Analysis of Information Security of Health Record Systems - Term Paper Example

EHR Review Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Name Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Course Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Lecturer Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx August 13th, 2012. Introduction With the introduction of technology in the healthcare sector, confidentiality, consent and privacy have been a major concern to individuals. Through the introduction of technology, it has been easy for medical institutions to easily store and retrieve patient’s data (Lemaire et al 2006, pp. 216). Using electronic health records (EHR), it has been easy to increase efficiency and accessibility while reducing threats in accessing patient’s data. The thesis statement that is going to guide us through this report is: Are current information security technologies adequate for electronic health records? To cover this report we are going to take a look at the importance of these technologies how applicable they are in medical institutions and if there is any recommendations that should be kept to ensure security and confidentiality of a patients records. Background Consent, Privacy and Confidentiality are key principles observed by medical professionals in the recording of medical data and in this case we are going to take a deeper look at the definition of each of the terms. Consent is classified in two broad terms: the ethical dimension and the legal dimension. Consent has been emphasised for many years in medical institutions as a health policy as it strengthens the relationship between health professionals and the public. It therefore gives individuals the right to decide on the actions they would like taken by the professionals while treating them as consent emphasises on individual information (Win and Fulcher 2007, pp.94). Consent takes an ethical dimension when any consequence or alternative of a medical procedure is to be communicated first to an individual. The law also recognises that consent be applicable by all regulatory bodies in the processing of individual medical data. This has been supported by various Acts in the United Kingdom government that promotes human rights and data protection. This human rights act supports the rights to respect an individual‘s privacy using eight principles summarised that personal data should be made lawfully and fairly and there should be a lawful reason why individual data should be retrieved from the data banks. Consent as applicable in electronic data involves auditing purposes of patient’s records. This has mostly been used in cancer patients to check on their progress (Clark and Findlay 2005, pp.1007). Using the electronic form of storing their information, it becomes easy to identify the patient and quickly analyse the conditions thereby having the right recommendation. To ensure that there is much individual consent, the feedback of any examination should be done electronically and at the same time medical professionals should keep up to date records to ensure that correct information is passed to the patients. Privacy can be regarded as a situation where someone’s information is not disclosed or in other situations kept to secret. In medical institutions, privacy has been highly upheld through different legislations that protect any information belonging to a patient from being disclosed. Privacy can be associated to space of an individual, place in which a person stays and the physical location. The Australian standard for palliative provision states that there should be an awareness of privacy in order to maintain a friendly environment for patients and their families (Perera et al 2011, pp.96). In this case it is observed that space represents home and the physical location relates to where they rest after they die. Privacy also includes free interaction of the patient and their family members hence creating space outside from interference. Confidentiality and privacy goes hand in hand where storage of patient information in electronic manner is broadly based. Data being stored in random places ensures confidentiality because this kind of system provides little or no access to records. Information being confident prevents threats from both internal and external access of data and more importantly easy retrieval and storage of data. For there to be easy storage, security has to be a major concern and that way confidentiality will be enhanced in health institutions (Street and Love 2005, pp.1799). Issues that will be accompanied by confidentiality will include authentication which involves the right person to get the information from electronic sources and how the data gotten should be delivered to the required centres. The need to share health records In deed there is an importance on why health records should be shared. This is in regard to maintaining and improving the health situation of the patient. Following the security principles, patients are allowed to share their records with medical practitioners so that they can be aware of their progress and how the patient is to be treated in cases of being transferred to another hospital. In the exchange of data, privacy should be maintained as safe methods are applied in retrieving of information by authorised users (Elahi 2009, pp.117). It should also be noted that a lot of exchanging of information would lead to inefficiency leading to insecurity and thereby breaching confidentiality on the side of the patient. Perspectives of Different group on Sharing of EHR Medical professionals think that security should be greatly regarded so long as it is to the benefit of the patient (Whiddett et al 2006, pp.539). With the introduction of computers, security has been enhanced by encryption of any relevant information and through a system called random computing. Medical practitioners say that with technology, there is an increased chance of keeping records in a confidential manner. Patients express less concern about the threat of security of their EHR records as the benefit of clinical use computerised systems far outweighs the security risk involved (Elahi 2009, pp. 116). In a study carried out in Canada it was found out that 90 per cent of patients approve the use of computer systems in management of health records (Willison et al 2007, pp. 709). However, 48 per cent want the usage of EHR to be limited to their own personal physicians. Concerns about the intention of outsiders in accessing the information of patients was highest if the secondary access were to be allowed by groups who stood to gain an economic advantage from them (Perera et al, 2011 pp. 96). 67 per cent of the respondents would consider their rights violated if insurance companies could access their health information, while only 22% felt that it was wrong for universities to make secondary use of EHR. Most patients feel that the highest security risk to EHR is if it transverses the internet (Beebe et al 2011, pp.706-9). A similar study also support that majority of patients are willing to allow their records to be used in research but are concerned about the privacy of the information stored in ERP’s. Most patients however expressed increasing concern about the security of EHRP as advances in computing continue to be made (Civelek 2009, pp. 298). The concern of privacy of information is brought about by the struggle to by institutions to gain control over information against the patient’s desire to freedom. One of the largest concerns of patients when giving consent for usage of their health record is anonymity. In () patients were more willing to give consent to use of health records if the records could not be identified with them later. However, 60% of the respondents’ still felt that even anonymous information should only be used by health professionals only. Why EHRs need to be reviewed The need to enhance security of EHR has increased with the use of handheld devices to store and transmit data. An EHR system that consists of mobile devices has multiple levels of security vulnerability (Susilo and Win 2007, pp 218). The records can be compromised at the internet level, at the wireless application level, at the wireless network level, the mobile device level and finally on the user level. The increased susceptibility to attacks brought about by the incorporation of Mobile devices into EHR systems means security has to be improved at each of these levels. Secondly, patients do not give unlimited consent for use of their EHR information but they express a number of reservations over the usage information collected about them. Current, EHR system do not consider the type of consent granted for use on information before determining who can access this information (Flores, Win and Susilo, W 2011, pp.17. Patients give consent for the usage of their health information based on whether they are sure who will be using it, on how many occasions the information will be used and on whether the information is anonymous. This brings about the need to create an EHR system that reflects the desire of patients over their EHR (Bergmann et al 2007, pp. 130–136). Finally, there have been increased cases of breaches of EHRs causing considerable distress to patients and exposing health institutions to legal action. For example the in August 2000, Kaiser Permanente sent private messages for 850 patients to 19 unintended recipients (Win 2005, pp. 13). A health worker for the Florida public health department also compromised the privacy of 4000 HIV positive patients when he sent their names to the local newspaper (Win 2005, pp. 13). Leakage of information in EHR has devastating consequences for both patients and the institutions charged with safeguarding the information. A patient may become severely embarrassed, have their lives or careers ruined, and lose the possibility of getting medical cover (O’Brien, William and Yasnoff 1999, pp. 749). The institution may be sued for the breach of privacy sometimes by multiple individuals in class action suits. Recommendations for security system User Authentication is one of the security mechanisms that EHRs can use to enhance the security of information. Although password and usernames and passwords have been used for a long-time to secure information system they have been seen to be vulnerable and need to be complimented using biometric based authentication and role –based access controls (Ohno-Machadoa et al 2004, pp. 602). Role-based access controls can be implemented according to four access mode suggested Porteri and Borry (2008) based on the levels of consent. Another access mechanism that can be very effective in ensuring security of EHR is an RFID chip which is inserted below the skin which allows the computer to uniquely identify users of the system (Win 2005, pp. 13). The use of Web Certificates and digital signatures can also be used to secure EHRs where the records have to be accessed over the internet. The implementation of the 128-bit certificates is used by the Canadian traumatic brain injury EHR system which allows secure web-based access of clinical information. Use of Public Key encryption and Kerberos are also methods that EHRS can use to enhance the integrity of information transmitted through the system. Conclusion The need to review EHR systems has become more urgent as the world become more interconnected and technology in the information systems become more sophisticated. While health records still need to be shared to enhance treatments and discover cures there must be a balance on the need to share and privacy of patient’s information depending on the level of consent granted by the patient. EHR systems can be reviewed to incorporate advance in computing technology to enhance sharing of information while at the same time ensuring security of information. References Beebe, T.J, Ziegenfuss,J.Y, Jenkins, S.M, Haa, L.R, Davern, M.E. 2011, Who Doesn’t Authorize the Linking of Survey and Administrative Health Data? A General Population-based Investigation, Ann Epidemiol, vol.21, no.19, pp.706-9. Bergmann J,. Bott, O.J Pretschner, D P. Haux R. 2007, An e-consent-based shared EHR system architecture for integrated healthcare networks, international journal of medical informatics, vol.7, no. 6, pp. 130–136. Civelek, C 2009, Patient safety and privacy in the electronic health information era: Medical and beyond, Clinical Biochemistry, vol. 42, pp. 298–299 Clark, A. M., Findlay, L.N 2005 Attaining adequate consent for the use of electronic patient records: An opt-out strategy to reconcile individuals’ rights and public benefit, Public Health, vol. 119, pp. 1003–1010. Elahi, E 2009 Privacy and consent in the digital era, Information security technical report, vol. 14 pp. 113–118. Flores, A.E., Win, K.T & Susilo, W 2011, Secure Exchange of Electronic Health Records, In: Chryssanthou, A., Apostolakis, I., Varlamis, I., Susilo, C.R ed, Certification and Security in Health-Related: Web Applications: Concepts and Solutions, Hershey , New York, pp.17. Lemaire, E. D., Deforge, D., Marshall, S & Curran, D 2006 A secure web-based approach for accessing transitional health information for people with traumatic brain injury, Computer methods and programs in biomedicine, vol. 81 PP. 213–219. O’Brien, D.G.,William A., & Yasnoff, M.D. 1999, Privacy, Confidentiality, and Security in Information Systems of State Health Agencies, American Journal of Preventive Medicine 1999; vol. 16, no.4. pp. 749 Ohno-Machadoa, L., Sérgio, P., Silveirab, P., & Vinterbo, S. 2004, Protecting patient privacy by quantifiable control of disclosures in disseminated databases, International Journal of Medical Informatics (2004) 73, 599—606. Perera, G., Holbrook, A., Thabane, L., Foster. & Willison, D.J 2011 Views on health information sharing and privacy from primary care practices using electronic medical records. International journal of Medical Information, vol. 80 pp. 94-101. Porteri, C, & Borry, P 2008, A proposal for a model of informed consent for the collection, Storage and use of biological materials for research purposes, Patient Education and Counseling vol.71, pp. 136–142. Street, A.F& Love, A 2005 Dimensions of privacy in palliative care: views of health professionals, Social Science & Medicine, vol. 60 pp. 1795–1804. Susilo, W., & Win K.T 2007, Securing Personal Health Information in Mobile, International Journal of Mobile Communication, vol.5, no.2, pp 215-224. Whiddett, R., Hunter, I., Engelbrecht, J. & Handy, J 2006 Patients’ attitudes towards sharing their health information, International Journal of Medical Informatics, vol. 75 pp. 530—541. Willison, D. Schwartz, L., Abelson, J. , Charles, C., Swinton, Northrup, D. & Thabane, L 2007, Alternatives to Project-specific Consent for Access to Personal Information for Health Research: What Is the Opinion of the Canadian Public?, J Am Med Inform Assoc. 2007 , vol.14, no.6, pp 706–712. Win, K.T 2005, A review of security of electronic health records, Health Information Management Journal, Vol.34, No.1,pp. 13. Win, K.T. & Fulcher, J.A 2007 Consent Mechanisms for Electronic Health Record Systems: A Simple yet Unresolved Issue, J Med System, Vol. 31, pp. 91–96. Read More