Medical Record Privacy: Is it a Façade?

Aubrey Baker Abstract

Virginia Tech Part of the job of healthcare providers is to manage
250 Durham Hall patient information. Most is routine, but some is
Blacksburg, VA 24060 USA sensitive. For these reasons physicians’ offices provide
AABaker@VT.edu a rich environment for understanding complex,
sensitive information management issues as they
Laurian Vega pertain to privacy and security. In this paper we
Virginia Tech present findings from interviews and observations of 15
2202 Kraft Drive offices in rural-serving southwest Virginia. Our work
Blacksburg, VA 24060 USA demonstrates how the current socio-technical system
Laurian@VT.edu fails to meet the security needs of the patient. In
particular, we found that the tensions between work
Tom DeHart practice and security, and between electronic and paper
Virginia Tech records resulted in insecure management of files.
2202 Kraft Drive
Blacksburg, VA 24060 USA Keywords
TDeHart@VT.edu Healthcare, security, usable security, privacy, work
practice
Steve Harrison
Virginia Tech ACM Classification Keywords
2202 Kraft Drive H.5.3 [Information Systems] Group and Organization
Blacksburg, VA 24060 USA Interfaces
SRH@VT.edu
General Terms
Human factors, security
Copyright is held by the author/owner(s).
CHI 2011, May 7–12, 2011, Vancouver, BC, Canada. Introduction
ACM 978-1-4503-0268-5/11/05. Traditionally, electronic and physical security have been
concerned with creating rules, locks, and passwords.
However, security systems that neglect people as a
significant part of the equation “are seldom secure in
practice” [3]. Practice is what happens in the moment;
it is the activity; it is what is actually done. It is often in
the human-centered moment, and not in the computer-
centered planning stages, when security policies or
mechanisms break down and the safety of sensitive
information is compromised. For this reason we
propose that there exists a need to study socio-
technical systems to understand and evaluate what role
both humans and technology play in creating usable
security [1]. Specifically, we propose focusing on
physician’s offices, where there is a plethora of
sensitive patient information that exists in various
stages and forms of documentation. Physicians’ offices
are valuable loci of study given the collaborative nature
of the work, the increasing adoption of electronic
medical records [6], and the implicit assumption of
security by the patient.
Prior work has documented that when systems are
provided to users that do not account for how they
work, the system is circumvented and used
“inappropriately” [2-4]. Within secure places, this can
mean writing down passwords, or as was observed in
this study, shouting them. This is because the
management of patient information is both socially
constructed and mediated while also being entered and
navigated in medical record systems. To further discuss
these issues in this paper we present data from
interviews and observations of 15 physicians’ offices in
Southwest rural-serving Virginia to continue the
discussion of usable security within a particular location
and with a focus on practice. By focusing on practice
within physicians’ offices our work represents an
important contribution of where security in action is
and is not located.
Related Work
The work of usable security in healthcare is an
amalgamation of prior work on healthcare, security,
and HCI [1]. Patients serve as users, owners of
sensitive information, and as part of the healthcare
system. In regards to security, prior work has
demonstrated balance is essential between policies and
software solutions that are constructed accounting for:
social and organizational context, temporal factors from
actions in that context, possible threats from
information usage, and trade-offs made by the user
[1]. Some considerations would be the location of
computers and paper files within the physician’s office
and users being inconvenienced by extra steps, such as
using a password every time they return to a computer
or putting files back on the shelving unit in between
frequent access. These factors demonstrated that all
solutions are not technical: the social context must be
accounted for in order to fully represent the needs of
the users – as argued more generally in the work of
Palen & Dourish [4]. Despite the need for such context,
there has been little work done in real social practices
in regards to privacy and security. Thus, our work is a
valuable contribution to the growing need of
observations in social environments.
In prior work within the medical context, Adams &
Blanford [1] discussed with members of two hospitals
the use of passwords to protect access to sensitive data
when computers were unattended. They found that
many users were simply ignoring the password
protection system -- so many that it became difficult to
enforce the security mechanisms in place. Similarly,
Adams & Sasse discussed that system security often
lacks “user-centered design and user training” [2];
however, users are a critical component in a successful
secure system. Additionally, the adoption of policies
such as the Health Insurance Portability and
Accountability Act (HIPAA) are stipulating how users
should be managing patient information, with little
consideration for local policies. However, considering
security beyond password use has received little
attention. For this reason we present findings below
that include an analysis of security mechanisms that
extend beyond password usage (or the lack there of).
Within prior work there have been few examples of
qualitative analysis in regards to security and privacy in
healthcare (with valuable exceptions [1]). Qualitative
methods, such as interviews and observations, allowed
researchers to gain a “deeper understanding of lived
experiences by exposing taken-for-granted
assumptions” by witnessing how “participants live in
their environment” [5]. In particular, what work that is
being done has focused on technologically adept
locations, with little research regarding those who opt
not to use technology [7]. For these reasons we
present qualitative data from rural-serving physicians’
offices in regards to their security practices.
Methods
Fifteen interviews were conducted with directors of
physicians' offices; and, 61.25 hours of observation
were carried out at 5 locations. The participants had, on
average, 20.16 years of experience as a director. The
average staff size was 10 people with approximately
128 patients seen weekly. All offices provided non-life-
critical care. Given the dearth of diversity of physician’s
offices, more identifying information cannot be provided
as to the type of centers that were observed due to
participant anonymity. All participants were unpaid.
The interview protocol was developed and vetted by
two external researchers to the project. Participants
were asked demographic questions, questions in
regards to their daily information management
practices, and questions in regards to their electronic
systems. Pictures and forms were collected from offices
during interviews. Prior to starting each of the
observations each student re-read all prior interviews
and reports. The observer was centrally located in the
physician’s office and able to watch over the shoulder
of the healthcare staff. Observations were spanned to
watch during all times of the day and across days of the
week where patient load and temporal work rhythms
can vary.
We used a phenomenological approach to data analysis
to derive the essence of security and privacy within
collaborative management of patient information.
Phenomenology is a qualitative method used frequently
in healthcare research; see [5] for more information
about the details of phenomenology. For our study,
data was analyzed by creating a set of themes,
clustering the data into sets of meanings, establishing
agreement between the researchers, and then
examining the resulting body of data related to the
essence of security and privacy.
Results
We present these results not to point at any one place
where security and privacy were not accounted for.
Instead, we present these results to provide interlaced
examples to construct a broader understanding of
security and privacy.
 Password Sharing
There were two instances where a participant with
special access would log in for another office member
with a lower level access or no
access at all to utilize the system.
In one case, it was observed that
the employee that worked primarily
with Medicare needed to log into
the hospital’s electronic database to
collect information. However, she
had not attended the required
course and received her own
individual access. To get this
information she asked one office
staff who did have this access to
log her in. What is important and
relevant is that this same office did
not use any passwords for their
Figure 1. One participants patient’s files open for own electronic medical record
anyone to access. system.
General Lack of Passwords
Even more prevalent was the complete lack of
password use. There was only one observed use of
passwords to enter an individual center’s electronic
system. During interviews we additionally learned that
of the physician’s offices that did have electronic
systems, only 6 even used passwords. For instance, the
observer writes while watching the director, “<the
director> brings a paper over and punches it on the
counter next to me. She leaves her office with it,
leaving her computer unlocked.” This example is
canonical of how office staff would (a) leave their
computers open when they would leave their
workstation, and (b) the general lack of concern about
leaving a computer insecure. There were three
additional instances represented in interviews about
similar lack of password use.
When asked why the staff did not use passwords one
director responded that the staff at her office use each
other's machines because everyone "has the same
access" and "there is really no privacy act between
employees." Because everyone has the same
permission, there is not a need to have an explicit rule
specifying that they can or cannot use each other’s
computer. This fact is inherent in the work that they do
and the information that they are all allowed to
see/access/modify.
Difficulty Locating Patient File
There were fourteen occurrences of medical staff
having difficulty locating patient files. This was because
of the participant’s inability to use the system – either
electronic or paper – that breakdowns occurred. These
breakdowns resulted in additional patient files being
created, files not being in the correct location, and lost
patient information. The remaining instances were
derived from observations of three physicians’ offices.
Example causes for these problems are unusual
spellings of names, transposed names, and office staff
misspelling and/or misfiling. These problems are
interrelated because the patient’s name was the
primary and only key for locating a patient’s file at
these offices. When a patient’s file could not be located
based on the primary key, it was difficult it not
impossible to find the file again.
Electronic Systems Crashing & Loosing Information
Out of the nineteen physician’s offices that we visited,
eighteen of them had some form of electronic records
used to manage their patient’s care. There were five
instances where the offices’ electronic system crashed
and lost pertinent information. One director explained
how her office had been making automated electronic
back-ups when they experienced a fatal crash. This
crash led to the discovery that the back-ups had not
been properly collected for three weeks. As a result the
director “worked a lot of weekends” in order to re-enter
all of the lost information back into the electronic
system from their paper records, which they had still
been maintaining. Similar experiences occurred at the
other practices. All offices still had their paper-based
files.
Patient Information Left in the Open
There were two incidents where private patient
information was mistakenly left out of a patient's file
which resulted in the information being exposed.
During an observation the observer noticed a patient x-
ray that was left on the counter that was detached from
a patient’s file. A nurse came over, randomly picked up
the x-ray, looked at it, and then put it back on the
desk. All offices had patient records freely available to
anyone to access as shown in Figure 1. No filing
cabinets were observed to be locked at night.
Discussion & Conclusion
These findings present obvious security risks of
confidential patient information within physicians’
offices, whether those risks are the loss of crucial
information or exposure of sensitive material. In order
to progress toward a more usable system, it is essential
to identify why these phenomena are occurring to
assist in presenting a usable solution for these security
risks. However, it is critical to recognize the social
nature of how patient information is currently being
managed. Staff share passwords or do not use
passwords because of the social nature of their work.
Passwords ascribe to a one user – one machine – one
account system. Yet, the work that people do is open,
social and shared across both the electronic and paper-
based systems. Researchers may surmise that these
findings are not surprising. However truthful that may
be, the question remains, why are designs not
accounting for them. Our work represents a first take at
trying to understand and account for these
phenomenon and point at future design considerations.
For this reason we present the following issues in
relation to designing a system that is beyond usable for
managing patient information, but also social.
Passwords are Not Social
The breakdown in password utilization and personal
password security reflect that the need for this feature
is not represented in the work carried out in systems
that have password functionality. Because users do not
see the need for passwords, individual passwords are
not used. Similarly, office staff often leave information
out of files or do not return files to shelves
immediately. This means that systems should account
for quick access to information not based on
restrictions, but upon making knowledge of who is
accessing the system visible to all. Additionally,
breaking away from the one person – one computer –
one account model of supporting access to information
would better support social work.
Systematic Flaws
Electronic record systems crashing, data backups
failing, difficulty of locating patient files, and leaving
files in the open can all be attributed to flaws within the
socio-technical system. The unreliability of electronic
systems require practices to maintain their paper files
as a reliable backup source, resulting in twice the
amount of files to maintain and twice the amount of
data to secure. Leaving information out of files or files
off the shelf, even temporarily in between uses, is in
direct conflict with keeping the information secure in
the sense that it is not locked away and protected from
prying eyes. Redundant information represents a
system flaw in regards to security, but was created to
support the social system. Designers should consider
the affordances of paper files that are difficult for
electronic systems such as having a physical location,
recognizable handwriting, and spotting inconsistencies
in the system (e.g., missing information within a file).
Is Patient Privacy a Fallacy?
Further improvements can be made to enhance the
reliability and security of electronic systems. Updates
can be tracked as well as regular backups that alert the
system administrator when they fail to run successfully.
Additionally machine learning algorithms can process
individual user access to patient files in order to identify
unusual behavior. For example, if a nurse is updating
the file of patient X, she will access and update X’s file
multiple times. However, if a nurse were to look at the
file of patient Y, her neighbor, she would only have a
need to look at the file once. This unusual pattern could
then be reported for investigation.
However, solutions like these can be accused of
throwing more technology at the problem without
accounting for the work that people do. A tenant of
usable security literature states that people will find a
way to circumvent a security measure when it comes in
conflict with another task. We therefore have presented
the previous security issues that demonstrate security
flaws in the everyday work of a physician’s office staff.
These are not flaws of malice, but flaws of negligence
where the work of making patient information secure
and private is not clearly embodied in the practice of
managing patient information. Our future work is to
respond to these issues by prototyping solutions that
do represent the social needs of information
management. Additional work should be done to
identify the costs and benefits of open access systems,
especially in life-critical situations.
Acknowledgements
We thank Laura Agnich for helping collect and analyze
the data and the VT Usable Security Group for their
feedback. This work was funded, in part by NSF Grant
#0851774.
References
[1] Adams & Blandford (2005). Bridging the gap
between organizational and user perspectives of
security in the clinical domain, IJHCS, 63(1-2).
[2] Adams & Sasse (1999). Users are not the enemy.
Communications of the ACM, ACM.
[3] Bellotti & Sellen (1993). Design for Privacy in
Ubiquitous Computing Environments, Conference on
CSCW, Kluwer Academic Publishers.
[4] Palen & Dourish (2003). Unpacking "privacy" for a
networked world, Conference on Human Factors in
Comp Sys, ACM.
[5] Starks & Trinidad (2007). Choose your method: A
comparison of phenomenology, discourse analysis, and
grounded theory, Qual Health Res, 17(10).
[6] Berner, Detmer & Simborg (2005). Will the Wave
Finally Break? A Brief View of the Adoption of Electronic
Medical Records in the United States, JAMIA, 12(1).
[7] Satchell & Dourish (2009). Beyond the user: Use
and non-use in HCI, OZCHI, ACM.