Introduction
Health informatics is the use of informational science and computers for the advancement of health care. Utilizing computers, medical technology, and communications infrastructure the goal of the field is the advancement of health care and the better delivery of health care services. Many fields fall under the purview of health informatics including: medicine, dentistry, nursing, pharmacology, occupational therapies, and medical research.
Health management information systems combines “people, data, processes and health information technologies to collect, process, store, and provide needed results – all in support of healthcare” (Tan, 2010, p. 71). Several enterprise level software packages exist in order to promote healthcare services. They include systems that manage supply chain, customer relations, and enterprise resource planning (Tan, 2010, p.72). Due to the advancement of the internet, the possibilities of health informatics are constantly increasing and individual access via web based resources in allowing for ever greater control and understanding of the lay person over their health care.
With ever increasing levels of information that is becoming available digitally, threats to the security of that information increase. A myriad of threats exist, from hackers and cyber-attacks to power outages and hardware failure. Securing information is key to the further adoption of structural informatics systems. Hackers stealing medical information present a significant threat insofar as that information can be used in sophisticated identity theft arrangements. Hardware failures and power outages threaten the delivery of healthcare when records are increasingly kept in a digital medium. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) governs the privacy and protection of medical related data. HIPPA requires that there be administrative, physical, and technical security measure in place to safeguard the confidentiality and security of patient information. Thus, understanding the best systems available for securing the data is necessary.
Statement of Problem
As the levels of connectivity of patient’s sensitive medical data increases, it is reasonable to assume that there will be increased efforts by cyber criminals to access that data. Furthermore, with increased utilization of informatics information, the level of human error subjecting the information to a security breech will also increase. Finally, power outages and hardware failure threaten the appropriate delivery of healthcare insofar as they may render a patients history and data completely inaccessible for significant periods of time. Without security measures in place to ensure that medical records remain confidential they will be left open to infiltration and misappropriation. Also, in the case of power and equipment failure, patient’s health may be left at serious grave risk. Without adequately addressing system security issues, adoption of health informatics systems would be severely hindered due to user hesitance.
Summary of Research Sources
In an article written by Cucoranu, et al, of the University of Pittsburgh Pathology department, the requirements of data protection and security were written about extensively (2013). They note that in the United States security of online systems must conform to the requirements of HIPPA, and that other countries have developed similar regulations for securing patient records. The Office of the National Coordinator for Health Information Technology suggested five basic steps that were necessary to perform a risk analysis. 1) Review current health information security, 2) identify any threats and vulnerabilities, 3) Asses risks for likelihood and impact, 4) Mitigate security risks, and 5) Monitor results. All systems that perform a function in patient data acquisition and storage require review (Cucoranu, et al, 2013).
Data protection in the case of downtime is a key element and requires the formulation of strategies of data protection. Considerations regarding backups include the type of backup (periodic vs. real-time), scope of the backup, the frequency of the backup, location of backups, media that contains the backup, and personnel competent to perform recovery. Hardware security is also an important consideration and the physical safety of computer systems must be insured. Fire protection methods must be undertaken, adequate power supplies maintained, and procedures for the safe destruction of data must also be created. Endpoint security must be accounted for, and the authors state that most institutions make local policies that limit the ability of employees from making unauthorized copies of data and records. Software security policy must be made and the use of passwords for authentication, single sign-on protocols, biometric devices, access control, and periodic auditing will guarantee that the software platforms are secure. The data itself must also be secured, and data integrity must be maintained. Furthermore, strategies of data protection should be developed, data recovery accounted for, and data encryption should be used so in the case of breach, individuals do not need to be notified of lost or stolen data (HIPPA requires notification of patients if health related personal identifiable information is lost). Furthermore, adequate Internet security must be maintained through the use of firewalls and antivirus software (Cucoranu, et al, 2013). All of this must be extended to every point on the system, including instruments that automatically digitize information and mobile devices that are used in patient care. In sum, this article reviews the basic outline of creating a fully secure system to implement when creating a health informatics system.
In a series of case studies conducted in Iran and reported by Hajrahimi, Dehaghani, and Sheiktaheri, indicators were ranked by effectiveness (2013). Using questionnaires answered by IT management staff in medical centers the study sought to assess the safety of patient data in several medical centers. Based on the answers of 40 engineers, 27 indicators of information security were found. Using statistical analysis which included fuzzy theoretical methods, ultimately seven of those 27 were found to have a major impact. The seven significant measures included: Safety equipment, verification and system design, user access management, network access control, cryptographic controls, safety in the development and support processes, and access control system. This study is valuable because of the potential cost of creating redundant security systems. If methods can be streamlined to only the most effective, perhaps costs can be controlled in a better way.
Using a retrospective cohort study design Shimada, et al, investigated the adoption of secure messaging conducted between the patient and the provider (2013). Using Veterans Health Administration hospitals, the investigators sough to measure the levels of adoption of secure messaging and to characterize the facilities that had increased adoption of these systems. Furthermore, they sought to understand the association of secure messaging and the utilization of urgent care services. Using 132 facilities they combined cross-sectional and longitudinal data to conclude that access to human resources, computer resources, and leadership support all lead to higher rate of implementation of these systems. Higher usage of secure messaging lead to decreased rates of urgent care use. Essentially, this study is important because it links the use of messaging with decreased use of expensive urgent care. This important benefit is only attainable under secured systems though. Were the system not secure, then it would fall afoul of HIPPA regulations and it’s utility and thus usage would be severely limited.
Yoo, et al, performed a study that researched user requests of electronic health records at the Seoul National University Bundang Hospital. The authors categorized requests as program modification/development, data request, insurance fee identification/generation, patient-record merging, or other. Using 11,400 record requests from end users of the electronic health records system that were made between the years 2008 and 2010, the authors found that 49.2% were involved in program modification/development, 33.9% were data requests, insurance fee identification/generation constituted 11.4% of requests, 4% of the requests were patient-record merging, and 1.5% were related to other issues. Users of the system were divided into four basic categories, direct care, care support, administrative/insurance, and general management. The most common problem that the users of this system had were ease of use and task-oriented functionality. The constant requests for enhancement resulted in a more complex system, but one that was better suited to the actual daily use of the system. This study is important in terms of the construction of network architecture that hospitals utilize to create informatics systems. The implications for security are also important insofar as every enhancement to the system must be analyzed to ensure that it conforms to the security measures in place and required by the national health regime in any given country.
In a study performed by Kwon and Johnson of the security practices and regulatory compliance in the healthcare industry they attempted to identify the practices that improved compliance with regulatory regimes (2013). Using Ward’s cluster analysis on the adoption of security measures, variance between organizations was measured. T-tests were employed to identify the relationship between security and compliance. The researchers used the results of the Kroll/Healthcare Information and Management Systems Society telephone survey of 250 American healthcare institutions. Ultimately, three clusters were identified, leaders, followers, and laggers, which was based on how they utilized security practices. Technical practices were statistically insignificant between the groups, however the non-technical practices varied greatly. The highest levels of compliance with data security regulations occurred in institutions that employed balanced approaches of technical and non-technical practices. In the highest levels of compliance, institutions were managing third party breach of data and training. In the followers cluster, audit practices were particularly important. The utility of this study was the identification and creation of benchmarks to be utilized by hospital data administrators in the managing of their networks
Carrión Señor, Fernández-Alemán, and Toval performed a study to verify the security of personal health records available via the web (2012). The researchers sought to investigate the privacy and security features of personal health record privacy policies. Using the principal databases regarding health and computer sciences, they looked for personal health record systems that were free and mentioned in published articles. Each personal health record system was reviewed to identify its privacy and security characteristics. Ultimately 52 systems were found of which 24 met the author’s inclusion criteria, which required that the system be free, web-based, and patient-centered with a privacy policy. They found that 71% allowed the end-user to manage their data. Only 38% allowed users to check who had actually accessed their data. 50% of systems aggregated data on user information to publish trends. 80% used multilayered security protocols and 63% utilized systems that were based on regulations from HIPPA and the Health on the Net Foundation Code of Conduct. Ultimately, they found that most privacy policies of the systems do not offer any meaningful description of the security measures employed by them and that compliance with standards was still unacceptably low (Carrión Señor, Fernández-Alemán, Toval, 2012). The implications of this study are manifold. Firstly, if patients perceive that their personal details are not secure, they are less likely to adopt electronic health records and to use them for maximal benefit with their healthcare providers. Secondly, if a large number of systems in place are not actually complying with the codes established in HIPPA or by the Health on the Net Foundation Code of Conduct, this represents a significant lapse in the security of extant patient records. Ultimately, the significance of this study to the central problem of security of health information systems lies in stating the necessity of creating a robust security policy that is integrated in the privacy policy of the software package.
Electronic health records are important in the ever forward march of improving patient safety (Sitting, Singh, 2012). Since 2008 the number of vendors selling systems has increased more than fifteen-fold and there is no reason to believe that this increase will abate any time soon. However, along with the amazing pace of development of these system, there is an increasing level of safety risks that they introduce (Sitting, Singh, 2012). Sitting and Singh propose that in order to augment patient safety that clear guidance ought to be given to institutions that employ them, modeled on the Joint Commission’s National Patient Safety Goals (2012). Due to the heterogeneity of platforms across the country, they propose a three phase system to improve safety. The first phase, aimed at all users, includes goals to mitigate risks. The second phase accounts for the failure to adequately use technology or the misuse of technology. The third phase would monitor healthcare processes and outcomes and attempt to identify safety issues before they arise and cause harm to a patient. Ultimately, this synchronization is important from the perspective of security because it would provide a level playing field of set standards that will ultimately improve patient safety and increase utilization of these systems.
Conclusion
In sum, Health Information Systems have changed the way that medicine is being practiced. However, medicine is not like every other industry, and there is a special humanitarian interest that does not exist in other fields. Furthermore, there is a particular privacy concern and an accessibility issue that must be maintained in order to deliver the patient the best possible care that he can receive. Systems must be put in place to both ensure the security of his data so that it is not misappropriated and misused towards nefarious ends. Furthermore, the information must be constantly accessible by the patient and the healthcare provider in order to deliver healthcare when it is needed. Digitization of the records can prove to cause unforeseeable levels of harm if they are not accessible when needed and in the event of catastrophic failures, it could leave physician, patient, and the patient’s family alike, wishing for a bygone day when records were kept on pen and paper and not subject to data or power failure.
Works Cited:
Carrión Señor, I., Fernández-Alemán, J.L., Toval, A. (2012). Are personal health records
safe? A review of free web-accessible personal health record privacy policies. Journal of Medical Internet Research, 14(4), e114. doi: 10.2196/jmir.1904.
Cucoranu, I.C., et al., (2013). Privacy and security of patient data in the pathology
Hajrahimi, N., Dehaghani, S.M.H., Sheikhtaheri, A. (2013). Health Information Securtiy:
A Case Study of Three Selected Medical Centers in Iran. Acta Informatica Medica, 21(2), 42-45. doi: 10.5455/AIM.2012.21.42-45.
Kwon, J., Johnson, M.E. (2013). Security practices and regulatory compliance in the
healthcare industry. Journal of the American Medical Informatics Association, 20(1), 44-51. doi: 10.1136/amiajnl-2012-000906
Shimada, S.L., et al. (2013). Patient-provider secure messaging in VA: variations in
adoption and association with urgent care utilization. Medical Care, 51(3), s21-28. doi: 10.1097/MLR.0b013e3182780917
Sitting, D.F., Singh, H. (2012). Electronic Health Records and National Patient-Safety
Goals. The New England Journal of Medicine, 367(19), 1854-1860. DOI: 10.1056/NEJMsb1205420
Tan, J. (2010). Adaptive Health Management Information Systems. Sudbury, MA: Jones
and Bartlett.
Yoo, S., et al. (2013). A study of user requests regarding the fully electronic health record
system at Seoul National University Bundang Hospital: Challenges for future electronic health record systems. International Journal of Medical Informatics, 82(5), 387-397. doi: 10.1016/j.ijmedinf.2012.08.004.
