Through the passage of the Patient Protection and Affordable Care Act of 2010, the federal government is pushing healthcare providers and hospitals to quickly move towards electronic documentation systems or be penalized for non-compliance. This push has presented many problems for physicians and hospitals alike. Probably the most important issue that needs to be kept in mind when making a decision on a system is security and patient privacy. These two pieces present technological challenges as well as practical challenges including where and how the patient data is captured, stored, and accessed.
HIPAA (Health Insurance Portability and Accountability Act of 1996) is the dictating law that must be kept in mind when choosing a medical charting system and the devices needed to access the system. Patient data and privacy must remain confidential and protected above any other concerns regarding electronic systems. Cloud computing is a “hot-button” topic that is becoming popular in business and healthcare. The convenience of accessing data from anywhere and from multiple hardware platforms has many benefits, but this ease of access comes with security concerns. These concerns must be reviewed and policies put in place to ensure that confidential patient data is not exposed.
Security Issues: Healthcare I.T. and Cloud Computing
The digital age has brought about many changes in the way certain tasks are performed, the way communication takes place, the way education is performed, and the way that medicine is practiced. As government regulation regarding healthcare practice and reimbursement becomes more strict and requires documented evidence to back up medical decisions before Medicare or Medicaid will pay the providers, it is becoming increasingly important for medical personnel and hospitals to not only conform to the new technological standards, but to embrace the technology that is driving it.
In the past, organizations were required to host, store, and back up the data and applications that were used both inside and outside of the facilities. This presented many difficulties such as application maintenance, data storage and maintenance, and hardware maintenance. Cloud computing offers some solutions to these issues by allowing IT departments to rely less on physical hardware, perform backups and duplicate them easily to offsite facilities, and provide application support to platforms that previously were unsupported. However, this presents significant security risks and legal liabilities with regard to HIPAA (Health Insurance Portability and Accountability Act) laws.
The purpose of this report is to discuss the options available for implementing and accessing Electronic Medical Record Systems and the issues inherent with the different options, focusing on the security and privacy concerns specific to cloud computing.
This report will identify the reasons and methods for implementing cloud computing within the healthcare environment. It will also point out the security risks inherent to electronic storage of confidential health information and compounded by access to this information through the internet. As background information, the core components and functions of Healthcare IT will be discussed. The research will also cover the laws that govern the protection of PHI (personal health information), who has access to PHI, and what the differences in the laws are with regard to hosting a service versus being a user of the service.
Sources and Methods of Collecting Data
The research for this report was done primarily through secondary resources including the transcript from a webinar performed for healthcare IT and compliance personnel covering regulatory compliance within healthcare software as well as articles from Information Technology and Healthcare journals covering issues with security and “cloud” environments. A survey was also performed in 2009 of the physicians on active staff at Terrebonne General Medical Center. The primary research is also used to demonstrate the lack of adoption within the local physician community.
Healthcare Information Technology
Healthcare IT is not that different from IT in other industries. The maintenance of PCs, servers, software, and network connectivity is the same regardless of the business. The difference between Healthcare and most other industries is that the nature of the data being held within the computer systems is incredibly personal and the protection of that data is highly regulated by government entities. Up until the last few years, it was primarily hospitals that had to be concerned with ensuring that electronic patient data was stored and protected correctly. Some technologically advanced physicians have already implemented Electronic Medical Record Systems, but most physicians are only now beginning to explore the multitude of options available due to the passage of the Patient Protection and Affordable Care Act of 2010 by the US Congress.
Within the realm of healthcare, there are typically two major divisions in computer applications: financial systems and clinical systems. Financial systems have been adopted in most hospitals and physician offices, largely due to requirements from insurance companies and government bodies that require data to be transmitted electronically for payment. Clinical systems, however, have not been implemented widely due to lack of knowledge and workflow interruption concerns. “Elaborate training in new e-healthcare systems is not a luxury that is typically available to healthcare professionals – i.e., doctors, paraprofessionals, (e.g., nurses) and administrative personnel—because of the 24×7 nature and criticality of operations of healthcare organizations, especially hospitals, thus making peer interactions and support a key driver of or barrier to such e-healthcare system use” (Venkatesh, Zhang, & Sykes, 2011).
Data and Security
While a paper could be written solely regarding the storage and maintenance of electronic data, for the purposes of this paper only an overview and best practices will be discussed. Data can be stored in a multitude of different manners, all of which have benefits and downfalls. Saving data locally to a particular computer or other device can be dangerous. Should that device fail, the data saved to it could be lost. Also, data that has been saved locally to a device is more difficult to secure, and it is harder to guarantee that the data will only be accessed by the appropriate person or persons. From an enterprise or business level, the best practice for data storage is to ALWAYS save data to a central location so that it can be backed up regularly and can be accessed from multiple locations. It is also recommended for larger businesses such as hospitals to have duplicated backups, and in some cases the data may be backed up to an off-site facility for disaster management purposes.
Though proper backup practices are vital, data security is just as important. Software applications such as Microsoft Active Directory and Novell NetWare are used to provide security to a computer network and the data stored within it. Through these systems, users must log into individual workstations, and based upon the credentials provided at this login, the user will only be allowed to access certain portions of the data, which is stored somewhere else on the network. This method of access and storage is much safer and more easily controlled than it would be if the data were stored on the hard drive of the device the user is accessing.
Security has become more difficult to enforce with the increased adoption of mobile devices. The rapid growth in the number, types, and functionality of mobile devices has been stunning… currently there are over 17,000 healthcare mobile applications listed in major app stores, of which 50% are directed to healthcare professionals (Laverty, Kohun, Wood, & Turchek, 2011). Securing data accessed by smartphones, tablet computers, iPads, and other handheld devices presents a host of new difficulties. In many cases, these devices are not owned by the facility and thus are not being accessed in the same manner as desktop PCs and laptops.
Controlling devices that access patient data while working within the confines of HIPAA is a key challenge for healthcare organizations. HIPAA privacy rules apply to all healthcare providers, health plans, healthcare clearinghouses, and business associates (Roach & Wunder, 2009). Internally, data security can be achieved through proper user habits: logging out of a session when the user is not actively using the system, screensavers that require a password, and automatic timeouts during periods of inactivity all help to ensure that private data cannot be accessed by someone who does not have the legal right to view the data. Many organizations undergo periodic security audits to assist in finding vulnerabilities within the systems being run. Not only is it a challenge to provide data access security, but it is even more difficult to physically secure a device that someone carries around with them and that is not stationary.
Some programs like Microsoft Exchange (for email) can require that a security threshold be in place before the program can be accessed from a particular device, and have the ability to remotely wipe the data from a device should it become compromised. The mobile nature of handheld devices is also a major challenge. In years past, laptop computers were the only real threat to data being accessed from off-campus sites. As cellular data technology has gotten faster and mobile devices can now access these wireless systems from nearly anywhere, the threat of data security breaches has increased. Another challenge is keeping up to date with users that should no longer have access to the available systems. Internally, a systems administrator can keep track of employees that are still employed with the organization. It becomes a much more difficult task to police the access of users outside of an organization.
What is cloud computing?
The term “cloud” computing originates from the telecommunications world of the 1990s, when providers began using virtual private network (VPN) services for data communication (Kaufman, 2009). Cloud computing shares its resources among a cloud of service consumers, partners, and vendors (Kaufman, 2009). In simpler terms, cloud computing is a shared infrastructure where hosting and accessing of services is not site specific. The data does not live only on a server in an office or building. Cloud computing can be used for offsite data backup. In lieu of housing a set of storage servers at an offsite facility, organizations can choose to back up their data to the cloud, where it will be stored by someone else for a fee. The same process can be applied to applications. Rather than having to invest in expensive hardware that requires maintenance, organizations may choose to run web-based applications that are hosted by someone else over the internet for a fee. Cloud computing allows for some systems to interconnect and share data, which is the end goal of electronic medical records and forming a personal health record for patients.
Cloud computing has begun to take off as vendors such as Google and Apple have begun to open up their own cloud offerings. Some vendors offer these services for free, as Google does with its Google Documents offering. Others, such as Apple’s iCloud, are offered to users for a fee. Services such as these have enabled users to access personal data from anywhere at any time.
Benefits of Implementing in Healthcare
Though the upside to implementing EMR systems and sharing data is evident, there are drawbacks. One key concern is that practitioners will be slowed down due to the learning curve involved with using new systems. Physicians have grown accustomed to providing medicine in a certain manner, which does not always work well with electronic charting systems. Another issue at hand is who owns the data. Physicians are not always excited to share their personal notes regarding patient care. “The whole point of cloud computing is economy” (Delaquis & Philbin, 2011). With the passage of the Patient Protection and Affordable Care Act of 2010, physician and hospital organization reimbursement for Medicare and Medicaid will be tied to meeting certain “meaningful use” guidelines. In order to get full reimbursement for services provided, these providers are being pushed to document their practice of medicine electronically, and in turn this information will be the property of the patient and shared with other providers to ensure proper continuity of care.
The idea behind this is that there will be fewer medical errors and the patient will have access to all the information necessary to make informed decisions regarding their healthcare. From a provider standpoint, this means that “hopefully” all medically necessary information will be available to medical professionals in order to provide the necessary medical care, and fewer errors will be made due to lack of patient health history. Electronic documentation and ordering also have a few other side effects. Fewer errors should be made due to less human intervention and interpretation of orders and, with luck, better coding and documentation of services rendered will lead to increased revenue. Because physician adoption is low, the building of personal health records is moving much more slowly (see Illustration below for EMR adoption rates at a local hospital) than the growth of cloud computing as a whole.
Though there are definite risks involved with the storage and transfer of protected personal health information, the use of mobile devices in the workplace is driving cloud computing and will continue to do so. In order to get healthcare providers to begin adopting electronic systems, the systems must be user friendly, work well within the flow of the practice of medicine, and not inhibit proper care from being provided. The environment of healthcare is changing and the delivery of healthcare information must change with it. Patients no longer expect to just be given appropriate care; they now insist on being involved with the decision making regarding how that care is rendered. Moving health information into a cloud environment and allowing that information to be shared will eventually lead to better healthcare for everyone, no matter which hospital the patient is in or which physician is providing the care.
References

Delaquis, R. S., & Philbin, G. (2011). To Cloud or Not to Cloud? Issues in Information Systems, Volume XII, No. 1, 54-58.

Kaufman, L. M. (BAE Systems). (2009, July/August). Retrieved from IEEE Computer Society: http://www.computer.org/csdl/mags/sp/2009/04/msp2009040061.html

Laverty, J. P., Kohun, F. G., Wood, D. F., & Turchek, J. (2011). Vulnerabilities and Threats to Mobile Device Security from a Practitioner’s Point of View. Issues in Information Systems, Volume XII, No. 2, 181-193.

Miller, Esq., W. J. (2011, November 3). New World of Medical Apps: Beware Regulatory Traps! Progressive Healthcare Conferences. Malvern, PA.

Mishra, S., Leone, G. J., Caputo, D. J., & Calabrisi, R. R. (2011). Security Awareness for Health Care Information Systems: A HIPAA Compliance Perspective. Issues in Information Systems, Volume XII, No. 1, 224-236.

Pardue, J. H., & Patidar, P. (2011). Threats to Healthcare Data: A Threat Tree for Risk Assessment. Issues in Information Systems, Volume XII, No. 1, 106-113.

Paullet, K. L., Pinchot, J. L., Douglas, D., & Rota, D. R. (2011). Mobile Technology: Plugged In and Always On. Issues in Information Systems, Volume XII, No. 1, 141-150.

Roach, W., & Wunder, G. (2009). Privacy Under Health Insurance Portability and Accountability Act (HIPAA) of 1996: The Impact of RFID. Issues in Information Systems, 237-241.