Information Security of Health Record Systems - Assignment Example

Information security of health record systems xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Name xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Course xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Lecturer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Date xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Executive summary Security and privacy of health information is becoming increasingly important. The adoption of provider consolidation, increased regulation and digital patient records all point to the need for better information security of heath records. Governments across the globe have envisioned the adoption of electronic health records systems in the near future as they are regarded more secure as opposed to the traditional paper-based recordkeeping systems. Even so, elimination of paper-based records cannot be accomplished instantly and thus issues underlying security of these systems need to be addressed. This report gives a review of information security of health records systems with regard to both paper-based records and Electronic Medical Records. Table of Contents Executive summary 2 Table of Contents 3 1.0 Introduction 4 2.0 Health care record systems 5 2.1 Paper-based health records 6 2.2 Electronic health records 7 2.2.1 Threats to information privacy in EHR 7 2.2.2 Implementing and monitoring information security in EHR 8 3.0 Conclusion 10 References 10 INFORMATION SECURITY OF HEALTH RECORD SYSTEMS 1.0 Introduction Health information systems are the building blocks for decision making across functions within health facilities. Appari & Johnson (2010) assert the role of health record systems in decision making has four major underpinnings: communication, compilation, data generation, analysis and synthesis. Therefore, sound and reliable health records systems are required in achieving proper decision making processes. As such, it is essential for healthcare facilities to develop and implement procedures that regulate and govern these records. These include proper human resource development in healthcare records education, service delivery and information of health records security. Information security of healthcare records has become particularly an interesting area of research across the globe. This is because information security and privacy are key principles that determine the effectiveness of the patient-physician therapeutic relationship. Usually, patients are required to share certain information with doctors for purposes of diagnosis and treatment procedures. However, they often find it difficult to disclose all information especially in case of health complications like HIV and psychiatric problems as their disclosure might lead to discrimination and stigmatization. Hodge (2003) defines information security as the protection of information and information systems from destruction as well as unauthorized modification, disruption, disclosure, use and access. Information security in the healthcare sector is achieved by ensuring availability, integrity and confidentiality. Confidentiality refers to the property that health information is not disclosed or made available to unauthorized persons. Integrity on the other hand makes reference to the fact that health records should not be destroyed in an unauthorised manner. Availability of health records refers to easy accessibility and usability of health records upon demand by an authorized person. The purpose of this report is to give a review of various information security methods that are used on different types of healthcare records systems. 2.0 Health care record systems Health records also known as medical records are instruments used by health practitioners to track a patient’s medical history and thus determine patterns and problems of the current medical problem. Medical records are quite fundamental as they enable healthcare providers to provide quality health care to patients. In addition to providing information required for the therapeutic process, medical records fulfil legal, auditing and regulatory requirements. Medical records contribute to the quality of medical services provided to patients by improving coordination and efficiency in interprofessional and team-based settings, optimizing the use of resources and facilitating resources (Baker 2006). Medical records contribute to the quality of healthcare by providing a detailed description of the patient’s health status and the rationale for treatment. Karen et al (2009) maintain that they are helpful tools during subsequent visits to the hospitals as medical practitioners can have a review of the patients past and current health status. Besides that, they are evidence of care, that is, they are legal documents that prove that a patient received certain medical attention and especially in cases of civil and criminal matters. Medical records can be classified into two broad categories: paper-based recordkeeping systems and the Electronic Medical Records (EMR). Paper-based medical records arose at the beginning of the 19th century and they basically involve the use of highly personalized lab notebooks used by healthcare providers to record their observations and treatment plans about patients. One sticking feature about paper-based recordkeeping systems is that papers or files are piled up in the hospital archive which makes the process of retrieval tiring and time consuming (Laerumet al 2003). Due to these disadvantages, paper records are gradually giving way to electronic records which are more efficient and less costly. Security and privacy issues underlying the two types of recordkeeping systems are quite different as the storage systems are also different (Shortliffe 1999). 2.1 Paper-based health records Paper-based records are considered a traditional method of recordkeeping in the healthcare sector as it has been overtaken by technologically enabled recordkeeping systems such as the Electronic Health Records system and Google health. This is because paper records have been associated with al lot of insecurity and vulnerability to destruction by fire or theft. Besides that, paper-based recordkeeping systems involve piling up of thousands of patient manila folders and files which require adequate storage space as well as professional record keepers to avoid instances of lose. McCarthy (2010) criticizes paper records as they are resource and time intensive and waste a lot of precious time that could be used to clear the queue of patients. Even so, Lorsch (2009) posits that paper-based recordkeeping systems are not going anywhere as hospitals cannot do without them completely. Even with the outburst of EHR, a vast majority of doctors and other healthcare providers are still using paper-based records to take note of patient’s medical histories, radiology reports, patient charts and laboratory reports. Surveys in the US indicate that only 17% of doctors purely use EHR. Thus, paper-based records are going to be there for a long time. Of importance is to ensure that paper-based records are properly stores and secured as they are more prone to unauthorized access and destruction relative to electronic records. Essentially, patient files should be located the in hospital department where they are used. This provides the record custodians with storage and management procedures that best suit their department (APA 2007). To avoid confusion, the files should be assigned unique departmental codes or numbers within the directory of records. The whereabouts of each file is standardized through its management-approved department office responsible. Its availability is furthered by use of a directory of records database that contains the retrieval and automated methods. This systemized approach ensures that files occupy office space only when the patient visits the hospital or during any other instance when they are in active use for example when needed by insurance companies. Each department should assign a records custodian whose principal role is to manage index and retrieval systems of the department patient files by use of the Directory of Records. He will also be assigned the responsibility of filing incoming files and ensuring that they have adequate backup for instance duplicating the most essential ones. Additionally, the custodian will conduct annual purge of active files so as to eliminate those that are no longer in use. He will also be in custody of store keys and passwords to the backup electronic records (BCIT 2011). 2.2 Electronic health records 2.2.1 Threats to information privacy in EHR Appari & Johnson (2010) categorize information threats or insecurities into two broad areas: organizational threats and systemic threats. Organizational threats usually emerge from within the organization and may take different forms. It could be accidental disclosure where a healthcare provider unintentionally discloses patients’ private information to others for instance, sending an email to the wrong address. An employee with data access privilege could also take advantage to pries upon health records of patients for curiosity purpose or to transmit the information to outsiders for revenge or profits. Physical intrusion is another form of organizational threat to EHR whereby an outsider forcefully makes entrance into the premise and gains access to the system. Intrusion of networks systems from outsiders including hackers, malicious patients or former employees is also classified under organizational threats. Systemic threat on the other hand refers to ‘limits to privacy’. Unlike organizational threats, systemic threats are not caused from any sources outside the information flow but rather from individuals who require the information and thus have the legal privilege to access it (Applebaum 2002). For instance, insurance firms have the right to access medical records of individuals so as to make decisions on whether to issue an individual with life insurance or not. Some employers also demand for medical records of employment candidates and this is an outright threat to the individual as the records can potentially deny him an employment opportunity or a promotion. 2.2.2 Implementing and monitoring information security in EHR In order to ensure that information kept in EHR meets the requirements of confidentiality, availability and integrity, one needs to fully understand the facility’s health IT environment (Al-Nayadi & Abawajy 2007). This includes being conversant with all the terminologies used within the administrative and clinical contexts of the premise, where they are physically located and how they are used. Besides that, one requires to consider situations that might compromise security of information with regard to disruption, disclosure, unauthorized access, modification and destruction of the information. These situations are often unique to organizations and are most technology related for instance lack of properly configured computers. They could also be related to procedural matters for instance lack of security response plans or even personnel issues related to lack of workforce with adequate information security training. Arzt (2007) maintains that the next step after identifying the potential risks to electronic health information is to evaluate the undesirable effect the risk might have on the organizations as well as patients. One way to mitigate such risks is to review the existing health information security policies and develop new ones that will address the risks. This new policies could mean incorporation of new technologies within the organization such as encryption of data on mobile computers such as laptops. Besides that, the policies can outline or refine personnel within the facility authorized to handle EHR and further improve and clarify when and how electronic health information is disbursed to patients and other healthcare providers. Once the policies have been reviewed and new ones developed, then they should be instituted within the facility so as to ensure that security issues are constantly updated and the impact or likelihood of information being destroyed or accessed in an unauthorized manner is reduced (Ilioudis & Pangalos 1999). Safeguarding the solutions and tools developed through security policies requires sustainable implementation of new technologies, installation of new facility controls and training programs for employees. Performing a tradeoff between the cost of implementing the safeguard and the benefits received thereof is one way of determining the best safeguard to use. For instance, if the cost of purchasing a technology is too expensive for the organization, then less expensive administrative safeguards might be more appropriate. Conversely, the organization might not be able to handle the burden of administrative safeguards and thus might opt to sacrifice its finances for an expensive technological safeguard (Albert & Dorofee 2002). 3.0 Conclusion Evidently, security of patients’ medical information is a vital part of any health facility. This is because it determines the quality of health care that will be provided to patient. Information contained in paper-based records is less secure as it is prone to unauthorized access and destruction by fire, floods and theft. Even so, hospitals that chose to adopt this recordkeeping system should develop a systemized approach whereby records are stored within departments that use them and a custodian is appointed to manage the records. For organizations that use electronic medical records certain policies need to be established to govern storage and retrieval of information in these records. To ensure ultimate security of the records with regard to confidentiality, integrity and availability, the hospital can chose to use incorporate new facility controls, new technologies or training programs for employees. Whichever method that a facility chooses to use should ensure that there is maximum security of patient records as such information is quite sensitive and its insecurity could potentially compromise the integrity of a healthcare facility. References APA 2007). Record keeping guidelines. Journal of American psychological association, 62(9) , 993-1004. BCIT 2011, Records management procedure. Retrieved August 15, 2012, from www.bcit.ca: http://www.bcit.ca/files/pdf/policies/6701-procedures.pdf Albert, C., & Dorofee, A 2002, Managing information security risks: An OCTAVE approach. Boston: Addison Wesley Publications. Al-Nayadi, F., & Abawajy, J 2007, An authorization policy management framewok for dynamic medical data sharing. International conference on ointelligence pervasive computing, (pp. 313-318). Appari, A., & Johnson, E 2010, Information security and provacy in healthcare: Current state of research. International journal of internet and enterprise management, 6(4) , 279-313. Applebaum, P 2002, Privacy in psychiatic treatment: Threats and response. American journal of psychiatry,159 , 1809-1818. Arzt, N 2007, Evolution of public health information systems: Enterprise-wide approach. San Diego: A consultation paper for the state of Utah Department of health. Baker, D 2006, Privacy and security in public health: Maintaining the delicate balance between personal privacy and population safety. Computer security applications conference. Hodge, J 2003, Heath information privacy and public health . Journal of Law, Medicine and Ethics, 31(4) , 663-671. Ilioudis, C., & Pangalos, G 1999, Security issues for web based electronic health care records . Thessalonika: Aristotelian University . Karen, W., Lee, F., & John, G 2009, Health care information systems a practical approach for the health care management, Epub Edition. London: John Wiley and Sons Inc. Laerum, H., Karsen, T., & Faxvaag, A 2003, Effects of scanning anf eliminating paper-based medical records on hospital physicians' clinical practice. Journal of the American Medical informatics association, 10(6) , 588-55. Lorsch, R 2009, Paper-based records are not going away. Retrieved August 15, 2012, from MMRGlobal.com: http://blog.mmrglobal.com/tag/paper-based-medical-records/ McCarthy, C 2010, Paging Dr, Google: Personal health records and patient privacy. William and Mary Law review, 51(2243) , 2243-2267. Shortliffe, E 1999, The evolution of electronic medical records. Academic medicine, 74(4) , 414-419. Read More