Introduction
Fouzia, Nayer, Amit and Praveen (2015) defined an electronic health record (EHR) as a record of a patient’s medical details (including history, physical examination, investigations and treatment) in a digital format. According to Poissant, Pereira, Tamblyn and Kawasumi (2009), physicians and hospitals are implementing EHRs because they offer several advantages over paper records, such as increasing access to health care, improving the quality of care and decreasing costs of health care delivery.
However, Anderson (2007) stated that ethical issues related to EHRs confront health personnel. When a patient’s health data are shared or linked without the patient’s knowledge, autonomy is jeopardized. The patient may conceal information due to lack of confidence in the security of the system holding their data. As a consequence, their treatment may be compromised. There is the risk of divulgence of thousands of patients’ health data through identity theft and hacking.
The challenges facing the implementation of EHRs as they relate to the security of the patient are of great importance and worthy of adequate consideration. Security breaches of EHRs threaten a patient’s privacy when confidential health information is made available to others without the individual’s consent or authorization, thereby violating the privacy of the patient. Stanberry (2010) accepted that the challenges of securing patients’ medical records faced by the implementation of EHRs are enormous but can be minimized by putting in place security measures such as firewalls, antivirus software, and intrusion detection software to protect data integrity. In addition, specific policies and procedures can also be put in place to maintain patient privacy and confidentiality. For example, employees must not share their ID with anyone, must always log off when leaving a terminal, and must use their own ID to access patient digital records.
Conceptual framework on electronic health records (EHRs)
An electronic health record (EHR), as defined by Bostrom, Schafer, Dontje, Pohl, Nagelkerk and Cavanaggh (2006), is an electronic version of a patient’s medical history that is maintained by the provider over time, and may include all of the key administrative clinical data relevant to that person’s care under a particular provider, including demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data and radiology reports. The EHR automates access to information and has the potential to streamline the clinician’s workflow.
The North Carolina Healthcare Information and Communication Alliance (NCHICA) (2012) stated that the EHR also has the ability to support other care-related activities directly or indirectly through various interfaces, including evidence-based decision support, quality management, and outcomes reporting, stressing that EHRs are the next step in the continued progress of healthcare that can strengthen the relationship between patients and clinicians. The timeliness and availability of data in EHRs enable providers to make better decisions and provide better care. For example, the EHR can improve patient care by reducing the incidence of medical error through improved accuracy and clarity of medical records, making the health information available, reducing duplication of tests, reducing delays in treatment, and keeping patients well informed so that they can make better decisions.
As healthcare organizations increasingly adopt electronic health records, selecting the right EHR program is crucial for ensuring data security, interoperability, and ease of use. Various EHR software solutions on the market offer features tailored to different healthcare settings, from small clinics to large hospitals. Understanding the strengths and limitations of these programs can help providers improve patient care while safeguarding sensitive health information.
Electronic health records and patients’ data secrecy
American Medical Association (2012) described patients’ data secrecy in the utilization of electronic health records as a responsibility of health information managers to respect the right of individuals to keep information about their health data from being disclosed to others. This entails ensuring that patients’ health data are kept from surveillance or interference from other individuals and organizations.
Renehart and Thompson (2006) stated that the information that is shared as a result of a clinical relationship through electronic health records is considered confidential and must be protected. This information can take various forms (including identification data, diagnoses, treatment and progress notes, and laboratory results) and can be stored in multiple media (e.g., paper, video, electronic files). However, information from which the identity of the patient cannot be ascertained (for example, the number of patients with prostate cancer in a given hospital) is not in this category.
American Health Information Management Association (AHIMA) (2012), however, stated that a patient’s electronic health records should be released to others only with the patient’s permission or as allowed by law. This is not, however, to say that physicians cannot gain access to patient electronic health information. Information can be released for treatment, payment, or administrative purposes without a patient’s authorization. The patient, too, has federal, state, and legal rights to view, obtain a copy of, and amend information in his or her electronic health record.
Patients’ secrecy challenges facing the utilization of EHRs
Not too long ago, health records were kept in thick manila folders, and now many patients access their medical histories and test results via online portals. Although this abundance and availability of data is great for patients and medical professionals, it is even better for hackers. According to AMA (2012), as the healthcare industry embraces the EHRs, the security threat to most personal data is also changing. Here are five of the biggest healthcare data security challenges associated with EHRs:
1. Health information exchanges and electronic health records
The adoption of information technology in health care delivery encourages healthcare providers to adopt electronic health records (EHRs) for patients and health information exchanges (HIEs) to help clinicians share patient data. This makes it easy to store large quantities of medical data shared between multiple providers, which creates a tempting opportunity for data thieves. Where once data thieves might have had to break into a doctor’s office and flip through physical files to access a person’s medical history, now all they need is a lack of moral compunction and some hacking know-how (Fouzia et al., 2015).
2. User error in technology adoption
Another healthcare data security hazard of EHRs that can undermine patients’ data secrecy is simple patient user error. Once a patient has accessed laboratory work from a health care provider’s portal, that patient’s medical privacy is in his or her hands. But when these data are stored in unencrypted folders in the cloud, or the results are sent through email, it paves a simple pathway for a hacker to access patients’ data (Odom-Wesley, Brown and Meyer, 2009).
3. Hackers and the rise of “hacktivism”
Nothing is sacred in the realm of data theft, as shown by the CHS Heartbleed attack. In 2013, hackers broke into the databases of Community Health Systems, Inc. (CHS), one of the largest hospital groups in the United States, and accessed personal data, including social security numbers, from around 4.5 million patients. Hackers from the self-acclaimed Internet Vigilante Group also targeted the Boston Children’s Hospital, launching a distributed denial of service (DDoS) attack on the hospital website as an act of “hacktivism.” While the purpose of the attack, part of a larger operation called OpJustina, was to seek retaliation against the hospital for holding a patient against the will of her parents, it shows just how vulnerable healthcare data security can be to a group of determined hackers (AHIMA, 2012).
4. The adoption of cloud and mobile technology in healthcare
Healthcare mobile apps are also a growing industry, leaving patient data prone to the vulnerabilities of the cloud and individual mobile devices. While many practitioners argue that patients’ data are safe because PHI is encrypted, it is noteworthy that encryption is a slippery issue when it comes to the cloud. While it’s relatively simple to encrypt data at rest in the cloud, data in use (that is, data being used by an application, as opposed to sitting in storage) is much harder to encrypt (Rinehart & Harman, 2006).
5. Outdated technology in hospitals
Running a hospital is usually not cheap, and when hospitals are prioritizing the latest MRI technology or increasing staff to meet growing needs, sometimes the IT budget can fall by the wayside (NCHICA, 2012).
Measures to ensure patients’ secrecy in the utilization of EHRs
Ensuring patients’ secrecy in the implementation of EHRs requires adequate security of the protected health information (PHI) of patients in your health information technology system, which entails putting measures in place to guard against unauthorized use and disclosure of PHI. According to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, as cited in Adeleke (2014), patients’ secrecy in the utilization of EHRs can be achieved through:
- technical safeguards;
- physical safeguards; and
- administrative safeguards.
Technical safeguards
Technical safeguards in the utilization of EHRs are safeguards that are built into your health information system to protect electronic health information and to control access to it. This includes measures to limit access to electronic information, to encrypt and decrypt electronic information, and to guard against unauthorized access to that information while it is being transmitted to others. Procedures and policies are required to address the following elements of technical safeguards:
- Access control: Allowing access only to persons or software programs that have appropriate access rights to data or PHI by using, for example, unique user identification protocols, emergency access procedures, automatic logoff, and encryption and decryption mechanisms.
- Audit controls: Recording and examining activity in health IT systems that contain or use PHI.
- Integrity: Protecting PHI from improper alteration or destruction, including implementation of mechanisms to authenticate PHI.
- Person or entity authentication: Verifying that a person or entity seeking access to PHI is who or what they claim to be (proof of identity).
- Transmission security: Guarding against unauthorized access to PHI that is being transmitted over an electronic communications network.
Odom-Wesley et al. (2009) stated that having technical safeguards in place can protect against various intended and unintended uses and disclosures of PHI. Some of the technical safeguards are preventive measures to protect PHI, while others are designed to ensure disclosure and identification of any unauthorized uses.
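How three of the elements listed above (access control with automatic logoff, audit controls, and integrity of the recorded trail) can work together is shown in the following added example, which is not from the original article or from any EHR product. The role table, idle limit, key, user and patient identifiers are constructed assumptions.

```python
import hashlib
import hmac
import json

AUDIT_KEY = b"constructed-demo-key"  # assumption: really held in a key store
IDLE_LIMIT = 900                     # assumption: automatic logoff after 15 min
ROLE_RIGHTS = {"physician": {"read", "amend"}, "billing": {"read"}}  # constructed

def _mac(prev_mac, event):
    body = json.dumps(event, sort_keys=True)
    return hmac.new(AUDIT_KEY, (prev_mac + body).encode(), hashlib.sha256).hexdigest()

class AuditLog:
    """Audit control: each entry's MAC also covers the previous entry's MAC."""
    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["mac"] if self.entries else ""
        self.entries.append({"event": event, "mac": _mac(prev, event)})

    def verify(self):
        """Integrity: False if any recorded entry was altered afterwards."""
        prev = ""
        for entry in self.entries:
            if not hmac.compare_digest(_mac(prev, entry["event"]), entry["mac"]):
                return False
            prev = entry["mac"]
        return True

def access_phi(log, session, action, patient_id, now):
    """Decide one PHI request and record the decision, allowed or not."""
    if now - session["last_seen"] > IDLE_LIMIT:
        decision = "denied:session-expired"   # automatic logoff
    elif action not in ROLE_RIGHTS.get(session["role"], set()):
        decision = "denied:no-right"          # access control by role
    else:
        decision = "allowed"
        session["last_seen"] = now
    log.append({"user": session["user"], "action": action,
                "patient": patient_id, "time": now, "decision": decision})
    return decision

if __name__ == "__main__":
    log = AuditLog()
    clerk = {"user": "u1001", "role": "billing", "last_seen": 0}  # constructed
    for action, t in [("read", 100), ("amend", 200), ("read", 2000)]:
        print(t, action, access_phi(log, clerk, action, "P-0001", t))
    print("audit trail intact:", log.verify())
```

Denied requests are logged as well as allowed ones, so the trail supports both the preventive and the detective purposes described above.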
Physical safeguards
Physical safeguards for PHI and health IT refer to measures to protect the hardware and the facilities that store PHI. Physical threats, whether to electronic or paper formats, affect the security of health information. Some of the safeguards for electronic and paper-based systems are similar, but some safeguards are specific to health IT. Policies and procedures must be put in place to physically safeguard health IT. These elements include:
- Facility access controls: Limitations for physical access to the facilities where health IT is housed, while ensuring authorized personnel are allowed access.
- Workstation use: Specifications for the appropriate use of workstations and the characteristics of the physical environment of workstations that can access PHI.
- Workstation security: Restrictions on access to workstations with PHI.
- Device and media controls: Receipt and removal of hardware and electronic media that contain PHI into and out of the facility and the movement of these items within a covered entity, including disposal, reuse of media, accountability, and data backup and storage.
Administrative safeguards
Administrative safeguards refer to the policies and procedures that exist in practice to protect the security, privacy, and confidentiality of patients’ PHI. These administrative safeguards include:
- Identifying relevant information systems
- Conducting a risk assessment
- Implementing a risk management program
- Acquiring IT systems and services
- Creating and deploying policies and procedures
- Developing and implementing a sanctions policy
References
Adeleke, M. (2014). Professionalism in the age of computerised medical records. Nigerian Med J., 47, 1018–22.
American Health Information Management Association (AHIMA) (2012). The 10 security domains. J Am Health Inf Management Assoc., 83(5), 50.
American Medical Association (AMA) (2012). Electronic health records: Privacy, confidentiality and security. Journal of Ethics, 20(12), 9–12.
Anderson, J. G. (2007). Social, ethical and legal barriers to e-health. Int J Med Inform., 76, 480–3.
Bostrom, A. C., Schafer, P., Dontje, K., Pohl, J. M., Nagelkerk, J. & Cavanaggh, S. J. (2006). Electronic health record: Implementation across the Michigan Academic Consortium. Comput Inform Nurs., 24, 44–52.
Fouzia, F., Nayer, J., Amit, S. & Praveen, A. (2015). Ethical issues in electronic health records: A general overview. Prospect Clin Res., 6(2), 73–76.
North Carolina Healthcare Information and Communication Alliance (NCHICA) (2012). The benefits and risks of electronic health records. North Carolina: NCHICA.
Odom-Wesley, B., Brown, D. & Meyers, C.L. (2009). Documentation of medical records. Chicago: American Health Information Management Association.
Poissant, L., Pereira, J., Tamblyn, R. & Kawasumi, Y. (2009). The impact of electronic health records on time efficiency of physicians and nurses: A systematic review. J Am Med Inform Assoc., 12, 505–16.
Renehart & Thompson (2006). Privacy and confidentiality. Challenges in the Management of Health Information. (2nd ed.) Sudbury, MA: Jones and Bartlett.
Stanberry, B. (2010). Telemedicine: Barriers and opportunities in the 21st century. J Intern Med., 247, 615–28.