Abstract
This chapter reports the authors’ experiences regarding security of the electronic medical record (EMR). Although the EMR objectives are to support shared care and healthcare professionals’ workflow, there are some barriers that prevent its successful use. These barriers comprise not only costs, regarding resources and time, but also patient / health professional relations, ICT (information and communication technologies) education as well as security issues. It is very difficult to evaluate EMR systems; however some studies already made show problems regarding usability and proper healthcare workflow modeling. Legislation to guide the protection of health information systems is also very difficult to implement in practice. This chapter shows that access control, as a part of an EMR, can be a key to minimize some of its barriers, if the means to design, develop and evaluate access control are closer to users’ needs and workflow complexity.
TopIntroduction
Healthcare is information and knowledge driven. Good healthcare depends on taking decisions at the right time and place, according to the right patient data and applicable knowledge (Friedman C and Wyatt J, 2006). Communication is of most relevance in today’s healthcare settings, as health related activities, such as delivery of care, research and management, depend on information sharing and teamwork (Coiera, 2003).
Providing high-quality health care services is an information-dependent process. Indeed, the practice of medicine has been described as being dominated by how well information is processed or reprocessed, retrieved, and communicated (Barnett, 1990). An estimated 35 to 39 percent of total hospital operating costs has been associated with patient and professional communication activities (Richart, 1970). Physicians spend over a quarter (Commission, 1995, Mamlin and Baker, 1973) and nurses half (Korpman and Lincoln, 1998) of their time writing up patients’ charts.
Patient records exist to memorize and communicate the data regarding a particular individual and to help deliver care to him or her. Records are not only an information system but also a communication system, to enable communication between different health professionals and between the past and present (Dick and Steen, 1997, Nygren et al., 1998). Patient records, the patient and published evidence are the three sources needed for the practice of evidence-based medicine (Friedman C and Wyatt J, 2006).
After decades of development of information systems, designed primarily for physicians and other healthcare managers and professionals, there is an increasing interest in reaching consumers and patients directly through computers and telecommunication systems (Chuva Mt et al., 2006). Consumer health informatics is designed to empower consumers by putting health information into their hands, including information on their own health, such as diagnoses, lab results, personal risk factors and prescribed drugs. All this information requires strong security means.
Information security is usually defined by three main characteristics (Cen/Tc251), (Harris S, 2003): confidentiality – the prevention of unauthorized disclosure of the information; integrity – the prevention of unauthorized modification of the information; availability – the prevention of unauthorized withholding of the information. Confidentiality is often used interchangeably with privacy but they are not exactly the same. Privacy is the right of an individual to not have their private information exposed (and this is usually enforceable by law), whilst confidentiality is limiting access to information to authorised individuals only.
The complexity of building secure information systems relates mainly to three fundamental and competing factors: the complexity of the security technology itself; the difficulty of classifying the information that is to be protected; and the use of the technology by humans (usually the most problematic factor (Schneier B, 2004)). Other important but secondary competing factors are: protecting information from unauthorised access whilst needing to be able to access it for audit or law enforcement purposes; and making it easy for an authorised user to gain access to the information but complex for an unauthorised user to do the same.
Key Terms in this Chapter
EMR: Electronic medical record (EMR) is a medical record in digital format. A Medical record is a systematic documentation of a patient’s medical history and care. The term ‘Medical record’ is used both for the physical folder for each individual patient and for the body of information which comprises the total of each patient’s health history. Although medical records are traditionally compiled and stored by health care providers, personal health records maintained by individual patients have become more popular in recent years.
Access Control: Set of security features that control how users and systems communicate and interact with other systems and resources. They protect systems and resources from unauthorized access and can be a component that participates in defining the level of authorisation after an authentication is successful. Access control is extremely important because is one of the 1st lines of defence used to fight against unauthorized access to systems and network resources. Shon Harris, CISSP. All in one CISSP Certification. MCGrawHill, Osbourne, 2003.
Information Security: Is the process of protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption. This means protecting the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.
Medical Informatics: The rapidly developing scientific field that deals with biomedical information, data, and knowledge - their storage, retrieval, and optimal use for problem solving and decision making. The emergence of this new discipline has been attributed to “advances in computing and communications technology, to an increasing awareness that the knowledge base of medicine is essentially unmanageable by traditional paper-based methods, and to a growing conviction that the process of informed decision making is as important to modern biomedicine as is the collection of facts on which clinical decisions or research plans are made.” Edward Shortliffe, M.D., Ph.D. What is medical informatics? Stanford University, 1995.
IS: An information system (IS) is a system, automated or manual, that comprises people, machines, and/or methods organized to collect, process, transmit and disseminate data that represent user information.