Health data is important in many respects: it contains vital information about individuals and supports research into diseases and health outcomes. This data is very sensitive, and strict security measures should be put in place to ensure that it does not fall into the wrong hands. Due to technological advancement, health data can be accessed from many devices, which also raises concern about the security of the data. Consumers are taking more control as a result of self-care and advances in information technology. Since physicians are busy and typically inaccessible, a new method of communicating with them has emerged. Technology has made it possible to come up with digital medicine that is more experimental, more effective, more widely distributed, more precise and more egalitarian than current medical practice. Most healthcare facilities do not give first priority to disaster recovery in their healthcare IT budgets. Disaster recovery is a very important aspect of a healthcare organization because without it data might be lost in a natural disaster or cyber-attack. Cybersecurity systems in healthcare organizations are lax compared with those in other sectors, and this makes them vulnerable to attacks by hackers. Precautions should be put in place to ensure that health data is safe and secure. This paper outlines who can access health data, the importance of securing health data and the different ways in which this health data can be kept secure.
Access to Health Data
Health data today is used in many forms to investigate the level and distribution of disease and other health outcomes in society. Health data can be obtained from health systems, insurance companies, public health departments, and providers. The privacy of medical information has always been a concern of responsible medical care. In recent times, however, new forms of highly sensitive data have emerged. If this information is accessed by the wrong persons and used improperly, it can damage an individual’s insurability and employability as well as their psychological well-being (Armstrong, Rushton & Zimmerman, 1999). Such data includes the results of HIV tests and genetic susceptibility testing.
Fundamental societal decisions should be made to balance the need for access to an individual’s identified health data for the public good against the importance of individual privacy. A balanced approach is required because any access are mutually exclusive. There has been an increased restriction on access to personal health data by health scientists and epidemiologists. This can prove harmful to the public in different ways, and anonymization of archived medical data has been suggested (Centers for Disease Control and Prevention, 2003). However, anonymization makes it difficult to trace data back to an individual, and because anything can happen in the future, it is important that individual identifiers be retained in some form. Privacy of medical information can be strengthened by requiring individuals to give informed consent for each separate use of this information.
However, this is unrealistic: contacting individuals or their next of kin for permission each time their information is needed for research, years or decades after the event occurred, would lead to untenable administrative, logistical and financial burdens. It is essential to be able to study medical records over a period of time even after the individuals have left organized health systems or died. Personal health information needs to be free of serious selection biases and be available on a population basis (Armstrong, Rushton & Zimmerman, 1999). These selection biases include nonparticipation in the population at risk. Such biases undermine the scientific validity of medical and public health research.
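One way to reconcile the anonymization of archived records with the need to retain individual identifiers "in some form", as discussed above, is keyed pseudonymization. The Python code below is an added example and is not part of the original paper; the Custodian class, the field names and the sample records are hypothetical and constructed for illustration. Researchers receive only a pseudonym that links the same person's records over time, while the record holder alone can trace a pseudonym back to the individual.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; every name, MRN and result here is made up.
SAMPLE_RECORDS = [
    {"mrn": "MRN-0001", "name": "Alice Example", "year": 1999, "test": "HIV", "result": "negative"},
    {"mrn": "MRN-0002", "name": "Bob Example", "year": 1999, "test": "HIV", "result": "negative"},
    {"mrn": "MRN-0001", "name": "Alice Example", "year": 2012, "test": "HIV", "result": "negative"},
]

# Fields that identify a person directly and must never reach researchers.
DIRECT_IDENTIFIERS = ("mrn", "name")


class Custodian:
    """Hypothetical record holder: keeps the secret key and the re-link table."""

    def __init__(self, key=None):
        # The key never leaves the custodian; without it a pseudonym cannot
        # be recomputed from a guessed MRN (unlike a plain unkeyed hash).
        self._key = key if key is not None else secrets.token_bytes(32)
        self._relink = {}  # pseudonym -> original MRN, stored apart from the data

    def pseudonym(self, mrn):
        """Keyed, deterministic pseudonym: HMAC-SHA256 of the MRN."""
        mac = hmac.new(self._key, mrn.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()[:32]

    def release(self, records):
        """Return research copies with direct identifiers replaced by a pseudonym."""
        released = []
        for record in records:
            pid = self.pseudonym(record["mrn"])
            self._relink[pid] = record["mrn"]
            row = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
            row["pid"] = pid
            released.append(row)
        return released

    def reidentify(self, pid):
        """Trace a pseudonym back to the individual; None if it is unknown."""
        return self._relink.get(pid)


def visits_per_person(released):
    """What a researcher can do with pseudonyms alone: link records over time."""
    counts = {}
    for row in released:
        counts[row["pid"]] = counts.get(row["pid"], 0) + 1
    return counts


if __name__ == "__main__":
    custodian = Custodian()
    data = custodian.release(SAMPLE_RECORDS)
    for row in data:
        print(row)
    print(visits_per_person(data))
    print(custodian.reidentify(data[0]["pid"]))
```

Removing direct identifiers does not by itself prevent re-identification from the remaining fields, so the released columns still need review before sharing.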
Devices and Technology Used In Security of Health Data
Several devices are used to access Electronic Protected Health Information (EPHI), including portable media and devices such as USB flash drives and memory cards, mobile devices, personal digital assistants (PDAs), laptops, Wireless Access Points (WAPs) and home computers. Others include floppy disks, CDs, DVDs, backup media, email, smart cards, and Remote Access Devices, which include security hardware. All these devices are expected to be in compliance with the HIPAA Security Rule, which includes, among its requirements, reviewing and modifying security policies and procedures where necessary on a regular basis. This is particularly significant for organizations that allow their staff remote access to EPHI through external systems, portable devices or hardware that is not owned or managed by the covered entity (Clarke et al, 2007, August).
Generally, covered entities should be very careful about offsite use of or access to EPHI, though some situations may require it. One example is when it has been found to be necessary through the entity’s business case or cases (Ammenwerth et al, 2003). Another is when great care has been taken to ensure that procedures, policies, and workforce training have been effectively deployed. Access can also be provided when it is consistent with the relevant requirements of the HIPAA Privacy Rule.
Cases where this might apply include a home health nurse who visits a patient and needs to access and collect the patient’s data using a laptop or a PDA; a physician who responds to a patient’s request for a refill while out of the office using an e-prescribing application on a PDA; and a health plan employee who delivers backup enrollee data to an offsite facility on a media storage device. Other business cases might also require offsite use of or access to EPHI, hence a covered entity must evaluate its own need for offsite use or access. In deciding which security strategy to use, the following factors should be considered: the complexity, size and capabilities of the covered entity; its technical hardware, infrastructure, and software capabilities; the cost of security measures; and the criticality and probability of potential risks to EPHI (Clarke et al, 2007, August).
Connecting with the healthcare consumer
More than ever, consumers are positioned to take on pre-emptive, decision-making roles in healthcare. As seen from self-care, the evolving patient-provider relationship, and advances in information technology, consumers are taking more control. Consumerism is having an impact on the operations, strategy, and investment decisions of healthcare organizations. This is true across all sectors of the industry, and it is becoming more significant and apparent (Kizer, 2001). Consumers have changed, and this consumer evolution has had a great impact on various sectors of the healthcare industry. This new crop of empowered and informed consumers means that providers and executives need to find new methods to satisfy their consumers and to improve the delivery of healthcare. This mostly concerns quality and the places where healthcare can be accessed.
Some organizations prioritize developing their quality and safety frameworks and clinical governance structure, which is the process, rather than the end product, which is safe, patient-centered care. Just like the airline industry, the healthcare industry should make it a priority to maintain safety and quality through the foundation work of ensuring that standards are met, that care is monitored and that the necessary policies are implemented. Another important aspect of connecting with the healthcare consumer is providing quality governance (Kizer, 2001). Organizations should also develop systems with a definite purpose and provide a concrete relationship between quality of care and governance systems.
Emphasis should be put on promoting a common culture that can be shared by everyone in the healthcare sector, namely putting the patient first. To have quality governance, there should be strategic planning, an effective and accountable workforce, consumer participation and compliance, good practice risk and improvement. To run successfully, a healthcare center should provide care that is connected and responsive to the individual and care that is safe and effective for all its patients at any time. It should also support its staff and trust them to deliver on the same (Kizer, 2001).
Email has upended traditional media-buying practices by introducing a new medium with unique purchasing considerations. This new method has arisen because office-based physicians are busy and typically inaccessible. It has become crucial that the elements of email communication be considered to maximize results. These elements include physician email address, design, timing and composition. Since most physicians work, communicate, access patients’ information, give prescriptions and access information online using smartphones, the most effective way to capture their attention is through email. Email marketing is fast and affordable, hence it is the mode of choice for many medical centers and pharmaceutical companies (Rosen & Kwoh, 2007). Their target audience is prescribers, for recruitment, surveys, product messages and webinars. Most of the companies that offer these services store physician email addresses in a physician database. Most of these databases contain phone numbers, which are verified after a period of time such as 6 months.
A company like SK&A has a unique verification process which offers a guarantee of monitoring its database, ensuring that its clients receive the best physician email list. When it adds a new record or updates its database, the record is phone verified at the source by its Research Center. Most commercial email databases get their physician emails through list compilation and web harvesting. With a company like SK&A, the features and benefits of having access to physician email include being able to select the audience by type, specialty, geography, type of practice or other profiling criteria. Deliverability is also assured because the database is updated regularly, and the service is affordable since there is no need to pay for printing, postage or paper.
Unlike other forms of media such as television and print, email can narrowly target all types of physicians in any quantity. When purchasing a physician list, there are some considerations to take into account. One consideration is the need to narrow the audience, which email marketing makes possible. It has the advantage of letting you choose exactly what you want without including any unwanted contacts. Name quality is another consideration, since it is important to reach an actual practitioner. List licensing is also important, hence you should organize your email campaign to know the level of usage that you will require. Pricing is another important consideration, so you need to determine the scope of the audience by choosing a quantity of physician email addresses (Hobbs et al, 2003).
As technology advances, it presents great opportunities that assist in improving access to and quality of health care. Technology has made it possible to come up with digital medicine that is more experimental, more effective, more widely distributed, more precise and more egalitarian than current medical practice. Digital medicine can be described as the convergence of computer-assisted molecular and cellular diagnosis, artificial intelligence and computerized clinical decision support, wireless and mobile computer applications, telemedicine and broadband internet connectivity. It can be said that old medicine has been destroyed by the convergence of wireless sensors, social networking, mobile connectivity and bandwidth, and cloud computing, which has brought about new medicine (Graschew et al, 2006). With digital medicine, it is envisioned that patients will be able to monitor their wellness and health by using digitized information.
Digital medicine will bring about a transformation in the patient-doctor relationship. Physicians will be largely replaced by artificial intelligence as the captains of the health care system. This will bring about equality between physicians and patients when it comes to accessing medical knowledge. Unlike the present approach to medicine, which is to diagnose and treat, the new approach promotes prediction and prevention. It concentrates on managing chronic diseases rather than outright cure. This brings out the meaning of health, which is a state of mental, physical, and social well-being and not just the absence of disease (West & Miller, 2009).
The use of smartphones is another form of digital medicine. It helps in detecting changes in a patient’s normal routine of activity and communication, and in that way it may show worsening or a relapse of a chronic condition. Teenagers are also being involved in monitoring their health through texting, blogs and social media sites like Twitter and Facebook. In this new digital medicine era, the function of imaging and pathology is being transformed by the falling cost of computing and the development of miniaturization techniques including nanotechnology (Graschew et al, 2006). During heart surgery, the heartbeat is rendered in high-resolution images through computer analysis of data from three-dimensional transesophageal echocardiography. This has made it possible for replacement heart valves to be inserted by catheter instead of open heart surgery.
In most healthcare facilities, disaster recovery has not been given priority in healthcare IT budgets. Due to budget constraints, it has become really hard for healthcare organizations to invest in redundant data centers. This is attributed to its direct effect on patient care or its little return on investment. Among healthcare clients, disaster recovery plans are found to be either non-existent, outdated or unable to provide sufficient solutions to recover data and resume business in case disaster strikes. However, disaster recovery planning is now being taken seriously because most healthcare facilities are embracing new technologies. Electronic health records and medical imaging are generating unprecedented amounts of data, which creates an impediment to recovery, storage and security. For healthcare organizations to maintain their patients, they must reassess the current gaps and risks in their data recovery planning (Eisenman et al, 2007).
Healthcare IT executives are facing challenges in adopting electronic health records and other new applications because these create large amounts of data which need to be retrieved in real time. Because the data could be of great importance or urgency to a patient, downtime is not considered an option. Another factor driving the adoption of disaster recovery is the enforcement of HIPAA security requirements (Eisenman et al, 2007). A further driving factor is that the risk of cyber-attacks and data breaches is on the rise, which is attributed to the sharp rise in technology adoption. Due to the changing healthcare landscape, there is a need for comprehensive disaster recovery planning. Long gone are the days when a disaster recovery manual sat unused, waiting only to meet compliance obligations.
Cybersecurity systems in healthcare organizations are lax when compared to other sectors, and this makes them vulnerable to attacks by hackers. Hackers attack them in order to search for health insurance data and Americans’ personal medical records. Hackers are more intent on hacking health data because it is far more valuable on the black market than credit card numbers. Health data contains details that can allow hackers to obtain prescriptions for controlled substances or access bank accounts. The financial and retail sectors are more resilient to cyber intrusions than the healthcare industry, therefore increased cyber intrusions in healthcare are more likely (Shou, 2012).
There is a high demand for medical information on criminal marketplaces partly because it takes a long time for the victims to know that their information has been stolen and report it. Another reason why medical information is targeted is because of the different ways the information can be used. Also, some criminals use the medical records to obtain prescriptions for controlled substances and other criminals are purely interested in using the information that they obtain for financial fraud. The medical information can be used for illegal and bogus treatment by billing the victims’ health plan for inflated or fake treatment claims. The medical information thieves who do not have their own health coverage use this information to obtain free treatment, courtesy of the victims’ policy (Shou, 2012).
With regard to accessing health data, a large majority of the public have great concern about the handling and privacy of their personal health information. The biggest concern is the secondary use of the data, outside the direct-care setting. The general belief is that current organizational practices and laws do not provide enough privacy protection. The fact that we are transitioning from paper and part-electronic records to electronic health records opens some valuable public-good health research possibilities. However, this is a make-or-break issue for whether large-scale health data research through electronic transmission and communication will work for the greater good. Privacy is not an absolute but rather a matter of balance and judgment, so we need new legislation, since many people see HIPAA as outdated. There is a need for excellent models of voluntary patient-controlled privacy policies. There is also a need for independent health privacy compliance audits and verification processes.
When technological devices are used to store health data, there is a need for a password or other user authentication. Installing and enabling encryption is another way of making sure that health information sent from and stored on mobile devices is safe. Mobile devices should also have remote disabling and/or wiping features. Remote wiping permanently erases the data on a device remotely when the device is lost or stolen.
A personal firewall is also an important feature that protects against unauthorized connections. Information can be intercepted through public Wi-Fi networks so there should be enough security to receive or send health information over public Wi-Fi networks. Installing and enabling security software protects against malicious spyware, viruses and applications. The software installed should always be kept up to date. Before you download an app, you should research about it first and verify that it only performs the functions you approve of.
There is a widening gap among customers between their unmet needs and the system’s performance. There has, however, been a major change in how consumers’ behaviors and attitudes intersect with the healthcare system. Consumers’ satisfaction with elements of the healthcare system tends to vary consistently: they are less satisfied with hospital care and health plans, and more satisfied with primary care services. The key issues that most consumers pay attention to are cost, access, and value. Consumers are more interested in better and more choices as health care consumerism grows. Some of these services include retail clinics and customizable health plans. Most consumers relate to healthcare on a personal basis, and their understanding of the health care system is based on their personal experiences. This leads them to hold strong opinions about its performance. Consumers are hoping for lower costs in primary care and improved quality of the healthcare system overall.
Physicians’ use and adoption of email enhances communication and improves patient outcomes and quality of care, though it remains low. Most patients are willing to communicate with their physicians via email. Physicians are worried about barriers such as work overload, increased medical liability and maintaining data privacy and security. Routine use of email is low across practice settings, so physicians might not read an email in time. Physician email has also not been adopted in many areas because of physicians’ concerns, such as its impact on quality of care.
Information technology almost never works correctly when used for the first time, and the best way to use it is by fiddling with it and modifying it until it meets one’s needs. There is no need to let healthcare applications of IT lag a decade or two behind the adoption rate in other industries. The price has been paid in paperwork burdens, unresponsive or delayed decision making and a consumer-unfriendly healthcare experience. A more responsive, intelligent and safer health system can be achieved by raising collective expectations of how the health system performs. It is not enough just to have the technology; what matters is the thoughtful application of these powerful new tools. These tools can create a better healthcare experience and improved health.
When it comes to disaster recovery, each healthcare organization chooses its own option depending on the benefit/cost and the critical nature of the application. Most hospitals prefer to build their own backup centers, at great cost, to maintain control and compliance. These data centers seem to be overwhelmed with more data than the hospital data centers can hold. This brings up the option of outsourcing the work to third-party data centers, which have advantages such as advanced physical security, cost savings and compliance.
When looking for data center hosting companies, healthcare organizations should consider several factors. First, the company should be compliant with the HIPAA security requirements. It should also have personnel trained in the security and protection of EPHI. Data centers should prioritize security by providing multiple layers of physical security such as mantraps, biometrics, and video monitoring. There is a need for a comprehensive data recovery strategy due to technological, regulatory, and environmental factors. The risks and consequences of failing to have plans in place to recover data in case of a cyber-attack or natural disaster are too great to ignore.
To counter cyber-attacks, precautions should be put in place to ensure that health data is safe and secure. The first step is having a strong password and making sure that it is changed regularly. The machines used should also have anti-virus software installed, which should always be kept up to date. Without this, data might be destroyed or stolen, giving the attackers control of the machine. Healthcare organizations or third-party data centers that transmit health information should control access to protected health information. This prevents anyone who is not cleared to access certain information from doing so. The parties that handle health information should also be prepared for the unexpected. This is done by having a sound recovery plan and creating backups.
Ammenwerth, E., Gräber, S., Herrmann, G., Bürkle, T., & König, J. (2003). Evaluation of health information systems—problems and challenges. International journal of medical informatics, 71(2), 125-135.
Armstrong, M. P., Rushton, G., & Zimmerman, D. L. (1999). Geographically masking health data to preserve confidentiality. Statistics in medicine, 18(5), 497-525.
Centers For Disease Control and Prevention. (2003). HIPAA privacy rule and public health. Guidance from CDC and the US Department of Health and Human Services. MMWR: Morbidity and Mortality Weekly Report, 52(Suppl. 1), 1-17.
Clarke, M., Bogia, D., Hassing, K., Steubesand, L., Chan, T., & Ayyagari, D. (2007, August). Developing a standard for personal health devices based on 11073. In Engineering in Medicine and Biology Society, 2007. EMBS 2007. 29th Annual International Conference of the IEEE (pp. 6174-6176). IEEE.
Eisenman, D. P., Cordasco, K. M., Asch, S., Golden, J. F., & Glik, D. (2007). Disaster planning and risk communication with vulnerable communities: lessons from Hurricane Katrina. American Journal of Public Health, 97(Supplement_1), S109-S115.
Graschew, G., Roelofs, T. A., Rakowsky, S., Schlag, P. M., Heinzlreiter, P., Kranzlmuller, D., & Volkert, J. (2006). Virtual Hospital and Digital Medicine-Why is the GRID needed?. Studies in health technology and informatics, 120, 295.
Hobbs, J., Wald, J., Jagannath, Y. S., Kittler, A., Pizziferri, L., Volk, L. A., ... & Bates, D. W. (2003). Opportunities to enhance patient and physician e-mail contact. International journal of medical informatics, 70(1), 1-9.
Kizer, K. W. (2001). Establishing health care performance standards in an era of consumerism. JAMA, 286(10), 1213-1217.
Rosen, P., & Kwoh, C. K. (2007). Patient-physician e-mail: an opportunity to transform pediatric health care delivery. Pediatrics, 120(4), 701-706.
Shou, D. (2012). Ethical considerations of sharing data for cybersecurity research. In Financial Cryptography and Data Security (pp. 169-177). Springer Berlin Heidelberg.
West, D. M., & Miller, E. A. (2009). Digital medicine: Health care in the Internet era (p. 4). Washington, DC: Brookings Institution Press.