We Save Businesses
(HQ) 3785 Chanticleer Ct, Tallahassee, FL (P) 888-587-4769 (E) info@BCMProfessionals.com www.BCMPros.com
Introduction
Healthcare information data breaches are a cause for concern, given the sensitivity of the data and its accessibility through physical access, internal networking systems, the internet, and mobile technology systems. The privacy, integrity, and confidentiality of a patient's data are key factors to be considered in the transmission of medical information for use by authorized healthcare personnel. Mobile communication has enabled medical consultancy, treatment, drug administration, and the provision of laboratory results to take place outside the hospital. With the implementation of electronic patient records, the Internet, and intranets, medical information sharing amongst relevant healthcare providers is made possible. The vital issue in this method of information sharing is security. The patient's privacy, as well as the confidentiality and integrity of the healthcare information system, should not be compromised. This paper will illustrate how to use integrated processes to secure a patient's electronic medical information and preserve its integrity, availability, and confidentiality.
BCM Professionals
Sidebar statistics from the original page layout: 70% of consumers are concerned about HIE privacy; 82% of consumers are concerned about EHR security; 75% of consumers are concerned about HIE security; and ages 40-64 are the age group with the highest level of concern over privacy and security.

[...]sure of patient information from those who are not authorized to view the patient data. The confidentiality of patient information is being breached at an alarmingly high rate. An all-encompassing list goes beyond the scope of this paper, but the following are just some of the more recent breaches that caught the public's attention:

St. Francis Hospital in Broken Arrow, Oklahoma, reported that someone broke into a secured area and stole a computer containing personal health information on 84,000 patients. The information contained names, addresses, Social Security numbers, and a host of other personal information that could identify the patients.

A Maryland banker who sat on the board of health for his state was able to look at his customers' records to see who had cancer, and then had those clients' loans cancelled.

Integrity ensures the accuracy of the patient's data while in transit. However, 2011 research has demonstrated that the impact of data breaches outstripped drug trafficking, with an estimated $56.6B in costs (not including fines) and 80% of data losses due to malware.

Availability of a patient's Electronic Health Record (EHR) means ensuring that all patient information will be accessible to the physician when necessary, without any disruptions in service. Yet we frequently hear of attacks (e.g., Denial of Service) against online service providers. Recent news pointed out that if the government has determined that a website presents a viable threat, they will shut the site down. Online electronic medical record providers are not exempt from this rule. Any delays caused by identity theft are delays in making patient data available to the physician, which hinders the physician's ability to render the correct diagnoses.
Figure: patient data reached via the Internet, wireless transfer, the intranet, and a local server, with access control applied at each point of access.

Generally, the approach to organizational sustainability naturally incorporates risk and security management. The term "naturally" reflects a natural change migration, as opposed to a hard-lined shutting down of one practice to engage in a new practice, which often ends in frustration and failure throughout the organization's operational, tactical, and strategic platforms.

[...] virtually. This saves time and reduces general risks due to contagious illnesses and travel. Actionable processes are needed now more than ever, given that patient information is routinely distributed across a healthcare system's intranet, mobile/wireless architecture, and the internet. Regarding patient informatics, actionable processes are a proactive means of identifying risks to the:
- Sensitive information
- Infrastructure that houses the information
- People that interface and interact with the information

Figure: process roadmap with the stages Document Current State, Develop Mitigation Strategies, and Training & Audit.

[...] productive change management initiatives. The first steps include determining and documenting what activities are conducted on a daily basis to meet the needs of the organization and the patient. A solidly documented As-Is process flow will help identify gaps, risks, and weak areas when compared to best practices, standards, and compliance requirements.
Risk exposure is determined by the percentage probability that the risk could occur and the level of impact that would be realized if the risk became a reality. The formula generally used to determine (quantify) the level of exposure is:

Risk Exposure (RE) = Risk Probability (RP) * Impact

An example of the formula in use could be as follows:

Risk: An unauthorized person could gain access to patient records (the why is not of concern here).

Environment: The only barrier between the person in question and the records is the counter and the administrative staff performing patient check-in (i.e., no wall or secure window as a minimum protective barrier).

Probability Qualification: Could someone leap over the counter? Has this happened before (no matter the reason)? If the answers are Yes and No respectively, then the probability may be lower than 50%. If the answers are Yes and Yes, then the probability can go significantly higher. The higher the probability of this situation occurring, the closer the quantifier would be to 100%. This example will be conservative and use 1% (a person can jump over the counter, but it has never happened in 20 years).

Impact Qualifier: If the penalty for exposing a patient's record is $20,000.00 per incident and per record (regardless of the reason and short of a court order), then the impact would be significant to catastrophic. Given that the average small doctor's office has approximately 2,000 active records, the math is straightforward: $20,000 x 2,000 = $40,000,000.

Risk Exposure: RE = RP * Impact = 0.01 * $40M = $400,000
The question resulting from the above example should be whether it is less painful to avoid, transfer, accept, or mitigate the risk. The analysis process would include determining the opportunity cost for each of the decision points.
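As an added example (not from the paper), the register below applies the RE = RP * Impact formula and the two qualifying questions to several risks, reproducing the counter-jump figures and ranking the results so the avoid/transfer/accept/mitigate decision starts with the largest exposure; every entry other than the paper's own, and the RP values chosen for the qualifying answers, are assumptions.

```python
"""Risk register built on the paper's formula RE = RP * Impact.

Added example, not from the original paper. Entry 1 reproduces the
paper's counter-jump scenario (RP 1%, $20,000 per record, 2,000 records);
the other entries and the RP values in qualify_probability are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    probability: float         # RP, expressed as 0.0 .. 1.0
    penalty_per_record: float  # dollars per record, per incident
    records_exposed: int       # records one incident could expose

    def impact(self) -> float:
        """Impact = penalty per record x records that could be exposed."""
        return self.penalty_per_record * self.records_exposed

    def exposure(self) -> float:
        """RE = RP * Impact."""
        return self.probability * self.impact()


def qualify_probability(feasible: bool, happened_before: bool) -> float:
    """Map the paper's two qualifying questions onto an RP value. The paper
    only says Yes/No sits below 50% and Yes/Yes goes significantly higher;
    0.01 (the paper's conservative pick) and 0.75 are assumed values."""
    if not feasible:
        return 0.0
    return 0.75 if happened_before else 0.01


def rank_by_exposure(register: list[Risk]) -> list[tuple[str, float]]:
    """(name, RE) pairs, highest first: the order in which to decide
    whether to avoid, transfer, accept, or mitigate each risk."""
    return sorted(((r.name, r.exposure()) for r in register),
                  key=lambda pair: pair[1], reverse=True)


# Constructed register; entry 1 is the paper's worked example.
REGISTER = [
    Risk("Walk-in leaps the check-in counter",
         qualify_probability(feasible=True, happened_before=False),
         20_000.0, 2_000),
    Risk("Unencrypted computer stolen from a secured area",
         qualify_probability(feasible=True, happened_before=True),
         20_000.0, 84_000),
    Risk("Exam-room workstation left logged in", 0.30, 20_000.0, 500),
]
```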
- Six Sigma (continual improvements)
- Baseline standards (e.g., International Standards Organization (ISO))
- Regulatory laws (e.g., the Health Information Technology for Economic and Clinical Health (HITECH) Act)

For example, the next illustration shows how the governing body leverages Six Sigma's Define process within IT Service Management's Change Management process to highlight the need for Project Management processes to carry out a requirement change. The roadmap also reflects how the Project Management process feeds back into the Six Sigma process, which in turn feeds back into the IT Service Management process.
Figure: roadmap linking IT Service Management (Service Strategy, Service Design, Change Management) with the project management phases Initiate, Plan, Execute, and Control.
Overall, leveraging an evolutionary integrated approach results in organizational sustainability, which in turn drives continuity, and ensures compliance by design and definition. As a result, information / data security can truly succeed as the cornerstone for healthcare information systems as they contain extremely sensitive information. The aim is to provide healthcare personnel access to the right information at the right time while ensuring high patient privacy.
Security audits of the information system will discourage legitimate users from the indiscriminate misuse of their privilege(s). Although this approach does not necessarily enforce control, it does detect misuse by legitimate users.
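The detection side of such an audit, as an added example that is not from the paper: assuming a constructed EHR access trail and a care-team table (a treatment relationship being the only legitimate reason to open a record), the code flags every view by a user with no relationship to the patient and separates a single stray access from the kind of record browsing the Maryland banker example describes; all field names, users, and the threshold are assumptions.

```python
"""Audit review of an EHR access trail for misuse by legitimate users.

Added example, not from the original paper. The audit log, the care-team
table, the field names, and the browsing threshold are all constructed.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed audit trail: who opened which record, and when.
AUDIT_LOG = """\
timestamp,user,role,patient_id,action
2012-04-09T08:02:11,dr_patel,physician,P1001,view
2012-04-09T08:05:40,dr_patel,physician,P1002,view
2012-04-09T09:12:03,n_lee,nurse,P1001,view
2012-04-09T12:30:55,board_member7,board,P1003,view
2012-04-09T12:31:20,board_member7,board,P1004,view
2012-04-09T12:31:48,board_member7,board,P1005,view
2012-04-09T12:32:09,board_member7,board,P1006,view
2012-04-09T14:44:17,n_lee,nurse,P1009,view
"""

# Constructed care-team table: users with a treatment relationship to
# each patient, which is the only legitimate reason to open the record.
CARE_TEAM = {
    "P1001": {"dr_patel", "n_lee"}, "P1002": {"dr_patel"},
    "P1003": {"dr_patel"}, "P1004": {"dr_patel"}, "P1005": {"dr_patel"},
    "P1006": {"dr_patel"}, "P1009": {"dr_patel"},
}

# Assumed threshold: more out-of-relationship views than this by one user
# in the reviewed window is treated as record browsing, not a one-off.
BROWSING_THRESHOLD = 3


def find_unauthorized_views(log_text: str) -> list[dict]:
    """Every access whose user is not on that patient's care team."""
    rows = csv.DictReader(StringIO(log_text))
    return [r for r in rows
            if r["user"] not in CARE_TEAM.get(r["patient_id"], set())]


def audit_findings(log_text: str) -> dict[str, str]:
    """Label each offending user 'browsing' or 'isolated' by view count,
    so the reviewer can separate snooping from a probable data-entry slip."""
    counts = Counter(r["user"] for r in find_unauthorized_views(log_text))
    return {user: ("browsing" if n > BROWSING_THRESHOLD else "isolated")
            for user, n in counts.items()}
```

A real review would also feed the "browsing" findings into the change management process described above, since a care-team table that is out of date produces exactly the same false positives.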
Figure: change management roadmap.
Vision: Define Future State; Assess Current State.
Strategy: Engage Primary Sponsor; Form and Prepare Project Team; Select Deployment Strategy.
Implementation: Build Project Team; Create Change Management Plan; Create and Present Business Case; Implement Integrated Plan.
Industry data shows that the qualitative effects of poorly managed change can be realized in many ways, including productivity declines, passive resistance, employee disengagement, attrition, active resistance, arguments, slow adoption, workarounds, and divides between "us" and "them". Effective change management provides a structure to solve many of these issues while achieving project objectives and return on investment. Since the purpose of this article is leveraging integrated processes for security, the core competencies required to ensure that the necessary change expectations of command, control, and communications are met include:
- Security
- Continuity
- Project Management
- Disaster Management
- IT Service Management
- Continuous Improvement
Conclusion
This paper illustrates examples of concerns raised by consumers and industries alike regarding ongoing healthcare information data breaches, and the sensitivity and accessibility of that information through physical access, internal networking systems, the internet, and mobile technology systems. The goals and objectives of information conveyance were met with the level of research and intelligence presented as a source of scholarly intelligence for organizations to leverage, without promoting a sense of paranoia. The use of integrated processes was demonstrated in such a way as to support change management and patient data privacy, integrity, and confidentiality, especially during the transmission of medical information by authorized healthcare personnel. It is vital to leverage evolutionary changes to ensure organizational sustainability, continuity, and compliance for the benefit of all consumers and professionals involved.