Security of Computerized Patient Record

Overview of Computerized Patient Record

Computer and information technology has given us a new way to store vast amounts of information without requiring huge physical storage space. It offers the convenience of letting multiple people access information at the same time and from different locations. To keep up with the complexity of managing patients’ health-related information, the healthcare industry started to computerize the information over a decade ago. From 1984 to 1994, the number of healthcare related transactions increased from 5 percent to 36 percent.[1]

A Computerized Patient Record (CPR) is a comprehensive database system used to store and access patients’ healthcare information. The Computer-based Patient Record Institute (CPRI) defines a CPR as “electronically maintained information about an individual's lifetime health status and healthcare. The computer-based patient record replaces the paper medical record as the primary source of information for healthcare meeting all clinical, legal, and administrative requirements. It is seen as a virtual compilation of non-redundant health data about a person across a lifetime, including facts, observations, interpretations, plans, actions and outcomes. The CPR is supported by a system that captures, stores, processes, communicates, secures and presents information from multiple disparate locations as required.” [2]

CPR is used widely today in hospitals, nursing facilities, home healthcare, clinics, laboratory facilities, treatment centers, and physician offices. However, there are some disadvantages of CPR. These disadvantages include:

1) High initial setup cost.
2) Every error on the record can have a major impact because multiple people can access the record at once.
3) Failures in hardware or software can result in loss of information.

 

Some advantages of CPR include:

1) It is convenient.
2) It facilitates remote access.
3) The information is more organized and easier to read than in a paper patient record.
4) It allows simultaneous access.
5) It improves the efficiency of processes such as data collection, data management and data retrieval.

 

There are many issues pertaining to CPR. We primarily focus on security issues in this paper. A CPR system with adequate security measures will help to protect the privacy and confidentiality of the patients. For healthcare providers, the unauthorized use of information betrays the trust of patients and, as a result, patients may refuse to disclose important healthcare information for fear of unauthorized use of their information.

Background of Security Issue

Today, an increasing amount of healthcare information is being automated and it is estimated that more than 400 million electronic health care transactions take place yearly.[3]

The information stored on the CPR includes the patient’s personal information such as addresses, phone number, social security number, date and place of birth, marital status and religion; family background and their personal information; and the treatment, medication, and diagnosis history of the patient. Thus, misuse of such information can have a negative impact on the patients and their families.

Patient privacy and confidentiality were concerns long before patient records were computerized. However, computerization improves the accessibility of data and thus poses a bigger threat to patient privacy and confidentiality. In 1996, the Health Insurance Portability and Accountability Act was passed to establish security standards and safeguards for the electronic transmission of certain health information.[4]

 

Fortunately, it is possible to protect patient privacy and confidentiality in the CPR system through several security measures. Audit trails are commonly used to track authorized users who abuse the healthcare information stored on the CPR system. Every access and transaction made on the system is documented and logged.
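An added example, not part of the original paper or of any CPR product: a minimal audit trail in Python that records who accessed which record, when and from where, and chains each entry to the previous one with an HMAC so that a later edit or deletion inside the log is detectable. The chaining itself, the field names, the key and the sample entries are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real system keeps it outside the CPR database.
AUDIT_KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # value chained in front of the first entry


def _mac(prev_mac, entry):
    """HMAC-SHA256 over the previous entry's MAC plus this entry's fields."""
    body = json.dumps(entry, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, prev_mac.encode() + body, hashlib.sha256).hexdigest()


def log_access(trail, user, record_id, action, location, timestamp):
    """Append one access event, chained to the entry before it."""
    entry = {"user": user, "record_id": record_id, "action": action,
             "location": location, "timestamp": timestamp}
    prev = trail[-1]["mac"] if trail else GENESIS
    trail.append({**entry, "mac": _mac(prev, entry)})


def verify_trail(trail):
    """Return the index of the first entry that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, row in enumerate(trail):
        entry = {k: v for k, v in row.items() if k != "mac"}
        if not hmac.compare_digest(row["mac"], _mac(prev, entry)):
            return i
        prev = row["mac"]
    return -1


def accesses_to(trail, record_id):
    """List (user, action, timestamp, location) for every access to one record."""
    return [(r["user"], r["action"], r["timestamp"], r["location"])
            for r in trail if r["record_id"] == record_id]


def build_sample_trail():
    """Constructed sample events; users, record ids and locations are hypothetical."""
    trail = []
    log_access(trail, "dr_lee", "P-1001", "read", "ward-3-terminal", "2002-04-02T09:15:00")
    log_access(trail, "clerk_ray", "P-1001", "read", "billing-office", "2002-04-02T23:40:00")
    log_access(trail, "dr_lee", "P-1001", "update", "ward-3-terminal", "2002-04-03T10:05:00")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_trail(trail))
    trail[1]["user"] = "dr_lee"  # an insider rewrites who made the late-night access
    print("first bad entry after edit:", verify_trail(trail))
```

The chain detects edits and deletions inside the log; detecting removal of the most recent entries additionally requires storing the latest MAC somewhere the log's writers cannot change.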

 

Security of the system can be enhanced through authentication. Login procedures that require users to enter their passwords and user IDs serve as a minimum security procedure on most CPR systems. Higher levels of authentication, such as biometrics and smart cards, grant access when a user produces the card with an authorized password, fingerprint recognition, retinal scan or voice recognition. To ensure the integrity of data, the authentication of a user and the validity of content sent across a network, the Digital Signature Standard (DSS) is employed, using cryptography to prevent electronic signatures from being forged. Signatures are also checked against time and other electronically stamped information to verify that patient records have not been tampered with or altered.

 

Encryption systems and firewalls are used to protect data and internal networks such as an Intranet from potential security breaches whenever users access external networks such as the Internet or other wide area networks.

 

Hypothetical Case: A possible situation involving security issues with CPR

 

A software engineering consultant, Sam Simple, was hired to design a CPR system for a hospital. Each patient’s record in the database consists of a patient’s name, address, age, phone number, next of kin, name of parents, phone number, birth date and place, social security number, occupation, marital status, religion, military service, treatment history, family background, lifestyle information such as drug history and sexual preferences, diagnostic and testing information, and insurance information.

 

At the initial meeting held to discuss the project requirements, a hospital representative indicated to Simple that the hospital had conducted research on CPR systems prior to hiring him. Based on the report produced from that research, the hospital considered user authentication that verifies users’ ID and password at login to be sufficient for its system, as far as system security was concerned.

 

However, Simple learned from a study that 85 percent of the passwords on a typical computer system were guessable.[5] In addition to this, another study pointed out that authorized users (insiders), who accessed the patient’s healthcare information illegally, committed the majority of security break-ins. Simple felt that the hospital should at least include audit trails of all users who had previously accessed or updated patient records, including date and time stamps and location of access. This way if there were any security breaches, violators could be tracked down and held accountable for their actions.

 

As Simple was hired as an outside consultant, he was not in the position to make significant changes to the system requirements. On top of that, the representative of the hospital did not want Simple involved in the critical decision making for the project with the claim that their budget was limited, and Simple was paid by the hour. The more hours Simple worked, the more money the hospital would have to spend on developing the system. Nevertheless, Simple was concerned about the privacy and confidentiality of the patient record that would be stored on the system. He was not sure how to handle this situation and figured that he should acquire help to achieve this goal. Simple approached some colleagues for advice.

 

Discussion of Issues

Our evaluation process involves identifying the stakeholders and possible alternatives for Simple. As this case involves ethical issues that arise from the CPR application, we felt that it is appropriate to evaluate each alternative based on its impact on the stakeholders and using the Software Engineering Code of Ethics as a guide, to determine the best alternative.

 

The stakeholders identified in this case are Sam Simple, hospital, system users, patients, and their relatives.

 

In analyzing the case, the possible alternatives for Simple were considered:

 

1) Propose new requirements to improve the system’s security.
2) Cancel the project and blow the whistle.
3) Cancel the project without whistle blowing.
4) Comply with the client’s requirements and blow the whistle after the completion of the project.
5) Comply with the client’s requirements and finish the project without whistle blowing.

 

The first alternative that we recommend for Simple to consider is that of proposing new requirements for the CPR system. Certain information stored in the system is sensitive and can be used to cause personal and financial harm to the patients. For instance, a patient’s social security number can be used in committing identity theft. Identity theft involving financial institutions has a significant impact on the public. According to the first principle of the code, “software engineers shall act consistently with the public’s best interest.” Simple has the responsibility to protect the public from personal and financial harm. To do so, Simple needs to produce a more secure system in order to prevent the information stored on the database from unauthorized use.

 

However, additional security features do cost more money. As there is no guarantee that the additional security measures will better protect the CPR system, it might not be cost effective to include all the security features available. According to code 3.01, which advocates that software engineers “strive for high quality product at an acceptable cost,” Simple has the responsibility to make his client aware of the fact that an expensive system does not necessarily eliminate the security risk. In the case where the client declines his suggestion to equip the system with adequate security measures due to budget constraints, he might want to consider compromising his rate so that the project cost is within what the client can afford. This is consistent with the second principle of the code that “software engineers shall act in the best interests of their clients and employer, consistent with the public interest.”

 

In addition, a system without adequate security protection provides easier access to patients’ personal and medical information. Patients furnish the information to the hospital with the trust that the hospital will protect the information from unauthorized use. If patients were to find out otherwise, the hospital would be subject to a lawsuit for failing to protect the information provided by the patients. If Simple follows the second principle of the code, he will need to approach his client and provide them with appropriate evidence proving that a more secure system will do more good than harm. In the case that his client refuses to consider his suggestions, he should then consider whistle blowing.

 

In order to ensure that whistle blowing is appropriate, Simple must first try to communicate his concerns through the channels acceptable to his client. If this does not prompt his client to take the actions needed to ensure a more secure system, Simple will need to go outside the boundaries of his normal working channels to address the security issues. By doing so, Simple faces risks that might end his contract with the hospital and possibly his career as a software engineer. However, we agreed that Simple would be acting in a manner that conforms to the fourth principle of the code, which advocates that “software engineers shall maintain their integrity and independence in their professional judgment.”

 

The alternatives of canceling the project, with or without whistle blowing, are not considered consistent with code 4.01, which advocates that software engineers shall “temper all technical judgments by the need to support and maintain human values.” Canceling the project does not result in a better CPR system for the stakeholders involved. In fact, if the project is taken over by a consultant who is willing to comply with the client’s requirements, the patients’ privacy and confidentiality may be at risk due to inadequate security protection. In addition, Simple might forfeit all future opportunities of obtaining contracts not only with the hospital but also with other associated organizations, once word spreads that he is not a compliant worker. Nonetheless, these alternatives will prevent Simple from being held liable for any security issues due to inadequate security protection of the system.

 

Although the alternatives that comply with the client’s requirements do provide job security for Simple, we feel that Simple should not follow the original system proposed by the hospital because of the consequences of inadequate security protection. Complying with the client, in this case, is inconsistent with the sixth principle of the code that “software engineers shall advance the integrity and reputation of the profession consistent with the public.” If Simple does not follow the code, he is producing software that diminishes the privacy and confidentiality of the patients and thus the reputation of software engineers will suffer. Also, whistle blowing upon completion of the project does not convince other stakeholders that Simple is really concerned about the patient privacy and confidentiality.

 

Summary

 

We considered the impact of each alternative against the code and felt that the first alternative, approaching his client to improve system security, was the best option for Simple. Although this alternative was not free from risks, it reduced the chances of security breaches.

We also felt that Simple should act in the best interests of his client, employer and public. He should compromise his rate to accommodate the budget his client can afford, in the case where the project cost is the reason that his client does not want to improve the security of the CPR system.

As whistle blowing is an act that is sometimes viewed as not being in accordance with the client’s or employer’s best interest, we felt that Simple should not consider whistle blowing unless all attempts to fix the problems have been exhausted. Whistle blowing would do more harm than good to the stakeholders involved in this case because it does not necessarily help to produce a more secure system. Whistle blowing after the completion of the project is especially harmful to Simple’s reputation as an ethical software engineer, because it gives the impression that Simple is not really concerned about patient privacy and confidentiality.

Similarly, the alternative of canceling the project would not necessarily help to produce a more secure system. Hence, we felt that Simple should not consider this option.

 

Based on the code, we felt that Simple should not comply with his client at the expense of patients’ privacy and confidentiality.

List of References

Collmann, Jeff, Meissner, Marion C., Tohme, Walid G., Winchester, James, Mun, Seong K. (1997, February). Comparing the security risks of paper-based and computerized patient record systems: a case study of a renal dialysis telemedicine application. In Proceedings of Society of Photo-Optical Instrumentation Engineers (SPIE): Picture Archiving and Communications System (PACS): System Design and Evaluation, Newport Beach, CA. Retrieved April 04, 2002, from http://www.telemedicine.georgetown.edu/Phoenix/papers.htm

 

CPRI Work Group on CPR Description (WDES). (1995, May). Description of the Computer-Based Patient Record (CPR) and Computer- Based Patient Record system. Retrieved April 28, 2002, from http://www.cpri-host.org/resource/docs/hldd.html

 

Confidentiality: Ethical Topic in Medicine. (1999, February 22). Retrieved April 28, 2002, from University of Washington School of Medicine Web site: http://eduserv.hscer.washington.edu/bioethics/topics/confiden.html

 

Habel, Maureen, MA, RN. (n.d.). Documenting Patient Care, Part 2. Retrieved April 28, 2002, from http://www.nurseweek.com/ce/ce10a.html

 

Definition of Electronic Medical Record. (2000, November 10). Retrieved April 2, 2002 from American Medical Association Web site: http://www.ama-assn.org/ama/pub/category/2900.html

 

Garlock, Barbara B. (1997, July 18). Carolina begins to address health privacy. Retrieved  April 26, 2001, from The Business Journal Web site: http://triangle.bizjournals.com/triangle/stories/1997/07/21/smallb3.html

 

Goodman, Kenneth W., Ph.D.,Anderson, James G., Detmer, William M., Phillips, Beverley Kane, M.D. & Sabbatini, Renato E.(1997). Ethical Issues in Internetable Healthcare. Retrieved April 28, 2002, from http://www.amia.org/pubs/symposia/D004435.pdf

 

Gotterbarn, Donald, Miller, Keith, Rogerson, Simon, Executive Committee, IEEE-CS/ACM Joint Task Force on Software Engineering Ethics and Professional Practices. (1998, September 2). Software Engineering Code of Ethics and Professional Practice(version 5.2). Retrieved April 26, 2001, from ACM Web site: http://www.acm.org/serving/se/code.htm

 

Kibbe, David, MD, MBA, and Bard, Mark R., MHA, MBA. (1997). How Safe Are Computerized Patient Records?. Journal of  Family Practice Management, May 1997 Vol. 4 No. 5 . Retrieved April 2, 2002 from American Academy of Family Physicians Web site: http://cpmcnet.columbia.edu/dept/dental/Dental_Informatics/AOFC_Course/DI_Clinical/CPR.html

 

Khoury, Allan T. (1998). The Computerized Patient Record: Somewhere over the Rainbow? Effective Clinical Practice, October/November 1998:1:49-50. Retrieved April 28, 2002, from ACP-ASIM Web site: http://www.acponline.org/journals/ecp/octnov98/record.htm

 

Kowalsky, Christopher A. (n.d.). The Computerized Patient Record. Retrieved April 2, 2002, from http://journal.med.edu/v.3_n.3/5/v33cpr.htm

 

Ornstein, Steven M., MD, Jenkins, Ruth G., MS, & Edsall, Robert L. (1997). Computerized Patient Record Systems: A Survey of 28 Vendors. Journal of  Family Practice Management, November/December 1997. Retrieved April 28, 2002, from  http://www.aafp.org/fpm/971100fm/cprsystems.html

 

Protecting Privacy in Computerized Medical Information (office of Technology Assessment):Digest. (n.d.). Retrieved April 2, 2002 from The Health Law Resource Web site: http://www.netreach.net/~wmanning/otadig.htm

 

Retrieved April 02, 2000 from Website owned by The SmartDoctor® Electronic Medical Records/ Billing System by Intelligent Medical Systems, Inc. of Alpine, TX.: http://www.smartdr.com/whtpap.htm#security

The 1996 Health Insurance Portability and Accountability Act. (n.d.). Health privacy project. Retrieved April 28, 2002, from Georgetown University Web site: http://www.healthprivacy.org/usr_doc/34226.pdf

 

Thurston, Wilfreda E., Burgess, Michael M. & Adair, Carol E. (1999). Commentary: Ethical Issues in the Use of Computerized Databases for Epidemiologic and Other Health Research. Chronic Diseases in Canada, volume 20, No. 3, 1999. Retrieved April 28, 2002 from http://www.hc-sc.gc.ca/hpb/lcdc/publicat/cdic/cdic203/cd203d_e.html

 

What is a computerized patient record?.(n.d.). Retrieved April 02, 2002, from http://www.temple.edu/gisection/idealemr2001/sld002.htm

 

Copyright 2002 Josephine Leong and Shakario Damallie.

This case may be published without permission and at no cost as long as it carries the copyright notice.



[1] Kibbe, David, MD, MBA, and Bard, Mark R., MHA, MBA. (1997). How Safe Are Computerized Patient Records?. Journal of  Family Practice Management, May 1997 Vol. 4 No. 5 . Retrieved April 2, 2002 from American Academy of Family Physicians Web site: http://cpmcnet.columbia.edu/dept/dental/Dental_Informatics/AOFC_Course/DI_Clinical/CPR.html

 

[2] Definition of Electronic Medical Record. (2000, November 10). Retrieved April 02, 2002 from American Medical Association Web site: http://www.ama-assn.org/ama/pub/category/2900.html

 

 

[3] Kibbe, David, MD, MBA, and Bard, Mark R., MHA, MBA. (1997). How Safe Are Computerized Patient Records?. Journal of  Family Practice Management, May 1997 Vol. 4 No. 5 . Retrieved April 2, 2002 from American Academy of Family Physicians Web site: http://cpmcnet.columbia.edu/dept/dental/Dental_Informatics/AOFC_Course/DI_Clinical/CPR.html

 

[4] The 1996 Health Insurance Portability and Accountability Act. (n.d.). Health privacy project. Retrieved April 28, 2002, from Georgetown University Web site: http://www.healthprivacy.org/usr_doc/34226.pdf

 

[5] Kibbe, David, MD, MBA, and Bard, Mark R., MHA, MBA. (1997). How Safe Are Computerized Patient Records?. Journal of  Family Practice Management, May 1997 Vol. 4 No. 5 . Retrieved April 2, 2002 from American Academy of Family Physicians Web site: http://cpmcnet.columbia.edu/dept/dental/Dental_Informatics/AOFC_Course/DI_Clinical/CPR.html