Managing Medical Records and the Implementation of Tools and Safeguards Required within HIS
Introduction

Few practices are more important in managing health information systems than managing medical records, safeguarding patients’ medical history, and ensuring that all end users of medical information technology are approved and trained. Some of the biggest factors in security breaches are end users themselves (Rhee, Kim & Ryu, 2009). This is why training of staff on how to use equipment and the importance of protecting passwords is so important (Jackson, 2018). However, the system itself should have system protections built-in that can protect against end user mistakes—protections such as double security via multi-factor authentication (Crossler & Posey, 2017). This paper will discuss the programming language and relational databases that should be used to accommodate security needs for the HIS, the information tools and safeguards required to protect it, the security needed for electronic health records, an applicable code of ethics, and proposals for training staff.

HIS Programming Language and Relational Databases to Accommodate the Task

As Prince (2013) notes, “some programming languages are more susceptible to specific security flaws than others”—which means that some programming languages need to be avoided when it comes to HIS. Those languages include C and C , even though they are commonly used elsewhere. Their commonality is actually part of the problem. Because so many people are familiar with them, it is easier to hack one’s way into systems written in those languages. The issue with them systematically is that they are not type safe languages. In other words, the programmer is responsible for where the type and data go, how information is compiled and arranged, and so on. This makes it far more likely that errors will creep into the programming, errors that can then be exploited by hackers (Prince, 2013). For HIS, a type safe language should be used that reduces the likelihood of such errors occurring. A type safe language is one in which the language itself tracks integers, strings and space amount allotted to information inputs. Languages like .Net are much more preferable for HIS than C because .Net is type safe and thus provides buffers for programmers (Prince, 2013). If HIS security is going to be improved, the programming language has to be one that has improved since C was first unveiled, and that is the case with .Net. The language itself will not solve all the problems—developers will still bear some responsibility in developing a program that is secure; but starting with a language that can help minimize the risk of human error is preferable.

As for databases, the most common database used in health care is the relational database (Campbell, 2004). These are the most commonly used because they allow for the tracking of patient care, such as treatments, outcomes, heart rate, and so on. The relational database can connect to various other systems already in place—i.e., they are compatible with other systems—so, for example, patient information entered into the system in the emergency department can be linked to billing and so on. Or the registration system can be linked to it so that immediately upon registering a patient’s information is available to the nurses in the department he or she will be accessing at the facility (Campbell, 2004). The good thing about relational databases is that it means data only has to be entered in once.

Information Tools and Security Safeguards Needed for the HIS

Reeder, Ion and Consolvo (2017) point out that there is no single, universal way to guarantee 100% security of health information systems. While end user training is really the first line of defense against data breaches, there are other ways that the system can be developed to ensure protection. One of the most important ways is through multi-factor authentication, which offers at least two layers of protection of data whenever it is being accessed by end users. However, even this level of protection is not 100% guaranteed, as there are other ways for hackers to steal data. Data breaches can occur by hacking into the centralized identity repository; surveillance can be conducted of all data and patients’ privacy can be compromised (Crossler & Posey, 2017). Denial of service attacks can occur, eavesdropping, spoofing and tampering can all be ways that hackers meddle, and there are virtually myriad other ways that hackers can penetrate a system—and most of them rely upon end user negligence or upon the end user not being trained to recognize suspicious activity (Vanguard Communications, 2015).

That is why training employees on how to...…with passwords written on them for everyone to see.

Building a security culture is important of course, and one way to do that is through interesting training exercises like a weekly security trivia, in which workers can earn points for their team. Points could be redeemed for a pizza party or some other prize. The trivia would focus on understanding security issues and increasing workers’ security intelligence. The weekly trivia contest could be like the trivia games played in restaurants and pubs, only here it would focus on security questions. This type of training is more interesting, generally, to workers—and more meaningful and effective ultimately—than mundane Power Point presentations or computer-animated videos that are watched for five minutes and then forgotten about. The goal here is to get the workers thinking about what matters in terms of security and then using that energy to keep them engaged and knowledgeable.

HealthIT.gov (2018) offers privacy and security training games that staff can play to build up their knowledge of how to ensure that systems are kept safe and secure. As Health IT.gov (2018) notes, “the use of gamification by ONC is an innovative approach aimed at educating health care providers to make more informed decisions regarding privacy and security of health information.” Training does not always have to seem like a chore or a bore. It can take the form of something fun that trainees actually enjoy. The more fun they have doing the exercises, the more likely they are to be engaged with the learning material. And the more engaged they are, the more likely they will acquire a deep down understanding of the essential information they need to keep the system safe and patient data secure.

Conclusion

Managing health information systems effectively is important for the successful usage and storage of patient information as well as for the linking of various departmental information needs throughout a facility. Patients have the right to expect that their health information is protected, and end users have a duty to ensure that they follow the ethical principles regarding electronic health records usage. Staff have to be trained, however, to know what best end user policies are—because they, ultimately, are the first line of defense.