Medical Records Security Paper
Medical Records Security Paper
In my paper, I am going to explain technology threats that an organization might face with having medical records put on a database.
I am also going to explain the information that will be protected in medical records on the database. I will also go over all the latest security measures available to help keep these databases threat free so the medical records will be safe on the computer. I will also explain what I would do to help keep my organizations medical records secure.When an organization has a staff ratio of one person to 100 people that can lead the organization to big trouble as far as following rules and procedures that need to be followed as far as following important rules like patient privacy and security. Having a staff ratio that small can lead to short cuts by staff to get things done faster and that can lead to mess ups like pulling up someone else’s medical record or giving someone the wrong prescription. That is why it is so important to make sure the staff to patient ratio is adequate to meet all the needs of the organization.If the staff to patient ratio is adequate staff will slow down and do things right because if they do not they will be in a lot of trouble.Medical Records Security Paper
There are a number of threats that effect organizations that maintain electronic medical records [ (Jeanty, 2010) ]. These threats come from both internal and external sources and from both those with malicious and maligned intent. The potential exists that individuals with malicious intent have the potential to attempt to access the records, and there exists the potential for records to be accessed/changed unintentionally.There are a number of different threats that can happen on a database an example would be a virus or a bug. Organizations need to be careful about these sorts of things and get software for their computers to keep their databases free of these parasites. Especially if they have people’s medical records on their computers. The major concern with medical records in the electronic realm is the protection of a patient’s privacy and confidentiality [ (U.
S. Department of Health and Human Services) ]. The privacy of documents on digital format is always vulnerable to threat.Luckily, today’s electronic medical record programs come with built in security measures such as passwords, firewalls and various other security functions. What is especially important in the arena of medical records is the integrity of the respective medical record. Errors in a medical record could be fatal. The likelihood of errors could also increase when many people have the ability to enter data into a record.
Therefore, who has access and the control of access to the medical records is imperative. That is why only doctors should have access to their patient’s records because they are the ones treating them.That way only one person will have access to medical records and not a whole bunch of people. That will help minimize errors on medical records. In regards to information maintained in medical records that needs to be protected, the utmost importance is the patient’s personal information to include their SSN, and other personal information. However, the patient medical information is important to protect as well. In a large sense, it is important to protect the confidentiality of the patient medical history, but more importantly, it is important to protect the integrity of the data.Medical Records Security Paper
In order to keep my organizations medical records secure I would have the necessary software to keep my database running smooth. I would also have security measures put in place on the database as passwords put on in order to access patient records. I would also only have doctor’s access medical records because they are the ones that treat the patients and they are the ones that should have access to them not everyone else. That will help minimize all problems associated with medical record privacy. Conclusion Protecting a patient’s medical records is the most important thing that n organization must do for the patient. Patients medical records represent who they are, organizations must understand that, and live up to all the Hipaa rules that are put in place to protect people from patient invasion of privacy. Think about it how would you like it if people were invading your privacy by looking at your medical records when you did not want them to.
References Jeanty, J. (2010, August 10). HIPAA Rules That Affect Technology. Retrieved from www. ehow. com. U.
S. Department of Health and Human Services. (n. d. ). Regulations. Retrieved from www.hhs. gov.
Assignment 1
Unauthorized access of data, networks, applications and devices by bypassing the underlying security mechanism entails a security breach. In a patient-physician relationship, privacy is the key principle. Patients may refuse to reveal significant information to the physician if disclosure may lead to stigma and discrimination. Medical health records have a range of purposes apart from diagnosis and treatment. A good example is that such information is utilized in improving the health care system efficiency, development of public policy and in conducting medical research. Such information is also shared with payer organization such as insurance companies (Huston, 2001). The information should only be shared with the full consent of the patient. However, the consent requirement should not hinder medical research though proper procedures need be developed to solve this procedural problem.
All healthcare information shared with any organization should be used for the primary purpose only and privacy should be maintained. In addition, the electronic systems used in the sharing and storage of health care information should be well protected with firewalls and other security applications (Win, 2005). Other web-based platforms for the exchange of information should be secure and confidential. However, this will only happen if patients manage their data effectively.
Threats to privacy are categorized into two categories, which include organizational threats and systemic threats. Organizational threats arise when an external or internal agent exploits system vulnerability and accesses patient’s data. Systemic threats mostly occur from inside the information flow by people who are legally allowed to access the health care information. Insurance companies should always take measures to ensure that patient’s privacy and confidentiality is maintained. It is important to regularly conduct security risk assessment to uncover any system vulnerabilities.
Assignment 2
Security Breaches in Healthcare Insurance
A security breach entails the unauthorized access of data, networks, applications and devices by bypassing the underlying security mechanism. This usually occurs when an application or individual illegally accesses a private and confidential IT perimeter. A security breach is the first stage of a security attack usually by a trespasser such as a cracker, hacker or a reprehensible application. A security breach is deemed to have occurred if any of the procedures, system or security policies are violated. In many organizations, security breach is carefully monitored for quick identification and mitigation. The whole process of monitoring to mitigation is done by a firewall of software. When a potential breach is identified, the firewall or software sends a message to the security administrator. Health insurance companies hold the medical data of their clients mostly in digital form. Such data is prone to a security breach. Some of the reasons why anyone would want to steal medical data are for blackmail, identity theft, activism and fraud among others.Medical Records Security Paper
Health information privacy and security background
In a patient-physician relationship, privacy is viewed as the key principle. To enable correct diagnosis and treatment, patients are required to share their personal information with the physician. However, in cases where disclosure may lead to stigma and discrimination, patients may refuse to reveal significant information to the doctor. Over the years, a patient’s health care information records accumulates important personal information such as identification, habits, genetic information, medication history, sexual preference, employment history, psychological profiles, income history and assessment of mental and personality state.
Medical health records have a range of purposes apart from diagnosis and treatment. A good example is that such information is utilized in improving the healthcare system efficiency, development of public policy and in conducting medical research. Medical records are shared with the payer organizations such as insurance companies, Medicaid, Medicare and social insurance in justifying payment of rendered services. Healthcare providers can also use the information in the management of their operations and improving service quality (Appari & Johnson, 2010).
Health Information Systems: Past and Present
To understand the complexities of the emerging electronic health record system, it is helpful to know what the health information system has been, is now, and needs to become. The medical record, either paper-based or electronic, is a communication tool that supports clinical decision making, coordination of services, evaluation of the quality and efficacy of care, research, legal protection, education, and accreditation and regulatory processes. It is the business record of the health care system, documented in the normal course of its activities. The documentation must be authenticated and, if it is handwritten, the entries must be legible.
In the past, the medical record was a paper repository of information that was reviewed or used for clinical, research, administrative, and financial purposes. It was severely limited in terms of accessibility, available to only one user at a time. The paper-based record was updated manually, resulting in delays for record completion that lasted anywhere from 1 to 6 months or more. Most medical record departments were housed in institutions’ basements because the weight of the paper precluded other locations. The physician was in control of the care and documentation processes and authorized the release of information. Patients rarely viewed their medical records.
A second limitation of the paper-based medical record was the lack of security. Access was controlled by doors, locks, identification cards, and tedious sign-out procedures for authorized users. Unauthorized access to patient information triggered no alerts, nor was it known what information had been viewed.
Today, the primary purpose of the documentation remains the same—support of patient care. Clinical documentation is often scanned into an electronic system immediately and is typically completed by the time the patient is discharged. Record completion times must meet accrediting and regulatory requirements. The electronic health record is interactive, and there are many stakeholders, reviewers, and users of the documentation. Because the government is increasingly involved with funding health care, agencies actively review documentation of care.
The electronic health record (ERC) can be viewed by many simultaneously and utilizes a host of information technology tools. Patients routinely review their electronic medical records and are keeping personal health records (PHR), which contain clinical documentation about their diagnoses (from the physician or health care websites).
The physician, practice, or organization is the owner of the physical medical record because it is its business record and property, and the patient owns the information in the record [1]. Although the record belongs to the facility or doctor, it is truly the patient’s information; the Office of the National Coordinator for Health Information Technology refers to the health record as “not just a collection of data that you are guarding—it’s a life” [2]. There are three major ethical priorities for electronic health records: privacy and confidentiality, security, and data integrity and availability.
Privacy and Confidentiality
Justices Warren and Brandeis define privacy as the right “to be let alone” [3]. According to Richard Rognehaugh, it is “the right of individuals to keep information about themselves from being disclosed to others; the claim of individuals to be let alone, from surveillance or interference from other individuals, organizations or the government” [4]. The information that is shared as a result of a clinical relationship is considered confidential and must be protected [5]. The information can take various forms (including identification data, diagnoses, treatment and progress notes, and laboratory results) and can be stored in multiple media (e.g., paper, video, electronic files). Information from which the identity of the patient cannot be ascertained—for example, the number of patients with prostate cancer in a given hospital—is not in this category [6].Medical Records Security Paper
Patient information should be released to others only with the patient’s permission or as allowed by law. This is not, however, to say that physicians cannot gain access to patient information. Information can be released for treatment, payment, or administrative purposes without a patient’s authorization. The patient, too, has federal, state, and legal rights to view, obtain a copy of, and amend information in his or her health record.
The key to preserving confidentiality is making sure that only authorized individuals have access to information. The process of controlling access—limiting who can see what—begins with authorizing users. In a physician practice, for example, the practice administrator identifies the users, determines what level of information is needed, and assigns usernames and passwords. Basic standards for passwords include requiring that they be changed at set intervals, setting a minimum number of characters, and prohibiting the reuse of passwords. Many organizations and physician practices take a two-tier approach to authentication, adding a biometrics identifier scan, such as palm, finger, retina, or face recognition.
The user’s access is based on preestablished, role-based privileges. In a physician practice, the nurse and the receptionist, for example, have very different tasks and responsibilities; therefore, they do not have access to the same information. Hence, designating user privileges is a critical aspect of medical record security: all users have access to the information they need to fulfill their roles and responsibilities, and they must know that they are accountable for use or misuse of the information they view and change [7].
Under the HIPAA Privacy and Security Rules, employers are held accountable for the actions of their employees. In 2011, employees of the UCLA health system were found to have had access to celebrities’ records without proper authorization [8]. UCLA failed to “implement security measures sufficient to reduce the risks of impermissible access to electronic protected health information by unauthorized users to a reasonable and appropriate level” [9]. The health system agreed to settle privacy and security violations with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) for $865,000 [10]. Controlling access to health information is essential but not sufficient for protecting confidentiality; additional security measures such as extensive training and strong privacy and security policies and procedures are essential to securing patient information.
Security
The National Institute of Standards and Technology (NIST), the federal agency responsible for developing information security guidelines, defines information security as the preservation of data confidentiality, integrity, availability (commonly referred to as the “CIA” triad) [11]. Not only does the NIST provide guidance on securing data, but federal legislations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act mandate doing so. Violating these regulations has serious consequences, including criminal and civil penalties for clinicians and organizations.
The increasing concern over the security of health information stems from the rise of EHRs, increased use of mobile devices such as the smartphone, medical identity theft, and the widely anticipated exchange of data between and among organizations, clinicians, federal agencies, and patients. If patients’ trust is undermined, they may not be forthright with the physician. For the patient to trust the clinician, records in the office must be protected. Medical staff must be aware of the security measures needed to protect their patient data and the data within their practices.
A recent survey found that 73 percent of physicians text other physicians about work [12]. How to keep the information in these exchanges secure is a major concern. There is no way to control what information is being transmitted, the level of detail, whether communications are being intercepted by others, what images are being shared, or whether the mobile device is encrypted or secure. Mobile devices are largely designed for individual use and were not intended for centralized management by an information technology (IT) department [13]. Computer workstations are rarely lost, but mobile devices can easily be misplaced, damaged, or stolen. Encrypting mobile devices that are used to transmit confidential information is of the utmost importance.Medical Records Security Paper
Another potential threat is that data can be hacked, manipulated, or destroyed by internal or external users, so security measures and ongoing educational programs must include all users. Some security measures that protect data integrity include firewalls, antivirus software, and intrusion detection software. Regardless of the type of measure used, a full security program must be in place to maintain the integrity of the data, and a system of audit trails must be operational.
Providers and organizations must formally designate a security officer to work with a team of health information technology experts who can inventory the system’s users, and technologies; identify the security weaknesses and threats; assign a risk or likelihood of security concerns in the organization; and address them. The responsibilities for privacy and security can be assigned to a member of the physician office staff or can be outsourced.
Audit trails. With the advent of audit trail programs, organizations can precisely monitor who has had access to patient information.
Audit trails track all system activity, generating date and time stamps for entries; detailed listings of what was viewed, for how long, and by whom; and logs of all modifications to electronic health records [14]. Administrators can even detail what reports were printed, the number of screen shots taken, or the exact location and computer used to submit a request. Alerts are often set to flag suspicious or unusual activity, such as reviewing information on a patient one is not treating or attempting to access information one is not authorized to view, and administrators have the ability to pull reports on specific users or user groups to review and chronicle their activity. Software companies are developing programs that automate this process. End users should be mindful that, unlike paper record activity, all EHR activity can be traced based on the login credentials. Audit trails do not prevent unintentional access or disclosure of information but can be used as a deterrent to ward off would-be violators.
The HIPAA Security Rule requires organizations to conduct audit trails [12], requiring that they document information systems activity [15] and have the hardware, software, and procedures to record and examine activity in systems that contain protected health information [16]. In addition, the HITECH Act of 2009 requires health care organizations to watch for breaches of personal health information from both internal and external sources. As part of the meaningful use requirements for EHRs, an organization must be able to track record actions and generate an audit trail in order to qualify for incentive payments from Medicare and Medicaid. HIPAA requires that audit logs be maintained for a minimum of 6 years [13]. As with all regulations, organizations should refer to federal and state laws, which may supersede the 6-year minimum.
Integrity and Availability
In addition to the importance of privacy, confidentiality, and security, the EHR system must address the integrity and availability of information.
Integrity. Integrity assures that the data is accurate and has not been changed. This is a broad term for an important concept in the electronic environment because data exchange between systems is becoming common in the health care industry. Data may be collected and used in many systems throughout an organization and across the continuum of care in ambulatory practices, hospitals, rehabilitation centers, and so forth. This data can be manipulated intentionally or unintentionally as it moves between and among systems.
Poor data integrity can also result from documentation errors, or poor documentation integrity. A simple example of poor documentation integrity occurs when a pulse of 74 is unintentionally recorded as 47. Whereas there is virtually no way to identify this error in a manual system, the electronic health record has tools in place to alert the clinician that an abnormal result was entered.Medical Records Security Paper
Features of the electronic health record can allow data integrity to be compromised. Take, for example, the ability to copy and paste, or “clone,” content easily from one progress note to another. This practice saves time but is unacceptable because it increases risk for patients and liability for clinicians and organizations [14, 17]. Another potentially problematic feature is the drop-down menu. Drop-down menus may limit choices (e.g., of diagnosis) so that the clinician cannot accurately record what has been identified, and the need to choose quickly may lead to errors. Clinicians and vendors have been working to resolve software problems such as screen design and drop-down menus to make EHRs both user-friendly and accurate [17].
Availability. If the system is hacked or becomes overloaded with requests, the information may become unusable. To ensure availability, electronic health record systems often have redundant components, known as fault-tolerance systems, so if one component fails or is experiencing problems the system will switch to a backup component.
The Future
Some who are reading this article will lead work on clinical teams that provide direct patient care. Some will earn board certification in clinical informatics. Others will be key leaders in building the health information exchanges across the country, working with governmental agencies, and creating the needed software. Regardless of one’s role, everyone will need the assistance of the computer.
Medical practice is increasingly information-intensive. The combination of physicians’ expertise, data, and decision support tools will improve the quality of care. Physicians will be evaluated on both clinical and technological competence. Information technology can support the physician decision-making process with clinical decision support tools that rely on internal and external data and information. It will be essential for physicians and the entire clinical team to be able to trust the data for patient care and decision making. Creating useful electronic health record systems will require the expertise of physicians and other clinicians, information management and technology professionals, ethicists, administrative personnel, and patients.Medical Records Security Paper