2. Information system security and privacy: A Background
The emergence of Information Systems raises information security issues.
Rand Report R-609: The first published document by DARPA to widen the scope of Information Security.
NSTISSI No 4011: A widely accepted evaluation standard for security of IS
4. Why is information security and privacy a contemporary issue?
Due to the increase of threats to the characteristics of information, to name a few:
Fraud
Hoaxes
Identity Theft
System Hacking
Disclosure
Privacy breach
5. Information security and privacy in EMR systems
Domain of research: Healthcare IS
Scope: Information security and privacy of EMR systems
What is Healthcare IS?
What is EMR?
6. Ssshhh...don’t tell
Why is security and privacy of medical data important?
- Simple: would you like your friends to find out that you’re seeing a therapist regularly because you are unable to manage stress?
7. Literature Review
Authors and their respective findings:
Raghupathi: General Health IS
Bates et al: EMR in Primary Care
Rindfleisch: Privacy and information security of healthcare systems
Barrows and Clayton: Examines privacy concerns
Rind et al: Proposal to identify patients electronically
Buckovich: Forwards a set of draft principles of information security
8. Important issues in the literature identified contd.
A shift from paper record systems to electronic record systems
The integration of information due to medical information systems, examples:
W3EMRS
EMR systems in primary care
10. Important issues in the literature identified contd.
Measures to protect information security and privacy
Future Recommendations
11. Key findings and their future recommendations
Successful migration to EMR systems and an increase in the number of end-users is anticipated
EMR and information security can be deployed in the Aged Care industry.
The potential of EMR is being held up due to information security issues
12. Key findings and their future recommendations
Responsibility to maintain information security and privacy is not just upon EMR systems
13. References
Barrows, RC, & Clayton, PD, 1996, ‘Privacy, confidentiality, and electronic medical records’, Journal of the American Medical Informatics Association, vol. 3, no. 2, pp. 139-148, viewed 15 September 2011, Jamia, DOI: 10.1136/jamia.1996.96236282
Buckovich, SA, Rippen, HE, & Rozen, MJ, 1999, ‘Driving toward guiding principles: A goal for privacy, confidentiality, and security of health information’, Journal of the American Medical Informatics Association, vol. 6, no. 2, pp. 122-133, viewed 14 September 2011, Jamia, DOI: 10.1136/jamia.1999.0060122
Bates, DW, Ebell, M, Gotlieb, E, Zapp, J, & Mullins, HC, 2003, ‘A proposal for electronic medical records in U.S. primary care’, Journal of the American Medical Informatics Association, vol. 10, no. 1, pp. 1-10, viewed 15 September 2011, Jamia, DOI: 10.1197/jamia.M1097
Raghupathi, W, 1997, ‘Health care information systems’, Communications of the ACM, vol. 40, no. 8, pp. 80-82, viewed 22 August 2011, ACM Digital Library, DOI: 10.1145/257874.257894
Rind, DM, Kohane, IS, & Szolovits, P, 1997, ‘Maintaining the confidentiality of medical records shared over the Internet and the World Wide Web’, Annals of Internal Medicine, vol. 127, no. 2, pp. 138-141, viewed 13 September 2011, Jamia, http://www.annals.org/content/127/2/138.short
Rindfleisch, T, 1997, ‘Privacy, information technology, and health care’, Communications of the ACM, vol. 40, no. 8, pp. 92-100, viewed 16 August 2011, ACM Digital Library, DOI: 10.1145/257874.257896
And more
Hi everyone, my topic is information security and privacy and today I will present security and privacy issues in terms of medical information systems.
First of all, let us take a quick run through the history of information security. When computers first took over, the dimensions of computer security were limited to the physical environment. This meant our usual lock and key protection, having security guards to monitor top-secret locations, so that unauthorised people do not gain access to sensitive documents. With the advancement of computer systems and the quick spread of computer networks, data storage, transmission and transformation have become easier. A team from the US Defense Advanced Research Projects Agency, the founders of the Internet, prepared a document called Rand Report R-609. Concerns about information security were first published in 1967 in this document. It pointed out a number of issues which widened the scope of computer security from physical protection of hardware and computer locations to data security. Suddenly, protecting information stored in computer storage became vital. The document proposed to limit access to that data and also suggested that management and policies should be employed to maintain information security. The Committee on National Security Systems (CNSS) developed NSTISSI No 4011, which became widely accepted as a standard evaluation for the security of Information Systems. It defines information security as the protection of information and its characteristics, including the hardware that uses, stores and transmits it.
This slide points out seven main characteristics of information which need to be preserved to ensure that information is of high quality. Loss of or imbalance in any of these characteristics immediately compromises information quality, and so security measures are required to ensure these characteristics are maintained.
Looking around, industries such as banking and tourism are all taking advantage of information systems because they facilitate their business functions. However, if you keep an eye on the news, you will come across stories of major security breaches such as identity theft, system hacking, unwanted information disclosure and acts of privacy breach, especially in the case of celebrities. Information security and privacy are vital for any information system because such systems contain information that is sensitive to an individual, community or organisation. Therefore, information security and privacy is truly a wide topic to research.
So, I decided to focus on the security and privacy issues of medical information systems, not just because of my personal interest in healthcare information systems but also because it is a contemporary issue. Health IS is a current hot topic because, despite tremendous technological advancement, I found that the medical industry is not as technologically advanced as other industries. Before we begin, let me briefly define healthcare systems for you. Healthcare IS, as the name suggests, is the set of computer systems which supports the medical industry. While there are numerous applications of healthcare systems, the core application is an EMR (Electronic Medical Records) system. Details of EMR will be discussed as we proceed. I conducted this research to find out the importance of maintaining security and privacy while implementing and maintaining EMR systems.
I found numerous articles related to the topic; however, articles by the authors mentioned above helped me to understand proposed theories and issues that address the basis of information security in healthcare systems. In his article, Raghupathi discusses various facets of healthcare information systems. Bates et al. emphasise that primary care providers must implement EMR and that government should support the investment. Rindfleisch discusses privacy and information security issues of healthcare systems. Barrows and Clayton compare paper-based systems and EMR and examine whether loss of privacy is a genuine concern. They also point out technological and management measures to protect information security. Rind et al. make a proposal which would make it possible to electronically identify patients and their records under secured conditions. Buckovich provides a comparative analysis of the information security principles to guide in developing a uniform set of principles.
Based on my study of the articles, here are some issues I thought were important for this research.
A shift from paper record systems to electronic record systems
Paper-based record systems were initially a hit, and by initially I mean the time when the use of computer systems and networks had not spread. For medical uses, electronic record systems meant medical practitioners were able to access information simultaneously, anytime and anywhere; medical information was required to be in a standard format so that physicians could integrate information and also use decision support tools to provide better quality medical care.
Therefore the shift to EMR became inevitable. Furthermore, the shift became a national issue and required government support.
The integration of information due to medical information systems
The benefits of EMR outweigh those of paper-based systems, even though EMR faced obstacles in terms of cost, security issues and resistance from end-users. The W3EMRS, the World Wide Web Electronic Medical Record System, was developed by the Boston Electronic Medical Record Collaboration. Here the Web would be a mode of transmission to share patient records so that emergency departments in participating hospitals can provide immediate, effective treatment.
Another example of integrated use of medical information is at the primary care providers. Integrated, accessible healthcare information is vital to provide high quality healthcare, and so primary care providers are encouraged to adopt EMR because they are the first point of contact for patients and have the benefit of gathering detailed healthcare information which can be used to provide appropriate treatment.
On one hand, integration allows accessibility and hence better quality care; on the other hand, it increases the threat to information security of medical records. Patients have a kind of belief in their medical care providers that their sensitive information will be safe in their hands. Perhaps this is due to the Hippocratic Oath, which reinforces the ethics of professionals maintaining individual privacy. Confidentiality is important to patients because disclosure can harm them in many ways, such as social embarrassment, prejudice, reduced insurability or even failure to get a job. I will now relate a recent incident regarding breach of privacy.
A recent event has shaken public confidence that EMR systems maintain the privacy and security of medical records. For nearly a year, a spreadsheet including names, diagnosis codes, account numbers, and admission and discharge dates of 20,000 emergency room patients of Stanford Hospital and Clinics appeared on a commercial website. The breach was discovered by a patient. Although the website immediately took it down and an investigation began, naturally, patients were enraged. When patients face such breaches of their privacy, they may even avoid needed healthcare.
Now that we know how lack of information security can affect us, here are some major security measures identified by the authors to protect information security.
Technological measures to authenticate and monitor internal users
Management measures to ensure policies, procedures and guidelines are strongly followed.
Legislation and statutes need to be developed so that the public can have confidence that their sensitive information is treated as a national issue.
The literature review revealed that research scholars pointed out the benefits of implementing EMR; likewise, governments worldwide and medical institutions have taken the initiative to shift towards adopting technology. In Australia, most medical centres employ EMR. I found out from Dr. Govindasamy, who witnessed this migration, that at first medical centres were not confident enough in transmitting patient information over the Web, and someone would physically have to move hard drives back and forth from the main servers located in a geographically different position. But now, they are updated every night online, which shows the development of online security measures nationwide. Mr. Hafiz, a care worker, informed me of the lack of technology and information security deployed in the aged care industry to manage client records and pointed out that it is important to consider maintaining senior citizens’ records electronically in a secured manner.
Now that the shift from paper-based record systems to EMR is nearly over, consumers are demanding online medical services, which is uncovering more potential for EMR. However, it seems that technological advances in the medical industry are being held up due to the threat of information disclosure, which may incur drastic results in the medical industry. Although information sharing and accessibility have numerous benefits, they also trigger threats to the confidentiality, privacy and security of medical information. So, it was definitely worth trying to figure out just how important information security is to EMR systems.
Surveys show an increase in demand for online medical services; however, due to security breaches as in the case of Stanford, experts are focused on developing information security rather than improving medical services. Another survey indicates that security breaches occur due to employee negligence.
Looking into the future, I understand that maintaining information security is not just the responsibility of EMR systems and recommend that the management of medical and secondary organisations should reinforce policies and procedures to preserve the privacy of medical records stored in their systems.