Ethics and Health Information

Managing Medical Records and the Implementation of Tools and Safeguards Required within HIS
Introduction
Few practices are more important in managing health information systems than managing medical records, safeguarding patients’ medical history, and ensuring that all end users of medical information technology are approved and trained. Some of the biggest factors in security breaches are end users themselves (Rhee, Kim & Ryu, 2009). This is why training of staff on how to use equipment and the importance of protecting passwords is so important (Jackson, 2018). However, the system itself should have system protections built-in that can protect against end user mistakes—protections such as double security via multi-factor authentication (Crossler & Posey, 2017). This paper will discuss the programming language and relational databases that should be used to accommodate security needs for the HIS, the information tools and safeguards required to protect it, the security needed for electronic health records, an applicable code of ethics, and proposals for training staff.
HIS Programming Language and Relational Databases to Accommodate the Task
As Prince (2013) notes, “some programming languages are more susceptible to specific security flaws than others”—which means that some programming languages need to be avoided when it comes to HIS. Those languages include C and C , even though they are commonly used elsewhere. Their commonality is actually part of the problem. Because so many people are familiar with them, it is easier to hack one’s way into systems written in those languages. The issue with them systematically is that they are not type safe languages. In other words, the programmer is responsible for where the type and data go, how information is compiled and arranged, and so on. This makes it far more likely that errors will creep into the programming, errors that can then be exploited by hackers (Prince, 2013). For HIS, a type safe language should be used that reduces the likelihood of such errors occurring. A type safe language is one in which the language itself tracks integers, strings and space amount allotted to information inputs. Languages like .Net are much more preferable for HIS than C because .Net is type safe and thus provides buffers for programmers (Prince, 2013). If HIS security is going to be improved, the programming language has to be one that has improved since C was first unveiled, and that is the case with .Net. The language itself will not solve all the problems—developers will still bear some responsibility in developing a program that is secure; but starting with a language that can help minimize the risk of human error is preferable.
As for databases, the most common database used in health care is the relational database (Campbell, 2004). These are the most commonly used because they allow for the tracking of patient care, such as treatments, outcomes, heart rate, and so on. The relational database can connect to various other systems already in place—i.e., they are compatible with other systems—so, for example, patient information entered into the system in the emergency department can be linked to billing and so on. Or the registration system can be linked to it so that immediately upon registering a patient’s information is available to the nurses in the department he or she will be accessing at the facility (Campbell, 2004). The good thing about relational databases is that it means data only has to be entered in once.
Information Tools and Security Safeguards Needed for the HIS
Reeder, Ion and Consolvo (2017) point out that there is no single, universal way to guarantee 100% security of health information systems. While end user training is really the first line of defense against data breaches, there are other ways that the system can be developed to ensure protection. One of the most important ways is through multi-factor authentication, which offers at least two layers of protection of data whenever it is being accessed by end users. However, even this level of protection is not 100% guaranteed, as there are other ways for hackers to steal data. Data breaches can occur by hacking into the centralized identity repository; surveillance can be conducted of all data and patients’ privacy can be compromised (Crossler & Posey, 2017). Denial of service attacks can occur, eavesdropping, spoofing and tampering can all be ways that hackers meddle, and there are virtually myriad other ways that hackers can penetrate a system—and most of them rely upon end user negligence or upon the end user not being trained to recognize suspicious activity (Vanguard Communications, 2015).
That is why training employees on how to manage information securely is just as important as setting up a secure system by using a solid programming language and relying on intelligent developers who can test their software as they are developing it to make sure it is rigorous and will stand up to any penetration test. Essentially, one needs to construct an impenetrable fortress around patient data—but if the staff inside the fortress leave the front gate open or allow a Trojan Horse to come through the gate, they are inviting a world of pain and suffering for one and all. Indeed, a type of virus that hackers often use has been named a Trojan Horse after the famed myth of ancient Greek history. It is called the Trojan Horse because it comes in a friendly guise: a user may click on a link that is infected by the virus, thinking the link will provide some helpful information: instead it allows hackers to gain control of the system. Thus, it is important to remember that no system is ever going to be 100% safe and secure, because technology is always evolving and hackers are always learning new tricks to invade systems or find loopholes in programs that they can exploit and penetrate. However, they are still going to have to rely 99% of the time on end user mistakes and errors—i.e., like leaving the doors of the castle unlocked, a window open, or a turret unmanned. Mistakes like these can be extremely costly.
Safeguards for Security and Privacy for Electronic Health Records (EHR)
Vanguard Communications (2015) points out that even if there are questions that staff will have to answer to proceed on to records, it is not hard for hackers to guess these answers or to find them out if they want to. These questions are known as backdoors because they can be pried open relatively easily and allow intruders in to access the data on patient files. Digital filers and EHR are thus vulnerable if backdoors are available to hackers. It is best to avoid simplistic security options such as the answer-a-security-question route to proceed to accessing the EHR. For the sake of security and privacy of patient data, there are better options, such as more strenuous multi-factor authentication—i.e., having a one-time use code sent to one’s mobile device or email and using that code to gain access. It may take a moment longer to gain access and one can feel that those moments add up, but in the long run they help to protect patient health records and it is better to be safe than sorry—as the case of Anthem and its data breach shows.
Anthem’s data breach ended up costing the company $116 million to settle the lawsuit that followed out of court (Donovan, 2018). The reason for the breach was simple: it had not trained its employees well enough to know what precautions to take while at work—and so, “a user within one of Anthem's subsidiaries opened a phishing email containing malware” (Donovan, 2018). A phishing email is a method that hackers use to gain access to a system. The email looks harmless enough or may even look legitimate: the unsuspecting user opens it and clicks on a link—and suddenly the computer is infected with malware that allows the hacker to penetrate the system and obtain data. That one email breach allowed hackers to remotely penetrate nearly one hundred different systems throughout the company. That is why making sure systems are secure and that employees are well trained in knowing what type of scams to be aware of and how to avoid them is so important to the company, the patients’ data, and ultimately the bottom line.
Link to Applicable Code of Ethics That Can be Used in the Healthcare Setting
To support the process of installing a secure HIS, it is helpful to be reminded of a useful code of ethics to guide the process. The IMIA Code of Ethics (n.d.) bases itself upon the following six core ethical principles:
1. Principle of Autonomy—everyone has the right to self-determination and to make decisions for oneself
2. Principle of Equality and Justice—everyone has the right to respect and to be treated with equitability and fairness
3. Principle of Beneficence—everyone has the moral responsibility to safeguard the well-being of others
4. Principle of Non-Malfeasance—everyone has the duty to prevent harm from happening to others so long as it is in one’s power
5. Principle of Impossibility—if it is impossible for these duties to be upheld because of extreme circumstances, that is okay—but under normal circumstances, avoiding these responsibilities is not permitted
6. Principle of Integrity—those who have the duties described above have the moral responsibility of fulfilling them
These principles convey the main spirit that should animate the process of ethically approaching health information security. In terms of informatics ethics, the IMIA Code of Ethics (n.d.) focuses on:
1. information-privacy—i.e., everyone has a right to privacy and thus any private information, such as health information, is something that no one else should have access to except for those given access by the individual
2. openness and transparency—i.e., whenever a patient’s data is stored, manipulated, etc., the patient has a right to know about it and to deny the use of his or her data in that manner
3. security—i.e., every person should have the right to reasonably expect that data is protected and safeguarded
4. access—i.e., the patient has the right to access any personal data that pertains to his or her health
5. legitimate infringement—i.e., the right to control data and health information can only be infringed upon in the event of a special circumstance that warrants the violation of one’s rights, such as in an emergency situation where lives depend upon it
6. the least intrusive alternative—if infringement becomes necessary under extreme circumstances, the method of infringement should be the least intrusive option available
7. accountability—i.e., any infringement that occurs must be justified to the patient whose data has been accessed without permission as a result of emergency circumstances.
These are the ethical principles that should govern the implementation of the HIS in the health care facility.
Proposals for Training that May be Required for the Personnel
Personnel will require training so that they understand what is expected of them as end users. Since they are the first line of defense, they have to constantly be on guard about using computers and digital devices that can access EHR and that use the HIS. This training does not have to be dry and technical; on the contrary, employees may benefit most from it if it is fun and engaging for them. That is why best practices for training employees in the use of this technology can include team work exercises that focus on helping members to understand the importance of system security, protecting passwords, and not leaving sticky notes on consoles with passwords written on them for everyone to see.
Building a security culture is important of course, and one way to do that is through interesting training exercises like a weekly security trivia, in which workers can earn points for their team. Points could be redeemed for a pizza party or some other prize. The trivia would focus on understanding security issues and increasing workers’ security intelligence. The weekly trivia contest could be like the trivia games played in restaurants and pubs, only here it would focus on security questions. This type of training is more interesting, generally, to workers—and more meaningful and effective ultimately—than mundane Power Point presentations or computer-animated videos that are watched for five minutes and then forgotten about. The goal here is to get the workers thinking about what matters in terms of security and then using that energy to keep them engaged and knowledgeable.
HealthIT.gov (2018) offers privacy and security training games that staff can play to build up their knowledge of how to ensure that systems are kept safe and secure. As Health IT.gov (2018) notes, “the use of gamification by ONC is an innovative approach aimed at educating health care providers to make more informed decisions regarding privacy and security of health information.” Training does not always have to seem like a chore or a bore. It can take the form of something fun that trainees actually enjoy. The more fun they have doing the exercises, the more likely they are to be engaged with the learning material. And the more engaged they are, the more likely they will acquire a deep down understanding of the essential information they need to keep the system safe and patient data secure.
Conclusion
Managing health information systems effectively is important for the successful usage and storage of patient information as well as for the linking of various departmental information needs throughout a facility. Patients have the right to expect that their health information is protected, and end users have a duty to ensure that they follow the ethical principles regarding electronic health records usage. Staff have to be trained, however, to know what best end user policies are—because they, ultimately, are the first line of defense.
References
Campbell, R. J. (2004). Database Design: What HIM Professionals Need to Know.
Perspectives in Health Information Management 2004, 1:6 (August 4, 2004). Retrieved from http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_024637.hcsp?dDocName=bok1_024637
Crossler, R. E., & Posey, C. (2017). Robbing Peter to Pay Paul: Surrendering Privacy for Security's Sake in an Identity Ecosystem. Journal of The Association for Information Systems, 18(7), 487-515.
Donovan, F. (2018). Judge Gives Final OK to $115M Anthem Data Breach Settlement. Retrieved from https://healthitsecurity.com/news/judge-gives-final-ok-to-115m-anthem-data-breach-settlement
HealthIT.gov. (2018). Health Information Privacy, Security, and Your EHR. Retrieved from https://www.healthit.gov/providers-professionals/ehr-privacy-security
The IMIA Code of Ethics for Health Information Professionals. (n.d.). Retrieved from http://www.imia medinfo.org/new2/pubdocs/Ethics_Eng.pdf
Jackson, R. (2018). Pulling strings. Retrieved from https://iaonline.theiia.org/2018/Pages/Pulling-Strings.aspx
Prince, B. (2013). Programming Languages Susceptible to Specific Security Flaws: Report. Eweek, 12.  Retrieved from https://www.eweek.com/security/programming-languages-susceptible-to-specific-security-flaws-report
Reeder, R. W., Ion, I., & Consolvo, S. (2017). 152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users. IEEE Security & Privacy, 15(5), 55-64.
Rhee, H. S., Kim, C., & Ryu, Y. U. (2009). Self-efficacy in information security: Its influence on end users' information security practice behavior. Computers & Security, 28(8), 816-826.
Vanguard Communications. (2015). Common Threats to Information Security (and Healthcare Providers) (2015). [Video file]. Retrieved from https://www.youtube.com/watch?v=yki_Vr3aefg (12:14)