
I haven’t had an experience of being unable to preserve the CIA of my workplace’s information system. But there was an incident in which someone from another department misused their access authority for EMRs and tried to access the e-PHI of a very important celebrity patient.
We, as physicians, can normally access our patients’ EMRs for in-charge services. We do have some IT security training sessions, and I think most of us are aware of its importance. Patients in a specific group are assigned a different name (not the real one) in the system for regular access; only assigned staff know it, and there is close monitoring in the system.
Unaware of the issue and of the different level of protection policy for that specific group of patients, someone accessed the EMR by searching for the real name, but it was not found. So, in terms of access control technique, their every activity had been recorded in the system. They ended up with an admonition from the board and the IT team.