Electronic health record (ehr) system potential threats and measures taken to protect it

Since the early 1980s, informationtechnologyhave improved and revolutionized every aspect of our lives. We use information technology to do our daily chores like shopping and reading the latest global news at the comfort of our living room. It replaces old challenges with new possibilities. However, one of the areas that had evolved to this new demand in information technology but rather in a slow phase is the healthcare industry. Today’s healthcare includes hospitals and private clinics.

A lack of an effective management of data about a disease and the treatment for saving lives can be put at risk. In previous years medical information was stored only on paper and in one location, usually a patient’s primary care physician’s office or medical institute. People tend to migrate to a different area or country, thus making it difficult to transfer piles of paperwork and medical records to every point of medical institution which a patient is seeking treatment.

It is even more complex when most patients visit more than a single physician or an institution and the process of being treated by a different number of nurses, consulting specialists, diagnostictechnicians and administrative staff. Paper-based medical record systems are also adding the unnecessary expense to a medical institution. Registration clerks, nurses spend precious time away from patients attending to huge piles of paperwork. This adds up an enormous financial burden inclusive for the storage of the medical records and wages for the administrative support staff.

Miss-kept or missing medical records adds to the lost of precious time and can lead to unnecessary or duplicating of clinical tests. However, until recently, usage of information technology has increased and become prominent part of the healthcare industry. Many large hospitals and private hospitals have made the transition from old-school paper medical records to EHR, ElectronicHealthRecord System. Early stages of an EHR System were base on a simple side but have advance tremendously. Now EHR System is Web-based which are accessible across networks and utilizing GUI, Graphics User Interface for interactivity.

Web-based EHR are easy to use, have the capabilities to organize and link information, strong multimedia presentation capabilities, works on most hardware platform and operating system in the market; which communicate through the Internet and provide access to medical records using web browsers and web technologies. Jamie R. Steck(1998), Director of IT from the Central Utah Clinic stated that “ Efficiency has increased dramatically. We did an in-motion study in our records room, which showed that filing electronically is 80 percent more efficient than filing manually, and we’ve seen proof of that on a daily basis. Study shows that EHR is more efficient than the normal process of filing the paper-medical records. Health institution of many sizes faces many demands and challenges when making the transition from paper records to EHR. Healthcare institutions are working hard to reduce their reliance on handwritten records. EHR has improved patient care through greater and quicker access to patient information thus reducing medical errors due to paper-records. It also significantly reduces test result and patient wait-times with a faster and more efficient workflow.

It also reduces record-keeping time thus decreasing paperwork for administrative staff. EHR establish a better information and improved communications in a medical institution. It reduces the possibility of misplaced and lost records thus ensuring the patient record; test results are available when needed. It reduces cost on paper and supply. But just as much as its ancestor, EHR are subjected to privacy violations. Today, healthcares systems in developed countries are changing dramatically. These countries are looking into more inexpensivecommunicationmeans using the internet to achieve a more efficient and high quality EHR.

With the increase of health care system on information technology, we must also look into the increasing number of threats resulting from distribution and the implementations of the EHR System. Patients and doctors are aware of the security requirements base upon the system with the usage of communications over open and insecure network such as the internet. There are concerns over the privacy and security of electronic health information and they fall into two general categories: “ 1. concerns about inappropriate releases of information from individual organizations 2. oncerns about the systemic flows of information throughout the health care and related industries” – National Research Committee (1997, p. 54) The first category can result either from an authorized users who intentionally or unintentionally access or distributes information in violation of the institution policy or from hackers who break into a institution’s computer system. The second category refers to the open disclosure of patient health information to parties that may act against the interests of the patient or may also be alleged as invading a patient’s privacy.

EHR stored at medical institution are vulnerable to internal or external threats. Internal threats includes authorized system users or medical personnel who abuse and misuses their privileges by accessing information for inappropriate reasons such as viewing their friends, neighbors, colleagues or to leak information to the press for spite, revenge, or profit. External threats or unauthorized access, which is related to the open architecture of Internet, sometimes by vindictive former employees, angry patients, network intruders, hackers or others may steal information, damage systems, or disrupt operations.

Till today, there have been modest amounts of evidence to gauge the exposure of EHR to external attacks as there are still no tools for detecting attacks on EHR in the healthcare industry. In a case reported by Marbach, William D. (1983), so-called “ 414” group broke into a computer system at the National Cancer Institute in 1982, although no damages were reported. Study by the Federal Bureau of Investigation and the Computer Security Institute (CSI), CSI Director Patrice Rapalus(1996, p. 2) said, ” The information age has already arrived, but most organizations are woefully unprepared . . . making] it easier for perpetrators to steal, spy, or sabotage without being noticed and with little culpability if they are. ” Set of laws are being introduced for patient record privacy put strict demands on healthcare providers to protect patient information while using EHR while sharing the information with other patients. Six main factors are integrity, dependability, availability, confidentiality, authenticity andaccountability. Patient records involves very sensitive data, which should only be disclosed to authorize users, thus confidentiality of the required data is essential.

Integrity and availability of the services are also important. To accomplish the desire measure of information system security, a range of security policy models have been proposed and implemented in healthcare. One of the most widely use of security policy being adopted by medical institutions to protect patients information in a EHR System is the Role Based Access Control policy. Role Base Access Controls (RBAC) is the common policy being used in an ERH System. These include two basic types of access control mechanism that are used to protect data which are discretionary access control (DAC) and mandatory access controls (MAC).

DAC is very supple hence it is not suitable for protection of health records. MAC on the other hand is stricter, allowing ample space for flexibility and it requires all users handling the records to follow a set of rules administered by the system admin. RBAC in EHR System should have the advantages of both DAC and MAC. With the RBAC approach, EHR System should adopt the roles and the authorization management in its system. In RBAC, it identifies which staffs in a medical institution are authorized to view a patient medical record. It restricted the data from being abuse or falling to the wrong hands.

Each and every medical staff in a medical institution are assigned a specific role and operates the EHR System according to their role. Medical staffs are only allowed to view patients’ record that they are allowed to access. Not all data are being revealed to the every role. G. Pangalos(1998) states that: “ EHR System identifies the following roles in its system: 1. Patients. They have access to their own health institution, personal and demographic data. 2. Physicians. Main Users of EHR System. Make diagnosis, admissions and treatment. Act on behalf of patients. 3. Doctors.

Responsible for the laboratory tests and evaluation results. 4. Nurses. Responsible for providing daily care to patients. Don’t need to know any sensitive personal patient data. 5. Other Healthcare Professionals. Responsible to perform treatments for example psychiatric consultation. 6. Administration. Responsible for collection of the administrative, social, personal and non-personal demographic and insurance information about the patient. 7. Local authorities. Specifically Government bodies have access to health records for research or investigation purposes and any sensitive personal data will not be reveal. Department of Health and Human Services (1998), in the proposed rule for security and electronic standards, “.. each organization that uses communications or networks would be required to protect communications containing health information that are transmitted electronically over open networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient, and to protect their information systems from intruders trying to access systems through external communication points”. (vol 63, No 155)

As of the statement above given by the Department of Health and Human Services, all information that are sent over the internet must only be accessed by authorized receiver. Today’s technologies allow users to prove their authenticity and with data encryptions allow data to be transmitted safely over the medium. Data encryption should be at a satisfactory level of security to protect against intruders, thus data integrity have been compromised. User authentication must also be present with the encryption and data transmission process to ensure that the data sent are received by authorized receiver.

Other than data encryption, a good firewall should also be implemented on the database server to avoid external intruders from accessing unauthorized data. Although these policies and counter measures are being implemented, unauthorized data leakages do still prevails. Medical records of celebrities and famous people are sought after by the media around world. This is due to the interest of people andmoney. So patient plays a part in protecting their own medical records. They have to put their trust in the medical institution where their records are being kept.