The gathering and exchange of personal data electronically has significant general population health advantages but it threatens the level of privacy of individuals; personal privacy breaches lead to discrimination of an individual in employment, insurance, and federal government programs. People worried about privateness may avoid specialized medical or general public health testing, treatments, or research due to a scar of personal privacy invasions. (Gostin LO, 2001)
Risk of Electronic Security Threats to EHR/HIS is a critical issue because according to the personal privacy and security guideline of MEDICAL Insurance Portability and Accountability Take action (HIPAA) the patient's medical data are to be guaranteed and private that can be accessible only the hospital specialists and the doctors in charge of the individual and the individual himself.
The forms of electronic data improves the performance of general population health functions, but threaten level of privacy as they could be duplicated and transmitted quickly to unauthorized people.
A specific hazard is the risk of storing and transmitting the electric health record over web sites, network, computers or servers.
A consequence of this threat is the increased loss of sensitive and private patient personal and medical data or the disclosure of same. Counter-measures to reduce or minimize this risk include precautionary anatomist and educating the staff. The CPSI system is susceptible to this risk. For example, when a treatment provider does/requests major surgery, an individual medical history is necessary to be able to complete the surgery effectively. If the medical history is unavailable due loss of data the surgery may not be successful scheduled to major areas of concern and precaution being neglected credited to lacking of the annals report. Hence the individual data being stored must be safe and secure for the medical institution to run efficiently.
The launch of it into the professional medical environment holds the promise of reduced the physical and newspaper work to be achieved by a healthcare facility staff and advanced information management. However, with this guarantee comes the risk of security risk to the digital health record.
The threat of electronic security threat is thought as duplication and transmitting of the individual digital health record to and by unauthorized users who may misuse the data for illegal purpose. This threat includes illegally accessing the patient data by the unauthorized users who misuse the info or damage the data, or may duplicate the data in order to either injury the fame of the medical establishment or the doctors or the patients.
The reason for this newspaper is to describe the specific threat posed due electric storage space and transmitting of the info over websites, computers and machines.
The consequences of this storage and transmission of data electronically for an individual medical record can range from normal to severe. The following section describes the consequences of safe-keeping and transmitting of data electronically for an EHR
Risk of Electronic Security Threats to EHR/HIS is a critical issue because according to the privateness and security rule of The Health Insurance Portability and Accountability Act (HIPAA) the patient's medical files are to be guaranteed and private which may be accessible only a healthcare facility authorities and the doctors in charge of the individual and the patient himself.
The level of privacy and security guideline of HIPAA states that health information identified individually is the information created and received by physician that is relative to health of an individual, including information regarding the demographics of the individual and, that which may be used to recognize a person. (Miller JD, 2010)
HIPAA poses severe penalties to the people and institutions which fail to abide by the security and personal privacy rule. The fines change from cash penalties to imprisonment. Hence it is necessary that the medical companies that practice HER system take care that the medical information are secure and private and not accessible to unauthorized users. (Gostin LO, 2001)
The data files or server rooms pose a risk to the EHR as the access secrets to the server rooms and the data file can be copied. The employees even after termination from the careers can retain the secrets to the documents and the server rooms. Combination of the locks may well not be distributed or might not be changed normally. This brings about the individual medical data being disclosed, lost or manipulated. (Myers J, 2008)
This patient data if lost can lead to situations where the doctors don't have the patient's health background necessary for the procedure which might lead to situations where the doctors may perform major surgeries without knowing the patients historical conditions and which might lead to severe problems for the individual and could even cause loss of life.
For example if a patient having diabetes trips a clinic for a significant surgery. This patient has previously been to the hospital several times before which is likely to have his health background properly stored in the records maintained by a healthcare facility. In case the patient's medical records are lost the doctors may feel that the patients does not have any past background of major diseases and could execute the surgery with no a notion of the patient's condition where in fact the patient may bleed to death during or after surgery scheduled to non-clotting of the bloodstream as the diabetes patients are having issues of blood vessels not clotting quickly because of this of lack of the required platelets which are the main composition of the blood necessary for clotting.
The patient data may be disclosed over the tables or work stations. Patient information that is sensitive may be remaining on a table or in an unlocked drawer or cabinet or may be left over the screen which may be over seen by the passer by and become disclosed. (Myers J, 2008)
The patient data may be disclosed due to the use or misuse of printing press such as printers where the hard copies of the studies are still left on the printers before retrieving the studies or the reviews are sent to wrong printers or the printed reports are improperly discarded. (Myers J, 2008)
The patient data may be disclosed due to the use fax services where in fact the reviews are mistakenly send to unintended telephone numbers or recipients or the studies do not support the necessary confidentiality affirmation. (Myers J, 2008)
The patient data may be disclosed due to the use cellular devices such as the blackberries and other PDA's and the utilization of USB adobe flash drives which are being used to store the patient data. The unit may be lost or stolen or might not be password covered which if seen by unauthorized users; the unauthorized users may misuse the individual data. (Myers J, 2008)
The patient data may be disclosed due to lost or stolen desktop pcs or laptops and that are not password secured and the data on the hard drive is not erased before discarding or reassigning the computer to another staff. (Myers J, 2008)
The patient data may be disclosed because of the storage area of the delicate information on distributed network drives to which other users on the network are not supposed to possess the access. (Myers J, 2008)
The patient data may be disclosed due to the servers including the sensitive databases with all the current patient data which might be inappropriately reached by users that aren't authorized to gain access to the databases. These unauthorized users might use e-mail, portable mass media or some applications to transfer the sensitive information from the machines. (Myers J, 2008)
The disclosure of information may be either intentional or unintentional. Whether it is intentional or unintentional both of these cause a whole lot of damage to a healthcare facility and the individual.
For example in countries like India where gender test on fetus can be an illegal offense if the sonography reports are left over the computer screen and seen by the comparative of the patients, the relatives may force the individual for an abortion if indeed they find out that the infant is a female. This causes feticide which really is a criminal offense that has severe fines for all the people related to this act. A healthcare facility as well as the patients' relatives may be incurred a unlawful suit for feticide and gender screening. All of this will lead to defamation of a healthcare facility and staff even though it had not been done intentionally.
For example if the hospital directories on the server is utilized by an unauthorized user and he retrieves the set of patients who've been to the hospital for some check up. If that person for some reason uses the contact information on the patients and associates them and explains to them that they have been analyzed positive for HIV the patients may either get into unhappiness and lose expectations on the lives or they could document a suit against the hospital for negligence but in reality they may have not been attacked by the pathogen. The person who illegally obtains the individual details from the data source on the server may do so to be able to use revenge of some personal problem or under great pressure of some illegitimate persons. This is called subornation.
If these dangers are not mitigated or alleviated, you can find the chance that a healthcare facility may unknowingly break the regulations and rules enforced by HIPAA and may also cause a severe danger to patients. Therefore counter methods must be implemented that will assist the hospitals to avoid these dangers to enter into action. The following section outlines some basic interventions that reduce a clinic/clinic/care provider's risk to electric security danger.
The technologies in today's world are inclined to risks and therefore no system can be rendered risk free but certain steps can be studied to avoid the chance of Electronic Security Hazards to EHR. (Myers J, 2008)
There are two types of counter-measures to the risk of Electronic Security Hazards to EHR/HIS. One type is technological or preventive anatomist; the other will involve training and procedures to teach the workers so that attention is taken to avoid the dangers. (Myers J, 2008)
Technical counter-measures include restriction of access to the record/server rooms so that only approved users have access to the confidential data. Video surveillance of file/server rooms ensures that unauthorized users cannot get access to the server rooms in case the security is breached and the unauthorized end user gains usage of the server room they could be caught hold of even before they get access to the data. Ensuring that appropriate access is allocated/de-assigned to an individual based on his status will help in making certain past employees have no access to the confidential data. The highly sensitive file/server rooms, must have multifactor authentication access such as biometric validation like finger printing or retina check out and restricting the access to only in the guidance of the supervisor. (Myers J, 2008)
Other technological counter-measures include assembling of tables and structuring of work stations in order to distinguish them or partition those to create and keep maintaining a work environment that is secure. (Myers J, 2008)
Disconnecting the machines that contain delicate data from printers and allowing only local printers for pcs that contain delicate information avoids the disclosure of data as no data be uncovered to the folks outside the clinic. (Myers J, 2008)
Programming the fax machines with function for speed dial and preserving grasp lists so that dialing problems are prevented and restricting certain fax machines so that they can dial only certain figures can avoid mis-addressing of the faxes with confidential data. Programming fax machines in order that they automatically include the confidentiality statement whenever a fax is delivered will stay away from the legal breaches to confidentiality of the patient data. (Myers J, 2008)
Enforcing password safeguard on all the devices that store and travel patient data and encrypting each one of these devices will protect the individual information even if the devices are lost or taken. Employing inventory control techniques and deactivating devices that are unaccounted for. (Myers J, 2008)
Protecting all desktops with Security password and encrypting hard disks of most desktops, laptop computers and distributed drives with very sensitive data helps keeping the info related to the patients private. (Myers J, 2008)
Creating thin customer workstations to be able to manage the data on an isolated network in a way that there are no other applications no usage of internet at workstation, beyond data-entry program; restricting the usage of external drives, data jacks, or printers and restricting installation of printers on the machines helps us to keep the data secure and private even though the data is on a server. Encrypting of the server, the back-up of server and storing back-up in off-site location which includes restricted access and it is under constant training video monitoring helps us secure the back-up data. Auditing an individual gain access to and his activity on the server helps us stop the illegitimate access and use of the machines which helps us keep the data safe and sound. (Myers J, 2008)
These counter measures are effective when coupled with educating the personnel on how to store and manage the data and the resources.
The hospital must instruct the users they aren't allowed to duplicate keys or show combinations, aren't supposed to leave the delicate data on their tables, in unlocked drawers/cabinetry or printers, devices, lightweight press, hard drive, notebook computers, shared customer drives.
The hospital must instruct the users they have to confirm the positioning of the computer printer before printing sensitive information, and that they are not likely to make copies of delicate data.
The hospital must instruct the users that they have to verify the destination number for the fax before sending the fax and they need to coordinate the fax sent between sender and device. The hospital must instruct the staff to add a confidentiality declaration with all the faxes that are directed, how to keep track of pcs to ensure that data are correctly erased, how to handle sensitive information properly.
Ultimately risk and counter-measures must be assessed for a specific EHR. The next section discusses the chance of Electronic Security Risks in the CPSI system and briefly discusses appropriate counter-measures.
The CPSI system can be an enterprise-wide, single-source electric medical record (EMR) system. The system runs on the server based application that allows the users to log-in to the system from anywhere in the world online.
The CPSI system is susceptible to the Electronic Security Hazards as the data of the patients is stored on the machines which are prone unauthorized gain access to. The server rooms are also vulnerable to unauthorized access. Also the info over the servers may be disclosed on the network anticipated to other network risks.
The CPSI system can mitigate the Electronic Security Risks by enforcing biometric validation of the individuals who want to type in the server rooms. The biometric validations may either be finger printing or retina scanning or both.
The CPSI system should think about password protecting the servers so that even if the security to enter the server rooms is breached the unauthorized consumer cannot access the server.
The CPSI system should consider encrypting the data on the server so that even if the security to type in the server rooms and usage of the server is breached the unauthorized end user cannot browse the very sensitive information.
The CPSI system should think about encrypting the back-up data in secure machines in biometrically validated server rooms.
The CPSI should be mindful that it does not allow the staff members to use portable devices with the pcs and there should not be any internet access using which the staff members might transmit very sensitive data.
In this way CPSI system can maintain the patient data firmly and prevent any circumstances of data being disclosed which may lead the CPSI system into legal hassles and also CPSI system can make certain to abide by the security guideline of HIPAA.