Information security in healthcare systems

¶ … Security in Healthcare

The recent advances in technology -- databases that store personal medical records and information -- are bringing tools to patients, doctors and other healthcare professionals that were simply not available just a few years ago. There is hope that eventually, a doctor in Hawaii that is treating a medical emergency for a tourist from Florida, will be able to access the digitally kept medical and healthcare records for that injured tourist. In other words, there will likely be in the foreseeable future a national database -- that perhaps links state databases with each other the way the FBI and local law enforcement agencies are linked -- that will be of enormous benefit to citizens and their healthcare providers.

But before that nationally linked database can become a reality, there are a number of potential problems that need to be ironed out. For example, legislation needs to be enacted that will certify safety in terms of patient privacy and security. Currently, there is legislation on the books -- the Health Information Portability and Accountability Act (HIPAA) Privacy Rule that is supposed to be sufficient to safeguard personal medical files. President Barack Obama pushed for this legislation; also, at his behest the Congress voted to include $20 billion in the recently passed stimulus package that gives states money to launch the technology needed to establish databases for the purpose of putting medical records in digital form.

But as promising as these events are, according to an editorial in the Journal of the American Medical Association (JAMA), "Invasions of privacy and security breaches" pose "major obstacles to the implementation of health IT" (Gostin, et al., 2011, p. 1373). Public policy should be pointed toward achieving what Gostin refers to as the "dual benefits of personal privacy and improved research" (1373). This paper agrees wholeheartedly with that goal.

Background / Introduction

The American society has truly entered an era that might one day be called "the digital epoch" because so many important transactions, communications, records, information files and other personal materials are in digital form. This is on the one hand an amazing time to be alive, because anyone with a personal computer and online access can communicate and interact with others elsewhere on the planet. Citizens can do their banking online, can pay bills online and order Christmas presents online -- saving the use of autos and the resulting carbon footprint that fossil fuels produce.

On the other hand, this is a dangerous time because experienced hackers and other criminals are technically competent to break into even the most secure Website. And while having one's medical records online makes it far easier for "doctor A" to find out what medications the patient has been prescribed by "doctor B," there is also the element of uncertainty and angst that the patient necessarily goes through, wondering if his or her records will be kept private and secure.

This paper delves deeply and investigates the subject of security and confidentiality vis-a-vis the digital storage of medical records. It also presents the dangers that are very real in the sense that scoundrels like those associated with Wikileaks and other interlopers are not going away any time soon. If Wikileaks could access 779 classified prisoner dossiers from those alleged terrorist individuals incarcerated at Guantanamo Bay (Cuba), penetrating a U.S. Defense Department databases, they can most certainly hack their way into a healthcare-related database in Miami, Florida, or Seattle, Washington, to dig up some dirt on a public official they wish to embarrass. The security issue must be assured, otherwise it will mean innocent citizens will have their most personal health issues at risk.

Analysis of the Issue

The key to understanding the positives and negatives regarding the security of personal healthcare information is to investigate a wide swath of available literature. Dr. Robert Kolodner is National Coordinator for the Office of the National Coordinator for Health IT in the U.S. Department of Health and Human Services. He testified before the House Oversight and Government Reform Committee in 2007, asserting, among other important remarks, the following: "Safeguarding personal health information is essential to our national strategy for health IT." Any strategy that does not fully preserve and protect a patient's privacy and security "would neither advance our interests nor those of the American people," he explained to the Subcommittee on Information Policy, Census and National Archives. He went on to assert that protecting health information in the current digital environment "requires a coordinated effort by all stakeholders" (Kolodner, 2007).

Kolodner concludes by stating the obvious, that secure policies and procedures cannot possibly be developed "in a vacuum." There must be input and participation from all the stakeholders, including the patient, the patient's doctor, the medical facility where the patient receives care, and the families of the patients (in most cases). What alert citizens and investigative journalists need to do is stay vigilant regarding all government and private industry actions that relate to safekeeping of personal, private healthcare files.

My Position

It is clear that personal medical records in many states and cities are now being stored in digital files, and on the surface this is a good thing. It is a good thing because in 99.9% of the cases doctors, nurses and medical staff members can be trusted to respect those personal medical files. Indeed, here is one scenario that illustrates the value of digital files for citizens' healthcare records. Let's assume there has been an emergency in Indiana -- an elderly woman is involved in a traffic accident -- and the patient arrives at the regional hospital unable to speak to the attending physician. With digitally accessible files, the doctor can log on to a database that will allow him to see this patient's medical history, what medications she has been given, what her doctor wrote during her last checkup, and more.

That is the positive side of keeping personal healthcare records in digital databases. The down side is that there most certainly are evil people lurking in various places around the planet, there faces hidden, their skills at hacking into secure computers and databases better than the best technology technicians' ability to block them. If society is moving towards keeping all medical records in digital files, there needs to be assurance from the stakeholders that those files are safe and secure.

Support For My Position

An article in the journal ACM Computing Surveys (Dogac, et al., 2005, p. 277) describes an "electronic healthcare record" (EHR) as: "Digitally stored health care information about an individual's lifetime with the purpose of supporting continuity of care, education and research, and ensuring confidentially at all times" (Dogac, 277). What the EHR (later in this paper it is referred to as a PHR -- a personal health record) actually includes is a great deal of information that can be of great value to the patient and his or her doctor. The EHR includes: "…observations (by doctors, nurses, etc.), laboratory tests, diagnostic imaging reports, treatments, therapies, drugs administered, patient identifying information, legal permissions, and allergies" (Dogac, 277-78).

At the time this article was published (2005), most medical information was stored in "all kinds of proprietary formats in a multitude of medical information systems," but the promise from this information was that making EHRs "interoperable" will be of enormous benefit to patients and their healthcare professionals (Dogac, 278).

A more recent article in the journal Healthcare Financial Management asserts that it is very clear that the "daily functioning of a healthcare provider" depends largely on the "integrity and reliability of the provider's information systems" (Glaser, 2010, p. 40). What Glaser means by that backs up this paper's assertions that competent professionals in the healthcare system realize fully that without a dependable, modern IT component that can keep financial and personal records for patients, any given system is to be considered inadequate and outdated.

Glaser insists correctly that the bar for security in healthcare IT "… has been raised," but given that fact, the dependence on electronic health records "…leaves the organization less able to tolerate viruses and other malware threats that can make the EHR unusable" (40). Understanding that the risks are there -- and this subject has been raised hitherto in this paper -- is critical to dealing with those threats. The threats that Glaser mentions on page 40 include: hackers, viruses, and worms. Hence the need for "increased diligence regarding healthcare IT security" is among the great challenges on healthcare in the United States today.

As the number of users increases, the threats can grow, Glaser explains. One threat comes from an unlikely source, smart phones, according to the author. Indeed, there is a new class of "powerful mobile devices" that are being marketed as consumer devices (think the iPhone, Blackberry, and other smart phones with increasingly sophisticated technologies) that are being used to gain access to medical databases. This is not to say that these smart phones are illegally accessing private files in databases. But some of the phone can be bought "outside of the normal purchasing and IT controls" and moreover, the medical service may not know how many mobile devices are being used, "let alone the degree to which these devices have encrypted hard drives" (Glaser, 41).

Also, while wireless systems (WiFi) are a wonderful technological tool, Glaser reminds readers that these systems provide yet another way for hackers to invade private medical files. Yet another concern Glaser mentions (41) is the fact that physicians are now communicating with other physicians through Internet-based systems and while "improved care" may result from these devices, they may also become "a means for inadvertent and inappropriate release of patient identifiable health information."

Virginia Sharpe writes in The Hastings Center Report that among the virtues of electronic records is the ready access to personal healthcare by doctors and other medical professionals during emergencies such as Hurricane Katrina. For example, the Veterans Health Administration (where she is an employee, or was at the time of her article) was able to back up all digital medical files for some 50,000 patients in New Orleans during the terrible floods that devastated the city in the aftermath of the hurricane.

By backing up those records, that allowed technical people to "re-enter them into a computer in Houston within four days of the storm" (Sharpe, 2005). Another event took place after the hurricane that shows the usefulness for this technology; the Office of the National Coordinator for Public Health Information Technology interacted with pharmacies to set up a central database. That database allowed for the digital filing of prescription drug records for 800,000 people that had been negatively affected by Hurricane Katrina. Hence, healthcare providers would have access to those prescription drug records, making it easy for a doctor in another part of the country (perhaps Houston) to learn instantly what any given patient's health history has been, and what medications are needed.

If those records had not been logged into digital databases, some information that is vital to the health of a patient might be, as Sharpe explains, "…buried in a paper chart" somewhere. That said, Sharp adds that "sufficient attention" must be paid to privacy and security when it comes to those records; if that attention is not sufficient, "the virtues quickly become vices" and a patient's life can be negatively affected. "Unprotected electronic records can be hacked by identity thieves," Sharpe continues; she notes that files have already been hacked into and personal private information has already been stolen.

In July of 2005, for example, 57,000 patient records that were kept on back-up tapes in a managed-care company in Phoenix, Arizona were stolen (Sharpe). While the author admits that the most recent legislation -- the Health Insurance Portability and Accountability Act and the Privacy Act -- does offer security and provides federal funds for local and state-related databases. Still, she goes on, a centralized database can be "misused"; and moreover, since patient records are available to "many users," any one along the line could breach the confidentiality of an unknowing patient. At the time this article was written, there were still decisions to be made regarding the converting of millions of medical files into digital database files; Sharpe insisted that in order to keep privacy rights "such as notification, opt-in/opt out, confidentiality, and personal access" save and secure, the government must work with professionals and private citizens to make sure things are done correctly.

Meanwhile the U.S. Department of Health & Human Services (HHS) has implemented a new regulation that is part of the Patient Safety and Quality Improvement Act of 2005 (PSQIA), according to an article released by the HHS. The PSQIA established a reporting system that is voluntary and will point towards enhancing all the data available regarding patient safety and quality of healthcare matters (HHS). There are some federal guidelines within this legislation that are important. To wit, there are federal confidentiality protections for patient safety information called "patient safety work product," which includes all the information that has been collected and created when there are patient safety events that have been held. A patient safety event occurs when information is being uploaded or downloaded to a database and within that window of time breaches could technically occur.

This patient safety confidentiality regulation means that during the time that providers (healthcare IT people or others involved in logging in data about patients) may report "and examine patient safety events" they can do so without fear of liability (HHS). The increased data that can be provided is important to the health of the patient, of course, and the government is showing through this legislation and through these guidelines that it is committed to the safe retrieval and protection of all personal health-related information.

When it comes to providing better access to individuals' healthcare and medical records, an article in the American Journal of Managed Care (AJMC) suggests that personal health records (PHRs) should be available not just to doctors and other medical professionals, but to the patients themselves. Consumers should be allowed to -- and should understand how to -- "access, manage, and share their health information" (Patel, et al., 2011, p. 104).

When personal healthcare records are "tethered" to a healthcare providers' own system of record-keeping, it can include data not just from that healthcare provider but from other health records that the patient has accumulated along the way through life. But not all electronic health records are complete, and not all databases offer thorough records, although it is expected as time goes on that there will be upgrading of all the systems to make records up-to-date, accurate, and available (Patel, 104).

Having electronic records available certainly is a help to doctors when the patient has chronic healthcare conditions. In New York State, a system is being launched called the Western New York Clinical Information Exchange (HEALTHeLINK) that allows providers "to access their patients' clinical information," Patel goes on. This system is only one of 17 that communities across the country are developing; with that in mind, the authors of this article launched a study to see what particulars that are associated with PHRs consumers have issues with or comments about.