Scenario:
You are part of a group practice that has decided to implement an electronic
solution for clinical documentation. However, you have come across many horror
stories regarding health information security that have led to failed clinical
information system implementations. How would you prevent this from happening
to your group practice?
When it comes to healthcare, the overall service delivered to people may be the
most important role. However, protecting the patient's privacy and
confidentiality also plays a vital part. Maintaining privacy and confidentiality
helps to protect participants from potential harms including psychological harm
such as embarrassment or distress; social harms such as loss of employment or
damage to one's financial standing; and criminal or civil liability.[1] The
importance of this domain is sometimes neglected because the hazards it poses
are hard to foresee. However, in an environment where change is constant,
personal data can be a point of attack for malicious people, which might lead
to enormous damage not only to the patient but to the institutions as well. In
line with this, restrictions on personal data have become a subject of
fortification in the medical world, especially in health IT.
Going back to the case, integrating an electronic solution for documentation may
be the best or most beneficial intervention for the institution to improve its
services or eradicate issues with data quality. However, it might raise issues
on certain grounds that could lead to negative or positive outcomes. Overall,
the solution will open many gaps that the group will want to cover. Aside from
workflow integration, security is the next topic the group should focus on in
order to address the threats to patients' privacy and confidentiality. To repel
the threats that the solution might face, I formulated some steps that can help
counteract these issues before acquiring the product that will be used as an
intervention.
Establishment of the security baseline
Implementing a decision that affects the workflow of a medical institution by
incorporating or altering its normal scenarios requires validation not only
from the top-level decision makers but from the workers as well. A technical
working group (TWG) might be essential to gather all the necessary consensus
and issues. All the departments should be engaged and represented. Part of the
group will take the lead on data security (the Data Security team) and should
be responsible for consolidating the security baseline from all the members by
using these guide questions:
1. If your department's or group's manual operations are converted to
electronic, what is the most effective security that you can suggest?
2. What would be your suggested methods for optimum data security?
After consolidation, the Data Security team will summarize the results and
present them to the TWG. The TWG will then vote for the most appropriate data
security method. Through this, the whole institution will agree on and support
the method, since it is a consensus. This hits two birds with one stone, as the
baseline is established as well.
Imposing the baseline while selecting the best product
From the baseline, the security criteria can be set, and these should be
satisfied by the software development team or the vendor. When inquiring with
companies that might sell their products or development services, the group may
ask the following:
1. Does/Can your product meet the security requirements the TWG is suggesting?
2. If not, what other plausible methods can replace the features set by the
TWG?
From here, the developers or vendor will design the most effective security,
providing the framework, network structure, levels of protection and additional
security features. The criteria should match the output of the TWG. All changes
should be referred to the technical working group for consultation before
giving the "GO" signal to the developer or vendor. Selection of the best product
that can cater to all the needs (aside from security) will then commence.
Using the product
By providing risk assessment and analysis, potential threats can be counteracted.
Risk analysis is the process of identifying the risks to system security and
determining the likelihood of occurrence, the resulting impact, and the
additional safeguards that mitigate this impact. Parts of risk management are
synonymous with risk assessment.
A. Server and Network Infrastructure: The server is the main brain of any
electronic solution (e.g., EMR, EHR, PHR). Whether it is a localhost, cloud
server or in-house server, the set-up may still be breached.
1. What are the protection methods in place? (e.g., firewall, encryption,
antimalware, antivirus, intensive authentication)
2. Who will be authorized to access the server? (e.g., for upgrades, archiving,
release of patient data)
3. Who is given authority for administrative access? (e.g., generation of
reports, adding/removing user accounts, checking data duplicates)
4. Are security questions available for changing usernames/passwords?
5. Is the server accessible through a public LAN or WAN?
6. Who will be providing maintenance to the server?
7. Where will the server be placed? In what section or department?
B. Hardware and software: These can be a vital part of any information system.
As discussed, the terminals, units or lines can be a vantage point for an
attacker or a person with malicious intent.
1. What will be the operating system of the server? Of the terminals or relay
stations?
2. Does the operating system have internal security/protection? Is the OS
vulnerable to malware/virus/adware attacks?
3. Will terminals have an OS log-in for added protection?
4. What accessories are allowed to be attached to the terminals?
C. Health workers: They are the primary users of the product and should be
given extensive precautions.
1. Who will be the primary users of the software in each department?
2. Will a regular account be given to visiting physicians/health workers?
3. Who will provide technical support in case of issues or technical problems?
4. Are users in the department allowed to give clients' personal data to
requestors such as the police, other regulatory authorities or the patients
themselves? If not, who is allowed?
D. Policies: Policies will give a strong foundation for the standard operating
procedures that may strengthen the protection of patients' personal data.
1. Are passwords changed frequently?
2. Are users allowed to share their account details, such as username or
password?
3. Will an encoder be allowed for computer-illiterate health workers?
4. Is insertion of flash disks allowed in the terminals?
5. What steps must patients or authorities take to acquire personal data?
6. Who will be liable in case of breaches? What actions/penalties will be
imposed?
Note: The above questions were just formulated. One may add or remove queries
to suit their needs.
[1] "Privacy and Confidentiality." Privacy and Confidentiality. Web. 20 Mar. 2016.
<http://www.research.uci.edu/compliance/human-research-protections/researchers/privacy-and-confidentiality.html>.