Privacy / Security - Researching The Electronic Health Records (EHR)
EssayChat / Feb 6, 2018
At its core, the Electronic Health Record should enable the privacy and portability of identifying personal information and medical information. The patient EHR can be interlinked with the security system located at the ER and ICU so that a photo can identify whether the patient leaves the area without authorization. The patient identification bracelet can identify the patient who is linked to the EHR. The identity options of the EHR must comply with the Health Information Portability Accountability Act (HIPAA) regulations. HIPAA is segmented into two separate acts, the Privacy, Security, and Breach Notification Rules (1996) and the Patient Safety Quality Improvement Act of 2005 Patient Safety Rule. Therefore, the security of the information systems relaying the EHR is vital to the protection of patient medical information under HIPAA.
Redesign Computer Work Processes
A new computer system in the ICU must share an operating system platform for all terminals that is compatible with the hospital-wide system. The ICU computer network must be able to share information with other networks on the hospital Intranet. Each department has its own network drive, which allows each terminal to save files linked to an employee identity to the respective drive. The network drive may be locked and only viewable/accessible to computers with identities saved to the network drive. The level of security within the hospital Intranet is as important as protecting administrator access on the Internet. The patient EHR can therefore be transferred from the admissions desk to the ICU to prepare the department in anticipation of the patient's arrival.
Redesigning the computer process is therefore integral to a specific flow chart or set of processes in place as a plan for the departmental operations. For example, one set of processes can link the ICU to interact with the admissions desk and the discharge desk, which perform the activation and deactivation of the hospital security linking the EHR to the patient identity bracelet. The hospital-wide system must be linked interdepartmentally to support user interface design and biometric scanning subprocesses that link each patient subaccount to the EHR. The most critical aspect of the redesign is the security. "Enterprise security roles are converging, so that individuals with responsibility for physical surveillance and perimeter control are moving into multi-disciplinary roles and working more closely with their counterparts in IT security, to minimize risk across the business." (Walters) The computer login must be password protected at each terminal. Additionally, the section of the network drive with the patient EHR data must be password protected as well while it is transferred between departments, until discharge. For security purposes and to better comply with HIPAA, the hospital is not authorized but is expected to remove the patient EHR file after discharge.
The revision of current work processes is specific to the implementation of security programs and protocols on the network and on the CPU of each workstation. The software and the programs that are specific to the daily routine and normal operations of the department will all be readily available on the new workstation in the same manner as they were available on the old workstation. The ICU department head, the CMO, the CNO as well as each medical staff and administrative staff member in the ICU must convene in person or communicate in writing via email about the needs and possible upgrades and updates to current computer applications, software, and programs. In addition, they must consider the suitability and interoperability of a security system that links patient identification to the EHR via the ID photo of the patient and camera scanning technology to identify the patient using the patient identification wristband.
The security and EHR network integration involves solving the human-computer interaction problem. The human-computer interaction problem seeks to identify "cognitive engineering methods to support system design." (Thyvalikakath et al.) Computer systems design, specific to use in the ICU, is an interconnected process that uses IT functionality to accomplish organizational customer service and compliance goals. "As systems continue to grow in scale and complexity, systems integration (SI) has become a key concern . . . SI involves interfacing and enabling the interactions of component elements to collectively provide the functionality needed by the system to accomplish its goals."
The key term is 'component elements': these components, as separate procedures within the systems integration design, are responsible for the overall functionality that achieves the end goals of the workflow information systems. Therefore, the computer work processes redesign will be authorized by the chief administrative officer of the hospital or medical facility and the implementation overseen by the chief information officer and/or chief technical officer. The compliance officer should also provide information on HIPAA compliance relative to the 1996 act and the 2005 act. My involvement is by way of consulting and answering questions that may arise during the redesign. The workflow processes of other hospital departments will be impacted as the same redesign will likely have to occur in each department as well.
Identification of Electronic Security Risk in Work Environment
Electronic security risk in the work environment is essentially access by unauthorized persons to the hospital Intranet and Internet by way of the information technology and information systems components and infrastructure. The identification of an electronic security breach is based on a network security protocol that can lock the Intranet and Internet sections of the network. Citrix Systems has a network management software program that can provide this level of security to prevent unauthorized access by way of security breaches. Once the breach has been identified, the network security protocol will lock access to the Intranet and Internet and will require an identification password to log in to the system.
Systems risk, the risk that information systems are not sufficiently protected from attacks of different sorts that can lead to damages or losses, is inherent to process identification and process management. "Risk can be managed or reduced when managers are aware of the full range of controls available and implement the most effective controls. Unfortunately, they often lack this knowledge, and their subsequent actions to cope with systems risk are less effective than they might otherwise be." (Straub, Welke) The management that is responsible for the internal controls of the IT and IS systems respective to the EHR and user access security procedures is therefore often not aware of the available security practices and best practices that ensure robust security protection.
The network security managers are responsible for identifying any and all weaknesses in the network before allowing the network to go live within the daily operations of the hospital. New workstations will therefore imply a new desktop or laptop computer with new hardware and software along with a new monitor and possibly a new printer and office equipment as well as peripherals. These new components will likely pose security risks that must be identified by the network security manager and addressed accordingly. Additionally, the network manager must work with the compliance officer to ensure that the storage of patient EHR information is compliant with HIPAA standards.
The work environment is rife with security risks, ranging from inside employees to outside intruders. Unauthorized access may be obtained by either type of security risk, and a violation of internal controls can occur if a network password is improperly obtained. Such parameters as the time of access to the network and the areas of access to the network can determine if the network user is indeed an authorized network user. In addition, a protocol from a transitory department can grant access to a workstation in another department for a specified time range, during which the specific network path can be accessed for the retrieval of the patient EHR. The use of such a protocol is designed to reduce the potential for security breaches through unauthorized patient EHR access.
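The time-of-access, area-of-access and time-limited cross-department checks described above can be sketched as follows. This is an added example, not part of the original essay; the user names, shift hours, `/ehr/...` paths and the `Grant` record are constructed assumptions.

```python
import posixpath
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class User:
    department: str
    shift_start: time
    shift_end: time

@dataclass(frozen=True)
class Grant:  # time-limited access to another department's EHR path
    user: str
    path_prefix: str
    not_before: datetime
    not_after: datetime

# Constructed sample data: names, paths and hours are illustrative assumptions.
DEPT_PATHS = {"ICU": "/ehr/icu/", "ADMISSIONS": "/ehr/admissions/"}
USERS = {"nurse_a": User("ICU", time(7), time(19)),
         "clerk_b": User("ADMISSIONS", time(22), time(6))}  # overnight shift
GRANTS = [Grant("clerk_b", "/ehr/icu/p1001/",
                datetime(2018, 2, 6, 23, 0), datetime(2018, 2, 7, 1, 0))]

def in_shift(user, ts):
    t = ts.time()
    if user.shift_start <= user.shift_end:
        return user.shift_start <= t < user.shift_end
    return t >= user.shift_start or t < user.shift_end  # window wraps midnight

def evaluate(name, path, ts, users=USERS, grants=GRANTS):
    """Return (allowed, reason) for one EHR access attempt."""
    user = users.get(name)
    if user is None:
        return False, "unknown-user"
    if not in_shift(user, ts):
        return False, "outside-shift"
    path = posixpath.normpath(path)  # collapse ../ before prefix checks
    if path.startswith(DEPT_PATHS[user.department]):
        return True, "home-department"
    for g in grants:
        if (g.user == name and path.startswith(g.path_prefix)
                and g.not_before <= ts <= g.not_after):
            return True, "temporary-grant"
    return False, "outside-area"

def audit(events):
    """Return (name, path, reason) for every attempt that should be reviewed."""
    results = [(n, p, evaluate(n, p, ts)) for n, p, ts in events]
    return [(n, p, reason) for n, p, (ok, reason) in results if not ok]
```

Denied attempts returned by `audit` are the ones a network security manager would review; a correct password alone does not pass the check if the time or area of access falls outside policy.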
Guerrero-García, J. (2014). Evolutionary design of user interfaces for workflow information systems. Science Of Computer Programming, 86, 89-102. doi:10.1016/j.scico.2013.07.003
US Department of Health & Human Services (HHS) (2014). Health Information Privacy, Improving the health, safety and well-being of America.
Madni, A. M., & Sievers, M. (2014). Systems Integration: Key Perspectives, Experiences, and Challenges. Systems Engineering, 17(1), 37-51. doi:10.1002/sys.21249
Straub, D. W., & Welke, R. J. (1998). Coping With Systems Risk: Security Planning Models for Management Decision Making. MIS Quarterly, 22(4), 441-469.
Thyvalikakath, T. P., Dziabiak, M. P., Johnson, R., Torres-Urquidy, M., Acharya, A., Yabes, J., & Schleyer, T. K. (2014). Advancing cognitive engineering methods to support user interface design for electronic health records. International Journal Of Medical Informatics, 83(4), 292-302. doi:10.1016/j.ijmedinf.2014.01.007
Walters, R. (2010). Managing risk through the integration of physical and logical security. Biometric Technology Today, 2010(7), 6-8. doi:10.1016/S0969-4765(10)70144-2