisions. Every healthcare organization needs to have a disaster recovery plan. It should specify what should happen, identify who is in charge of various functions, and be taught and practiced in the organization. You may have worked on disaster plan elements in other courses. Disaster recovery in the sense of HIPAA means disasters that affect the data and operations of the healthcare organization. It does not mean citizens are flooding into the hospital due to natural or man-made tragedies, although the hospital needs to serve injured individuals from actual disasters, too. Business associate contracts need to be covered by written contract and other arrangements by the healthcare organization in a way that ensures the data will remain private. Business associates do not include physicians, other hospitals, or long-term care institutions to which we simply transfer and refer patients. Other HIPAA requirements under Administrative Safeguards include facility access controls and device and media controls for actively-used and discarded media. References Kaspersky Lab’s (2017). Ransomware & Cyber Blackmail. Retrieved March 29, 2017, from https://usa.kaspersky.com/resource-center/threats/ransomware. OWASP (2015). Man-in-the-middle attack. Retrieved March 29, 2017, from https://www.owasp.org/index.php/Man-in-the-middle_attack.