pristineliving / Team-Peony-Primer

Primer for BIME 535

Health Data Confidentiality and Security #4

Open pristineliving opened 4 years ago

pristineliving commented 4 years ago

1. Introduction

Confidentiality, privacy, and security

Confidentiality is limiting access and disclosure on certain types of information to ensure personal information is secured. Privacy is the right of a person or group to decide on the availability of their data. Security is protecting personal information to reduce the harm from inappropriate or unauthorized access to data. Information security is especially important for enhancing confidentiality and maintaining the privacy of information providers. If measures of information security are not planned, implemented, and operated well enough, once the confidentiality which protects personal privacy is broken, the harmful impact can be disastrous. Take information security in a hospital as an example: if the security is not thorough, and patient-identifiable information is released unexpectedly, be it intentionally or unintentionally, by internal employees or outsiders, the confidentiality will be violated and patients’ privacy exposed. The damage may be irreversible and will lead to distrust from the patients toward the hospital.

Different threats in security

Some examples of potential threats to the information system include intrusion of a computer virus, a common threat faced by health care information systems; natural or environmental disasters such as fire, earthquake or flood in the data center; untested software or external storage; employee theft; and hackers who interfere with normal operations or steal and destroy clinical or administrative data. The range of threats to security can include intentional and unintentional acts and misuse of data. The sources of threats to security can be divided into (a) human threats, whether they have malicious intent or not, or whether they are intentional or unintentional; (b) natural and environmental threats such as floods or fire that destroy the physical system, or power outages that result in loss of data; (c) technology malfunctions including failures in hardware such as a drive, or software such as an operating system. The breakdown of information security may come from (a) internal employees, who are tempted to steal data for money, who are not well trained or unqualified, mentally unhealthy, or sheer carelessness, installing and using unauthorized software, or using computing facilities for illegal communications or personal profit; (b) external persons. It is easy to think about computer hackers when talking about threats from the outside, but it could also be pranksters who happen to get access to the data. There can also be cases involving both internal and external persons, usually due to a human error on the internal side that leads to a chance for external intruders.

2. Healthcare Information Security Issues and Organization-wide Confidentiality

Patient information provides precious resources for researchers and healthcare decision-makers. The implementation of electronic health records allows healthcare stakeholders to conduct population-level epidemiology research, reveal more risk factors than randomized controlled trials at less cost, and integrate health data from different data providers for large-scale analyses. However, patient data breaches have happened quite often since the development and collaboration of EHR. In 2000, some e-mails went astray, causing a breach of confidentiality and integrity of personally identified health information containing appointment details, answers to patients’ questions, and medical advice for over 800 Kaiser Permanente (KP) members through KP Online, a web-enabled e-Health care portal (Brubaker, 2000). In February 2008, the Irish Blood Transfusion Board (IBTS) experienced a theft, after a mugging in New York, of a laptop that contained the data on over 170 000 Irish people who had used the services of the Irish Blood Transfusion Board between July and October of 2007 (Ryan et al., 2008). It was also known that CVS and Giant Food, chain drug stores in the US, made patient prescription records available for use by a direct mail and pharmaceutical company, and the interest in secondary usage of the patient information drove the aforementioned users to seek financial benefit from selling access to third parties (Lo and Alpers, 2000). The breaches due to accidental privacy error, ethically questionable conduct, and illegal actions need to be solved to prevent harm to patients’ benefits and rights.

2.1 Challenges of Health Information System (HIS) and Derived Principles to Follow

Health information technology (HIT) practitioners work on maintaining the confidentiality of patient information, monitoring and defending against information theft and data integration, and prevention of data loss. After incorporating electronic data storage and cloud services, the HIT agents mainly have to deal with the problems of improper or illegal data access, user authorization, and data maintenance. Therefore, the challenges of HIS and HIT fall into the following categories:

  1. Ownership of information: the creators who generate patient data could be either healthcare practitioners or patients themselves for patient-centric data. Therefore, patients may manage their data, and yet the data management at the hospitals’ end may require a trusted third party with proper authorization from patients and clinicians (Zhang, 2010).
  2. Authentication and authorization: both data providers and legal users should be able to access patient data if needed, with verification of personal identity and authorization level by authentication toolkits at a high security level.
  3. Non-repudiation: the stakeholders should sign and encrypt every transaction for data exchange, data utilization, or data input, and should not be able to deny their actions once finished.
  4. Patient consent and authorization: patients should know the purpose and risks of data usage through well-described consent forms. They reserve the right to grant access to their profile and to allow or deny sharing of their information.
  5. Integrity and confidentiality of data: based on the interpretation by ISO-17799, the HIS designer and users should ensure that information is accessible only to those authorized to have access. Data should be maintained with accuracy and consistency and with no unauthorized use.
  6. Availability and utility: the EHR system should be available and resistant to accidents like power outages, hardware breakdown, and system updates, to prevent denial-of-service attacks and data loss.

Based on the challenges above, the Agrawal group drafted 10 principles of HIS management accordingly in 2002 (Agrawal, 2002).

  1. The purpose for which an individual’s e-Healthcare information has been collected shall be associated with that information (purpose specification).
  2. The purposes associated with personal e-Healthcare information shall have the consent of the donor of the information (consent).
  3. The e-Healthcare information collected shall be limited to the minimum necessary for accomplishing the specified purpose (limited collection).
  4. The e-Healthcare information shall be subjected to only those queries that are consistent with the purpose for which the information has been collected (limited use).
  5. The e-Healthcare information shall not be communicated outside the database for purposes other than those for which there is consent from the donor/owner of the information (limited disclosure).
  6. The e-Healthcare information shall be retained only as long as necessary for the fulfillment of the purpose for which it has been collected (limited retention).
  7. The e-Healthcare information about an individual shall be accurate and up-to-date (accuracy).
  8. Personal e-Healthcare information shall be protected by security safeguards against theft and other forms of appropriation (safety).
  9. An individual or a patient shall be able to access all e-Healthcare information about himself or herself (openness).
  10. The donor/owner of e-Healthcare information shall be able to verify compliance with these principles. Similarly, an e-Healthcare information system shall be able to address a challenge concerning compliance.

Later, the International Information Security Foundation specified the patients’ rights and standardized 9 rules for HIS security:

  - Accountability principle: information is not disclosed to unauthorized persons or processes.
  - Awareness principle: owners, providers, and users of information systems should easily be able to gain knowledge of and information about the existence and extent of security measures, practices and procedures.
  - Ethics principle: the security of information should be provided in such a way that respects the rights and legitimate interests of others.
  - Multi-disciplinary principle: security measures, practices, and procedures should consider and address all issues and viewpoints, including technical, administrative, organizational, operational, commercial, educational and legal aspects.
  - Proportionality principle: the overall investment and resource allocation to security should be proportionate and appropriate to the value of and degree of reliance on the IT system and to the severity, probability, and extent of potential harm envisaged.
  - Integration principle: security measures should be coordinated and integrated with each other as well as with other organizational measures in other areas so as to create a coherent security system.
  - Timeliness principle: all parties at all levels should act in a timely manner in preventing and responding to security breaches.
  - Re-assessment principle: security risk assessments should be carried out periodically, as security requirements vary with time.
  - Equity principle: the security of IT systems should be compatible with the legal use and flow of data and information in a democracy.

2.2 Experience and Lessons for Health Information System Management (on Veterans Health Administration)

The Veterans Health Administration at the Department of Veterans Affairs (VA) has a long history of efforts to bring computer-based information systems to help in healthcare, as an excellent participant in the Federal High-Performance Computing and Communications (HPCC) initiative. It has also proved to be a perfect testbed for applying many of the new technologies in healthcare settings from coast to coast (Belles, 1997). They have demonstrated successfully established HIS security, with inspiring insights for designers. The primary artifacts the VA applied for data security were technical, administrative, and physical security controls and safeguards.

One category of the common threats brought up by the automated system was insider attacks, such as human errors leading to lower data integrity, accidents leading to facility damage, and omissions resulting in data errors. Accordingly, the VA proposed a plan which emphasized making implementable and enforceable policies, educational training for system users, regular reviews and monitoring of data access, and a feasible contingency plan for system maintenance after accidents. Those pioneering suggestions were consistent with the aforementioned principles proposed in the 21st century.

VA designed its security program to be a separate and yet parallel component of the VA automated HIS. Through an interagency agreement with the General Services Administration (GSA) and a follow-on contract with a private vendor, the VBA has developed a comprehensive policy, a security architecture for the modernized environment, and a computer-based security awareness training program for all field facilities (Department of Veterans Affairs, 1996). The designer pointed out that the data management needed to be knowledgeable enough to deeply consider the controls and practices to counter the risks of data security whenever external resources were retrieving or exchanging information. Meanwhile, federal laws and regulations guide the design and usage of HIS security when governmental agencies are also a provider or user of the HIS data.

The VA also implemented a bunch of technical controls for HIS security. They used a decentralized hospital computer program (DHCP) called Kernel to protect the data within its system by restricting sign-on and access to the authorized users within the DHCP program and restricting the designated users to the tasks relevant to their jobs (Department of Veterans Affairs, 1995). Kernel also used two-step authentication to verify the identity of users and locked accounts with too many failed log-in attempts, while auditing the history of user behaviors. Audit trails were used to track the users’ activities and were logged securely. Package integrity tools were implemented to make sure that the program code would not be exposed to anyone under an accident or destructive damage. Early “precursors” of electronic signatures with a personal computer code and DHCP code were required to make hard-copy paper medical records. File access security and operating system utilities with encryption implementations worked together to control user access and authentication to the files and system. The managers were also required to perform journaling and testing periodically and to regularly back up the system. On the other hand, the VA established approval of Internet access, firewall monitoring, virus suite protection, and local area network (LAN) distributed security control to ensure that patient data was under protection when the users had to use the Internet.

In addition to the aforementioned technical controls and structural controls, the VA also implemented administrative controls. They proposed organization-wide policies to strategize for managing resources, define responsibilities, address consequences, and suggest guidelines at the workspace. They also established a standardized contingency plan and its regular testing to assess threats and estimate the feasibility of relevant countermeasures so that the organization’s essential departments can still function under the worst-case scenario. This contingency plan worked closely with the VA’s risk management and mitigation strategies to prevent or lower the probability of threats in real cases. Meanwhile, the VA also demonstrated experience in implementing training and awareness programs, user account management, program compliance assessments, computer security specification in acquisitions, and computer security incident handling.

The VA demonstrated a feasible and effective infrastructure back in the late 1990s. Since then, a lot of hospitals have adopted their pioneering architecture and developed more advanced techniques for data security toolkits according to actual needs and challenges, especially after the incorporation of EHR.

2.3 Evaluation of Health System Security

It is critical to test how vulnerable the HIS of interest is to the potential threats and risks, and what might be the blind corners of HIS design for possible attacks. The Herrman research group indicated that a HIS should be evaluated in three dimensions: compliance, resilience, and return on investment (ROI) (Herrman, 2007). The metrics should be designed to quantitatively assess the HIS performance against security and privacy standards and laws (compliance), its ability to prevent, resist, and recover with aid from all kinds of controls we mentioned in Section 2.2 (resilience), and the ROI in the aforementioned controls to guide IT capital investment (ROI).

3. Emerging Threats

Some of the biggest challenges in biomedical and health informatics arise from placing computer applications and electronic systems in health care settings. In the face of these advances and new adoptions, healthcare professions continue to strive to uphold traditional healthcare principles and values. Thus, a balance must be struck between two competing pillars: free access to information, and the protection of patients' privacy and confidentiality.

Health information should be readily available to health professionals and administration involved in the care delivery system. Unfortunately, the reality is that with novel electronic systems, information availability opens up equally new opportunities for inappropriate access. A balance must be struck between these goals, which are not inherently incompatible but do present important trade-offs. Patient confidentiality must be protected by restricting computer system use. At the same time, care must also be improved by assuring the integrity and availability of healthcare data.

At this point, much of the information in today's healthcare organizations is created and transmitted electronically. We've seen a wider spread of EHR adoption, more so than ever before, and with it, even larger quantities of data and information are created and transmitted through these electronic channels. Still, the privacy of patients and the security of information remain the most imperative barrier to entry for organizations facing EHR adoption (Kruse et al. 2017).

Security in a now-wireless environment is facilitating a paradigm shift and changing the way healthcare systems operate. 'Wireless Technology' covers a wide range of capabilities. Most privacy and security concerns revolve around Wireless LAN (WLAN) devices – including client devices (laptops, smartphones, tablets) and access points (APs). APs are points of connection between the client devices and an organization's network infrastructure. In addition to the individual challenges posed to these devices, Bluetooth technologies and the increased adoption of handheld personal devices present new and challenging opportunities for security breaches.

Technology offers flexibility and new capabilities to healthcare providers and the individuals that support them, but the concerns about the level of security it offers in the healthcare environment are increasingly pressing. There has been generally very little activity towards policy development in the face of emerging, significant privacy issues – most of which are raised by this shift from the paper-based system to one that's integrated and electronic. The largest looming security threats now are hackers, viruses, worms, and accidental loss or theft of sensitive clinical data (Fernández-Alemán et al. 2013).

As some response to threats and cases of data loss, a series of standards has been released to address the inherent challenges of wireless networks and devices – mostly to maintain security as it pertains to system configuration and system monitoring. These guidelines include:

Of course, this does not address the other half of a wider electronic system, which is the increased ease at which personnel may work from home or remotely. This remote access presents additional and unique security issues, many of which have already been experienced first-hand through loss or theft of electronically protected health information (ePHI). As identified by HIPAA, these can include, but are not limited to:

Fernández-Alemán et al. (2013) conducted a systematic literature review of EHR security systems and identified five key areas still in need of address:

  1. Compliance – 11 different standards and regulations for privacy and security were identified. Harmonization is needed to resolve inconsistencies and conflicts among these standards.
  2. Information systems acquisition, development, and maintenance – while there are a plethora of algorithms proposed in the literature, encryption schemes must be efficient, easy to use by both patients and healthcare professionals, easily extensible to include new EHR records, and with a reduced number of keys held by each party.
  3. Access control – there appears to be a standard preferred access control model in EHR systems, with most digital signature schemes based on logins or passwords.
  4. Communications and operations management – audits were found to be particularly useful in identifying suspicious accession and common access practice.
  5. Human resources security – sufficient health staff training proved uncommon, and thus there is a need for the development of educational programs addressing these issues of privacy and security for both healthcare professionals and larger organizations.

4. References

Fernández-Alemán, J. L., Señor, I. C., Lozoya, P. ángel O., & Toval, A. (2013, June 1). Security and privacy in electronic health records: A systematic literature review. Journal of Biomedical Informatics, Vol. 46, pp. 541–562. https://doi.org/10.1016/j.jbi.2012.12.003

Kruse, C. S., Frederick, B., Jacobson, T., & Monticone, D. K. (2017, January 1). Cybersecurity in healthcare: A systematic review of modern threats and trends. Technology and Health Care, Vol. 25, pp. 1–10. https://doi.org/10.3233/THC-161263

Kruse, C. S., Smith, B., Vanderlinden, H., & Nealand, A. (2017). Security Techniques for the Electronic Health Records. Journal of Medical Systems, 41(8). https://doi.org/10.1007/s10916-017-0778-4

Prater, V. S. (2014, December 8). Confidentiality, privacy and security of health information: Balancing interests. Retrieved from https://healthinformatics.uic.edu/blog/confidentiality-privacy-and-security-of-health-information-balancing-interests/

Shortliffe, E. H., & Cimino, J. J. (2014). Biomedical informatics: Computer applications in health care and biomedicine. London: Springer.

Wager, K.A., Lee, F.W. & Glaser, J.P. (2013). Health Care Information Systems : A Practical Approach for Health Care Management. Wiley.
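As an added example (not code from the primer, from the VA's DHCP Kernel, or from any of the cited works), the Python below sketches the sign-on controls described in Section 2.2 and the audit review that Section 3 reports as useful: a registered-user check, lockout after repeated failed log-in attempts, an audit trail that records every sign-on decision, and a review pass over that trail that flags accounts with clusters of failures. The threshold of three attempts, the 15-minute lockout, the user names, the timestamps and the source address are all assumed values constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LOCKOUT_THRESHOLD = 3                       # assumed policy: failed attempts before lockout
LOCKOUT_DURATION = timedelta(minutes=15)    # assumed policy: lockout period
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: a copied account table does not reveal passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class SignOnGuard:
    """Restricts sign-on to registered users, locks an account after repeated
    failures and records every decision in an append-only audit trail."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[str] = []

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, _hash_password(password, salt))

    def _log(self, ts: datetime, event: str, user: str, source: str) -> None:
        # One line per decision; the password itself never reaches the trail
        self.audit.append(f"{ts.isoformat()} {event} user={user} src={source}")

    def sign_on(self, username: str, password: str, source: str, now: datetime) -> str:
        """Return 'ok', 'fail' or 'locked'. Unknown user and wrong password both
        give 'fail', so the response does not reveal which accounts exist."""
        acct = self.accounts.get(username)
        if acct is None:
            self._log(now, "SIGNON_FAIL", username, source)
            return "fail"
        if acct.locked_until is not None:
            if now < acct.locked_until:
                self._log(now, "SIGNON_LOCKED", username, source)
                return "locked"
            acct.locked_until = None            # lockout period has expired
            acct.failed_attempts = 0
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            self._log(now, "SIGNON_OK", username, source)
            return "ok"
        acct.failed_attempts += 1
        self._log(now, "SIGNON_FAIL", username, source)
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_DURATION
            self._log(now, "ACCOUNT_LOCKED", username, source)
        return "fail"


def suspicious_users(audit_lines: List[str], threshold: int = 3,
                     window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Audit review: users with at least `threshold` SIGNON_FAIL events inside
    any `window`, mapped to the largest such count found."""
    fails: Dict[str, List[datetime]] = {}
    for line in audit_lines:
        ts, event, user_field, _src = line.split(" ", 3)
        if event == "SIGNON_FAIL":
            fails.setdefault(user_field[len("user="):], []).append(datetime.fromisoformat(ts))
    flagged: Dict[str, int] = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged


def run_scenario() -> Dict[str, object]:
    """Constructed scenario (not real data): an unknown user, three wrong
    passwords for drsmith, the right one during lockout, then after it expires."""
    t0 = datetime(2020, 5, 4, 9, 0, 0)
    guard = SignOnGuard()
    guard.register("drsmith", "correct horse battery")
    src = "10.0.0.7"
    results = [guard.sign_on("nobody", "x", src, t0)]
    results += [guard.sign_on("drsmith", f"guess{i}", src, t0 + timedelta(minutes=i)) for i in range(3)]
    results.append(guard.sign_on("drsmith", "correct horse battery", src, t0 + timedelta(minutes=3)))
    results.append(guard.sign_on("drsmith", "correct horse battery", src, t0 + timedelta(minutes=20)))
    return {"results": results, "audit": list(guard.audit), "flagged": suspicious_users(guard.audit)}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Running the scenario shows the two sides of the control: the third wrong password locks the account, the correct password is refused while the lockout is in force and accepted once it expires, and the review pass over the audit trail reports `drsmith` with three failures inside the window while the single failure for the unknown user stays below the threshold.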

amenschik commented 4 years ago

Reflection by Abby

The current challenges to security and privacy in healthcare strike me as unsurprising and non-unique to the field or industry. I understand that health data is among, if not the most, sensitive types of data one can collect and host, but I found it increasingly frustrating to read about the threats to health data as if these are unique challenges that no other industry has tackled. Banks, private equity, and consultancy firms all handle highly sensitive data – and while likely none of it is protected health information, all of it requires high levels of security and protective infrastructure to prevent loss, theft, or contamination/corruption. I appreciated that this was somewhat acknowledged in the Kruse et al. (2017) paper that discussed cybersecurity, when discussing the fact that healthcare is very much falling behind on data protection.

I would have liked to see more discussion of the way some other industries that handle sensitive data, perhaps with the acknowledgment that some of these methods biomedical and health informatics can learn from. A paper I read and included in the primer from last week (Wu, Davis and Bell, 2012) discussed decision making and decision support systems within the context of other industries, comparing clinical decisions to those made by military commanders and business managers, and I thought it was a novel and interesting way to approach the challenge. I've found that health informatics can be very insular; papers and textbooks tend to think of the issues they face as unique to healthcare or only solvable by unique healthcare interventions, and in many cases that isn't the case. This is especially apparent with privacy and security, where many industries put emphasis on the emerging threats we've discussed here.

pristineliving commented 4 years ago

Reflection by Mu

Electronic storage of health information provides users with great convenience, but at the same time, leaves the original health information providers, such as hospital information systems, vulnerable to cybercrime. Computer systems are exposed to attacks from intentional and unintentional persons, both internal and external, which causes chaos and even irreversible loss and damage. Extremely sensitive personal and health data are always at risk of being modified or stolen. These threats, if not well faced and constantly controlled, will hinder further exchange and potentially lead to a breakdown of health information availability.

pristineliving commented 4 years ago

Reflection by Tianran

It was surprising to me that the clinician-centric and patient-centric approaches had very different risk management perspectives. Yet it makes sense, since different stakeholders would have different task-oriented threats from internal handling and external attacks. Designers should interview the system users when they are designing a HIS so that they could investigate the potential security defects in systematic features, workflow, and user interface, and thus comprehend the risks with more depth. On the other hand, I am curious about the current challenges of patient-generated EHR data, for instance, incorporating the data from wearable devices and smartphones into the hospital EHR system. Introducing more parties may enrich the data types while introducing a higher risk of a data breach and yet lower data quality. I think we may first think of who the data providers and users are, how they input data, and what risks they may encounter. Then we could strategize for data confidentiality artifacts accordingly.

Another thought is that we always have to face the trade-off between data storage & data sharing and data security. Adding one stakeholder adds complexity for confidentiality protection, and yet promotes more data integration and collaboration with better quality control and a larger sample size. Yet I think data security is worth the top priority among all healthcare data management elements. Without confidentiality, it is hard to achieve the minimal goal of "do no harm". And the cost could be undetectable and catastrophic. Suppose patients grant rights for research and yet their information becomes buyable on the market without their consciousness. Their insurance companies and employers may get individual-level information and make discriminative policies accordingly, preventing them from proper medical coverage or recruitment. It is like a scary movie clue.