Tuesday, March 22, 2016

Knowing the security risks

Scenario:
You are part of a group practice that has decided to implement an electronic solution for clinical documentation. However, you have come across many horror stories regarding health information security that have led to failed clinical information system implementations. How would you prevent this from happening to your group practice?

In healthcare, the service delivered to people may be the most important role. However, protecting the patient’s privacy and confidentiality is also vital. Maintaining privacy and confidentiality helps to protect participants from potential harms, including psychological harm such as embarrassment or distress; social harms such as loss of employment or damage to one’s financial standing; and criminal or civil liability.1 The importance of this domain is sometimes neglected because the hazards it poses are hard to foresee. However, in an environment where change is constant, personal data can be a point of attack for malicious people, which might lead to enormous damage not only to the patient but to the institutions as well. Accordingly, restrictions on personal data have become a subject of fortification in the medical world, especially in health IT.

Returning to the case, integrating an electronic solution for documentation may be the best or most beneficial intervention for the institution to improve its services or eradicate data-quality issues. However, it might raise issues on certain grounds, with negative or positive outcomes. Overall, the solution will open many gaps that the group will want to cover. Aside from workflow integration, security is the next topic the group should focus on in order to address threats to patients’ privacy and confidentiality. To repel the threats the solution might face, I formulated some steps that can help counteract these issues before acquiring the product that will be used as an intervention.
   

Establishment of the security baseline

Implementing a decision that might affect the workflow of a medical institution by incorporating or altering normal scenarios requires validation not only from the top-level decision makers but also from the workers. A technical working group (TWG) might be essential to gather all the necessary consensus and issues. All departments should be engaged and represented. Part of the group will take the lead on data security (the Data Security team) and should be responsible for consolidating the security baseline from all the members using these guide questions:

1. If your department's/group's manual operations are converted to electronic ones, what is the most effective security measure that you can suggest?

2. What would be your suggested methods for optimum data security?

After consolidation, the Data Security team will summarize the results and present them to the TWG. The TWG will then vote for the most appropriate data security method. This way the whole institution will agree on and support the method, since it is a consensus. This shoots two birds with one bullet, because the baseline is established as well.

Imposing the baseline while selecting the best product

From the baseline, the security criteria can be set, and the software development team or the vendor should satisfy them. When inquiring with companies that will sell their products or development services, the group may ask the following:

1. Does/Can your product meet the security requirements the TWG is suggesting?

2. If not, what other plausible methods can replace the features set by the TWG?

From here, the developers or vendor will design the most effective security, providing the framework, network structure, levels of protection and additional security features. The criteria should match the output of the TWG. All changes should be referred to the technical working group before giving the “GO” signal to the developer or vendor. Selection of the best product that can cater to all the needs (aside from security) will then commence.

Using the product

By providing risk assessment and analysis, potential threats can be counteracted. Risk analysis is the process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Parts of risk management are synonymous with risk assessment.

A. Server and Network Infrastructure- The server is the main brain of any electronic solution (e.g. EMR, EHR, PHR, etc.). Whether it is a localhost, cloud server or in-house server, the set-up may still be breached.

1. What are the protection methods in place? (e.g. firewall, decryption, antimalware, antivirus, intensive authentication)

2. Who will be authorized to access the server? (e.g. for upgrades, archiving, release of patient data)

3. Who is given the authority for administrative access? (e.g. generation of reports, adding/removing user accounts, checking data duplicates, etc.)

4. Are security questions available for changing username/ passwords?

5. Is the server accessible through a public LAN or WAN?

6. Who will be providing maintenance to the server?

7. Where will the server be placed? In what section or department?

B. Hardware and software- These can be a vital part of any information system. As discussed, the terminals, units or lines can be a vantage point for an attacker or a person with malicious intent.

1. What will be the operating system of the server? Of the terminals or relay stations?

2. Does the operating system have internal security/ protection? Is the OS vulnerable to malware/ virus/ adware attacks?

3. Will terminals have an OS log-in for added protection?

4. What accessories are allowed to be attached to the terminals?

C. Health workers- They are the primary users of the product and should be given extensive precautions.

1. Who will be the primary users of the software in each department?  

2. Will a regular account be given to visiting physicians/ health workers?
  
3. Who will provide technical support in case of issues or technical problems?

4. Are users in the department allowed to give personal data of clients to requestors such as the police, other regulatory authorities or the patients themselves? If not, who is allowed?

D. Policies- Policies will give a strong foundation for the standard operating procedures that may strengthen the protection of patient’s personal data.

1. Are passwords changed frequently?

2. Are the users allowed to share their account details such as username or password?

3. Will an encoder be allowed for computer-illiterate health workers?

4. Is insertion of flash disks allowed in the terminals?

5. What steps must patients or authorities take to acquire personal data?

6. Who will be liable in case of breaches? What actions/penalties will be imposed?

Note: The above questions were just formulated. One may add or remove queries accordingly to suit their needs.  

1. "Privacy and Confidentiality." Privacy and Confidentiality. Web. 20 Mar. 2016. <http://www.research.uci.edu/compliance/human-research-protections/researchers/privacy-and-confidentiality.html>.

