Introduction
In previous modules, we have discussed, at length, a litany of different concerns and troubles that healthcare organizations cite as the primary reasons behind hesitance to adopt digital healthcare records systems. Among them, lack of effectiveness and increased costs are the two most common complaints with EHR/EMR systems. However, one other major point of concern that healthcare organizations have with digital medical records systems is security. In the developing landscape of electronic data storage, cybersecurity has been an ongoing issue in virtually every business sector as more and more industries transition their data and record-storage to online platforms.
The healthcare industry, in particular, poses a set of unique challenges when it comes to electronic data security, as effective healthcare inherently requires that all the members of a particular patient’s healthcare team have easy access to all the relevant information at any given time. Thus, healthcare data safety requires not only physical and digital safeguards but administrative buffers as well. In a day and age where data sales threaten to commodify every aspect of our daily lives, the American public is beginning to decide what is and is not acceptable use of electronic data. This development of a collective mindset will ultimately affect every sector of private and government industry, and healthcare is no exception. In the following sections, we will explore the current state of healthcare data security in the US, the challenges we are currently facing, and how informatics may be used to help address these challenges.
What are the current considerations for patient data security?
As has already been stated, it seems that when it comes to healthcare data, there are three main security considerations to be made: administrative, physical, and digital safeguards. Currently, in regard to administrative safety protocols, healthcare organizations are generally aware of the need for conducting audits, assigning a chief information security officer, and designing contingency plans should a security breach happen.[1] While these security measures are effective, they are rather barebones and incomplete. Generally, large-scale protection of data and information within any system relies on heavy investment in cryptography as an additional form of health information security. Firewalls are another effective tool for health organizations' information security. However, firewalls are often expensive, and the scale and cost of maintenance deter healthcare facilities from implementation, as they would often prefer to invest the money in other, lower-level security features. Further, firewalls limit access to information databases from external users and guard the inflow and outflow of information at the health facility; while effective at combating cyberattacks, they can often misinterpret authentic transactions as malicious, impeding the effective transfer of patient data between providers. Installing anti-virus software on health organization computers is also a simple yet surprisingly effective way of protecting medical information.[1] With it being increasingly common for health information to be transferred between providers, the risk of data hacking inherently increases as well. In the case of healthcare, the exchange procedure for health information must be handled carefully. These information exchanges rely heavily on end-to-end encryption and firewall protections in order for data to remain secure, but even high-level data encryption and the most sophisticated firewall can never be 100% effective at preventing data hijacking.
To this end, the Health Insurance Portability and Accountability Act (HIPAA) has developed restrictions for digital data exchange. HIPAA compliance is a must-have for digital health systems, but as new security measures are mandated, the cost of implementation continues to rise.[1]
There are some further considerations that need to be made in regard to cloud-based data computing and storage. With cloud computing, healthcare organizations are able to avoid the burden of maintaining local data storage; this does, of course, introduce new safety concerns with patient data. When choosing a cloud computing platform, it is essential for organizations to purchase from credible platforms.
Data security is never a one-time business and needs to be maintained on a recurring basis. It is the responsibility of healthcare administrators to routinely perform risk assessments and security audits. A 2017 publication from the Journal of Medical Systems outlines what we believe are five highly effective steps that healthcare organizations can take to mitigate the security risks posed by electronic data storage.[2] These five steps are: (1) identifying potential hazards, (2) identifying the causes and effects of these hazards, (3) estimating the potential harm that could be inflicted by the hazards, (4) estimating the probability of harm occurring, and, finally, (5) evaluating the overall risk posed by the hazards. In the following section, we will explore, in more depth, the common threats posed by electronic data security in healthcare and what we can do to address these threats.
Challenges with protecting electronic healthcare data
The increased use of EHR/EMR systems theoretically increases the interoperability and exchangeability of medical data within and among healthcare organizations. The aim of using EHRs is to improve overall healthcare quality by facilitating communication between physicians, supporting consumers in taking control of their own health with patient portals, and allowing cross-organization cooperation in incorporating vast amounts of valuable data for primary and secondary research. The widespread usage of EHRs, together with the convenience and universality of the internet in a wireless environment, has brought unprecedented threats to patients’ privacy and confidentiality. Even though HIPAA provides thorough guidelines which can be treated as a framework for organizations to implement security programs from administrative, physical, and technical perspectives, the new access and usage patterns of digital protected health information have forced healthcare organizations to significantly expand security programs and come up with new standards and specifications for data privacy. One example of such an issue is physicians using personal laptops or other electronic devices with household Wi-Fi in order to access ePHI (electronic protected health information). How can security programs in healthcare organizations protect ePHI from virus attack under this common circumstance? Another issue around remote access is authentication; how do organizations confirm that the person accessing the ePHI is who they claim to be? None of these issues is particularly novel, but all have certainly become more difficult to address with remote access in wireless environments.
Possible risk-mitigating strategies include proper training for healthcare workers in prudent digital security and safety techniques. Helping them understand their roles in the security program and the possible consequences of a breach fosters an atmosphere where security and patient privacy/confidentiality are valued and taken seriously. Organizations must also update their antivirus software regularly and mandate other basic safety features, such as two-factor authentication, to ensure proper access to ePHI by healthcare workers. Aside from the variety of safety features that providers must take seriously, what can we, as informaticians, do to ease the burden of data safety in the digital era?
The expertise of biomedical informaticians can be used to focus on the research and implementation of new technologies that support safe, secure, and scalable data sharing. One of the technologies that has received considerable attention for storing and exchanging healthcare data in a privacy-sensitive and timely manner is blockchain. The immutable, transparent, and decentralized characteristics of blockchain make its implementation in healthcare data sharing both possible and promising.
![Picture](/uploads/1/3/1/5/131568455/editor/skjermbilde-2020-05-03-kl-2-06-26-pm.png?1588536431)
The essential elements of an effective blockchain technology.[3]
There is already some successful research in implementing blockchain to support data sharing with caregivers and to assist patients in taking control of their data in tele-health and tele-medicine settings. By using a private blockchain, patients have the power to store, modify, and share their data on their own behalf with caregivers, while at the same time protecting their data from improper modification and interception by those who do not have explicit access to the blockchain. Moreover, the open source and decentralized characteristics of blockchain make the incorporation and sharing of clinical data across organizations secure, relatively easy, and moderately inexpensive.
![Picture](/uploads/1/3/1/5/131568455/editor/skjermbilde-2020-05-03-kl-2-10-57-pm.png?1588536708)
Guide to implementing blockchain technology in a healthcare setting.[3]
However, since blockchain is a relatively new technology for assisting cryptography and data sharing, there are several challenges in the implementation of blockchain in healthcare and medicine. Below is a simple graphic that summarizes the overarching pros and cons of potential blockchain implementation in the healthcare system.[3] To date, there is certainly no perfect system when it comes to healthcare patient privacy and security, but from an informatics point of view, it seems that blockchain may be a good place to start.
Want to learn more?
Here are some of the resources we used to write this article!
[1] Kruse, C.S., Smith, B., Vanderlinden, H. et al. Security Techniques for the Electronic Health Records. J. Med. Syst. 2017, 41, 127. https://doi.org/10.1007/s10916-017-0778-4
[2] Cooper, T., and Fuchs, K., Technology risk assessment in healthcare facilities. Biomed. Instrum. Technol. 2013, 47(3): 202–207.
[3] Siyal, A.A.; Junejo, A.Z.; Zawish, M.; Ahmed, K.; Khalil, A.; Soursou, G. Applications of Blockchain Technology in Medicine and Healthcare: Challenges and Future Perspectives. Cryptography 2019, 3, 3.
Personal reflections
Oliver
I think the discussion of HIPAA security regulation in protecting ePHI is interesting and important, especially with the widespread implementation of EHRs and the advance in wireless connection. The HIPAA security guideline is surprisingly more thorough and detailed than I expected. The framework guides the healthcare organizations’ security program from the administrative level that focuses on risk analysis and management, the physical level that requires the organization to specify the strategies and policies in maintaining the physical hardware, to the technical level that guides organizations to protect patients’ privacy and confidentiality by data encryption and some authentication methods. To be honest, I have a hard time figuring out what we can do in the security program as an informatician. The only part I think we have a role in is in securing the exchange and storage of patients’ data. However, I do agree that as an informatician that will access and research on patients’ data, it’s important to keep in mind these regulations and the proposed security standards and specifications. I searched the current challenges and future development of healthcare information technology on Google Scholar and found an article about blockchain implementation in healthcare and medicine which I think is very interesting. It seems to me that blockchain is a relatively novel technology that is still in its embryonic stage in terms of its implementation in healthcare settings because of the complex nature of data and the cultures in healthcare.
Weipeng
I am happy to see so many available tools are used to protect medical informatics data. It is surprising that internet security is so complex, and we almost always take it for granted. For example, I am using UW's internet right now and I never thought my data would go through so many layers of protection before it is delivered to someplace. It is also interesting to see the number of efforts a health organization needs to make in order to make the data safe. I usually took it for granted as well and I am now happy to know that my clinical data is well protected.
I think using cloud computing as a measure for health care data security is interesting. Recently I heard the news that Amazon and Microsoft were competing for the cloud computing deal for the US Department of Defense. I did not realize cloud computing is safe. If it is safe for military purposes, it is certainly safe for medical records. It seemed to me that putting the clinical data to a company was just unsafe, especially when the company handles so many types of data; if they are not professional in HIPAA standard, will they be able to take good care of my data? But now I think I need to change my mind a little.
Dakota
The discovery of up-and-coming blockchain technology is comforting to see considering the sheer number of privacy issues that currently plague the medical system. However, I must say that I find myself unsure of what role informatics has to play in this discussion. In the past several years, we have seen a growing body of evidence to show that anymore, we don't really have any privacy left in our lives. All that is left of privacy in the age of information is the illusion of privacy. We now know that our smartphones are constantly listening to us, radios and TVs are constantly playing high-pitched noises that we can't hear to try and see what other personal devices are in the same room at the same time, and every one of your likes, interests, and comments is gathered into a growing profile that online advertisers can use for targeted marketing. Last year, Apple was under fire because it was discovered that when Siri hears the words "don't tell anyone this, but...", she begins recording all the sounds that follow. Amazon has also been found to be listening in on countless American homes via their Alexa devices - in fact, there's an issue currently being discussed by the UN because workers at Amazon who are listening in and collecting data on American households are unsure of what to do when they hear crimes being committed in the background. The argument is currently about whether it is a privacy violation to be spying on people or if it is, instead, a privacy violation to call the police after spying on people. Again, privacy is dead and all that is left of it is the illusion of privacy that media and data corporations attempt to maintain.
I believe this is all tied together with the privacy of data in healthcare because it is my feeling (and, I believe the common feeling of many people in my and younger generations) that privacy no longer exists. I firmly believe that anyone, at any time, could access deeper sects of the internet and gain access to information that is very private and personal to me. In fact, I don't believe that there is anything about me that could not be found by any other human on this planet that was looking for it, and thus, I have a hard time thinking about privacy concerns just within the healthcare system. I believe that if we want better privacy of patient data in the US, there will have to be massive upheavals in what is currently considered a "privacy violation" by electronic data collectors. Until then, the concept of patient privacy is meaningless to me because every aspect of my life has already been tabulated and accounted for by some other data company, so why not add my health information to that?