Health Information Security – What Do We Need To Know?

This week for MI 227: Clinical and Laboratory Information Systems, we were tasked to create an article in response to the following scenario:

You are part of a group practice that has decided to implement an electronic solution for clinical documentation. However, you have come across many horror stories regarding health information security that have led to failed clinical information system implementations. How would you prevent this from happening to your group practice?

Our specific task was to create an article listing the questions that my group practice should be able to answer in order to identify risks to securing electronic health information.

Along with the increasing adoption and implementation of health information systems come increasing threats to information security. Cyberattacks on the health industry are on the rise, and they translate not only to millions of dollars in losses but to loss of patient trust as well. A recent example is the WannaCry ransomware that affected the UK's National Health Service. It is imperative, therefore, to ensure that health information systems are secure and that patients' sensitive personal information is adequately protected.

So if I were part of a group practice, I’d like to know the answer to the following questions:

  1. What types and categories of health data are we collecting?
  2. Who has access to the data and which data does each user have access to?
  3. Where will the software/application be hosted?
  4. What security measures are in place to ensure integrity, confidentiality, and privacy of data?
  5. Who will be responsible for preventing, monitoring, and addressing any threats to the system?
  6. What is the business continuity plan should the system be compromised?
  7. How much will it cost to ensure that there are multiple layers of security for the system?
  8. What is the exit strategy for a compromised system and how can data be migrated to another system?

I think that the list above covers the basic questions any owner of a health information system should be able to answer adequately in relation to the security of the system.


Barriers to EHR Implementation

You have been selected to be the project manager for a DOH project with the task of implementing a national EHR that all government hospitals will implement.  Select at least three barriers to EHR implementation from the article that you believe to be the most important ones that might adversely affect your implementation. Explain and provide supporting cases/articles/information.

The scenario above is what we have been tasked to discuss in this blog. This article was provided as a reference. As a disclaimer (for new readers out there), my only experiences working in a government hospital were the following: as a student nurse in Philippine General Hospital (3 years), as a junior OB intern in EAMC (1 month), and as a senior Pediatrics intern at Taguig-Pateros District Hospital (2 weeks). My PGH stint is the longest, although we were only on duty for certain weeks of the school year. I have not encountered any type of EHR in any of those settings. I have, however, personal experience working with an EMR for the past 21 months in the private multinational company I'm currently employed in. In addressing the scenario above, I will take into consideration both my experience, albeit limited, in EMR deployment in a private setup and how I think that would apply to the public hospital scenario, as well as articles or personal stories I have come across.

In the article by Boonstra and Broekhuis (2010), the authors did a systematic review of journals exploring the barriers to the acceptance of electronic medical records by physicians. They identified 8 main categories, namely: financial, technical, time, psychological, social, legal, organizational, and change process. The first three were considered primary barriers, those that are the first to arise when physicians are faced with EMRs, while the latter five were considered secondary barriers: occasionally subconscious, beneath the surface, and so not immediately mentioned.

In a setup where a national EHR will be implemented, I think that the 3 top barriers to implementation will also be the primary barriers the article mentioned. First is the financial aspect of implementation. It could be assumed that since I was already tasked to implement a national EHR, then there already is a budget for this initiative. The health information system itself may be costly, but equally costly is the actual rollout of the EHR. Since the Philippines is an archipelago, the deployment of the EHR especially in geographically-disadvantaged areas can be costly, taking into consideration not just the HIS but the deployment of hardware, ensuring that internet connection is available, and capacity-building of the users. If the RxBox has taken more than a decade for it to be deployed in different parts of the Philippines, then the national EHR may take years as well.

The technical and time aspects of the EHR implementation, to me, are the most challenging of all. Even in my current setup, where an EMR has been deployed in the different business units (countries) where our company operates, these prove to be the biggest hindrances, and they go hand in hand. I could say that the other aspects of the EMR implementation in our company (change process, financial, social, legal) were not much of a problem. The technical and time parts, however, were the main barriers. Most users of our EMR were doctors and nurses aged 30 and above who had not previously been exposed to any type of EMR. The capacity-building for said users is taking years (since the rollout is still ongoing). Of the users I have talked to, the physicians were the most resistant. While all of them were computer-literate, use of the EMR required a different set of skills that they had to learn. Not much time can be dedicated just to learning the system, since operations are continuous and there are constant deliverables that cannot be delayed. A common concern as well was the increased time it took to enter data into the system. If paper charts took an average of 5 minutes to complete, data entry into the EMR took at least twice as much time, sometimes even longer, especially during the initial phases of the EMR implementation when users.

Related to the concerns above is the complexity of the system. One of the identified reasons why it was taking a long time to learn how to use the EMR was its complexity. This is because, despite all of us working in the same company, the health needs of each business unit (country) are different. We have upstream, midstream, downstream, shipping, and shared services, and the processes of one group are not the same as the others'. In an attempt to create an EMR that encompasses the needs of all stakeholders, the end product was an EMR that seemed overwhelming to use. The corporate support team has since tried to address the issue, but the current version that we have could still use some major improvement.

Based on those experiences, I also anticipate that similar issues will be encountered with the implementation of a national EHR. The majority of public hospitals in the Philippines still employ paper-based systems. While the newer generation of health professionals are more tech-savvy and mostly computer-literate, the older generation aren't necessarily so. This will present a challenge during capacity-building of the end-users. As it is, health care personnel in our government hospitals, especially the tertiary ones, have a lot on their plate (with nurse-to-patient ratios as high as 1:40, even worse for physicians). There is little time to learn the new system, and even less time to use it if using the new system will mean needing more time for documentation. In addition, the workflow of government hospitals should be carefully studied as well. The same way that different business units in our company do things a little bit differently (aside from the core processes), the same is expected of the different government hospitals. A basic version may be deployed, but there should be options to customize some functionalities depending on the needs of the hospital. An EHR that is not congruent with the workflow of the users will encounter more resistance during implementation and will not be fully maximized by the staff.

Aside from those mentioned above, I think that one of the legal aspects that is a big concern not just to the physicians but to the patients themselves is the security of data. I remember the #ComeLEAK issue in 2016, where voters' data was hacked and reportedly later sold on the black market. It was regarded as "the worst recorded breach on a government-held personal database in the world". Reports in 2017 revealed that the IP address was traced to the NBI. This incident then begs the question: how safe are our data? A computerized database on health will also mean that the data will be susceptible to hacks such as the Comeleak. Similar concerns on security were likewise raised with the proposed national ID system. More than convincing the users of the EHR that the data will remain secure, it is ultimately the patients, the Filipino people, who will have to be assured that their sensitive personal data will not be compromised.

Two critical targets of the Philippine eHealth Strategic Framework and Plan (2014-2020) of the DOH, under eHealth solutions, are the implementation of an integrated health application or software compliance certification system and the integration and harmonization of various electronic health record systems. Implementation of a national EHR, at least for government hospitals, will work towards achieving these targets. While the barriers are to be expected, the ultimate goal is to improve the delivery of health care services to the Filipino people. If done right, this will usher us into a new era, a better era, of health service delivery, something which the Filipino people deserve.

References: