Healthcare is not the only industry that has strict privacy and security regulations. For example, the financial industry also has very strict regulations, known as the Financial Pri
Discussion Prompt:
Healthcare is not the only industry that has strict privacy and security regulations. For example, the financial industry also has very strict regulations, known as the Financial Privacy Rule ( https://www.ftc.gov/legal-library/browse/rules/financial-privacy-rule ) .
Healthcare providers, patients, and administrators all say they are concerned about the privacy and security of health information. One of the main reasons that it has been difficult to implement a healthcare information exchange is the lack of trust in our ability to protect health information. Problems with privacy and security can be caused by providers, patients, and healthcare organizations.
Everyone says they value privacy and security, but it is difficult to get compliance about regulations. As you think about this, answer the following:
1. Why do you think it has been so difficult to get compliance around regulations related to health information privacy and security in healthcare?
2. Why do you think we still see large security/privacy breaches?
Angela
1. Why do you think it has been so difficult to get compliance around regulations related to health information privacy and security in healthcare?
I believe it is difficult to get compliance around regulations because employees might be trying to cut corners related to their job. If they find a task is easier to do without going through the necessary requirements for health information privacy, they might skip it. I also think its hard to remember simpler tasks such as locking your computer. Such things as this has to become a habit to protect health information privacy. Lastly I think its a convenience issue. If there is a shredder bin to walk to for PI close by, you could walk right there when you have something to shred. On the other hand, if its not convenient, you might hold of on shredding and it could get in the wrong hands.
2. Why do you think we still see large security/privacy breaches?
Although large organizations such as a hospital have their own Cybersecurity team, there are till hackers that can access the system although not as common. Human error such as what I mentioned before about not locking your computer workstation can result in there being a privacy breach. Large databases that hold secure patient information can be hacked into and leaked. Some organizations that are smaller might not even have a Cybersecurity team. Paper records could make it much easier to get lost, unorganized, and cause security and privacy breaches.
,
Financial Privacy Rule
Rule Summary
The regulations require financial institutions to provide particular notices and to comply with certain limitations on disclosure of nonpublic personal information. A financial institution must provide a notice of its privacy policies and practices with respect to both affiliated and nonaffiliated third parties, and allow the consumer to opt out of the disclosure of the consumer’s nonpublic personal information to a nonaffiliated third party if the disclosure is outside of the exceptions.
,
This section focuses on the hardware and software basics involved in electronic health records and other healthcare data systems.
The sections covered here are focused on the systems that support healthcare organizations. For this module, most of the systems are comprised of multiuser user's systems. This course reviews the basics of support of an EHR and other healthcare data systems.
This is a good place to start, even though this is a pretty big generalization. Mainframes are large single computers. The first mainframe was the Harvard Mark 1, it took over a dozen years to build, weighed 5 tons, and took up an entire warehouse. IBM started producing mainframes in the 50s and still produces mainframes for critical applications and data bulk processing. They are still producing mainframes; IBM has a model the size of a refrigerator that can process 25 billion transactions per day. The supercomputer is considered a mainframe and is distinguished by the processing speed. Standard mainframes are smaller and less expensive and are rated in MIPS millions of instructions per second. Most mainframes range between 2 and 100 MIPS. Supercomputers are typically larger and require more cooling and are measured in FLOPS or floating-point operations per second and are typically over 200 MIPS. A server can be two connected computers but are usually many computers and the data computing includes processing over multiple devices, also called distributed processes. Many applications can be built and run-on mainframes or servers and some are dependent on one system or another. A PC or personal computer is a single device, which can now be a desktop workstation, a laptop, a tablet, or a mobile device. The variation in size and capability of any of these computers is huge. We’ll look at some of the software and hardware for each of these, as well as how they are connected.
A mainframe has one operating system which may be broken down into different virtual systems. UNIX started out at AT&T propriety operating system and was slowly transformed to run on other hardware. LINUX was produced to provide even more flexibility. The purpose of the operating systems is to provide a programming environment for applications and programs to run. Mainframes typically have dedicated storage devices. For years, if you had an IBM mainframe, you could only use IBM storage devices. The storage devices started as magnetic tape drives, progressing to larger banks of hard disks. One approach to mainframe storage was Tandem devices, hardware storage that wrote simultaneously to two storage devices. This allowed instant failover if one of the storage units stopped working. The system was later named Tandem NonStop and had a high degree of reliability. Mainframes supporting banking institutions and the stock exchange use Tandem Storage. Another approach was RAID systems, or redundant arrays of inexpensive disks. Data was stored in several places and if one of the disk arrays was damaged, the other arrays would support the malfunctioning device. I worked with a RAID system at the Everett Clinic back in the 90s. The system have been upgraded six months previously with a RAID 5 system when one of the disks when out. With the previous Hitachi mainframe, this would result in several hours of downtime to repair the system and restore from backup tapes. For the new RAID, we “hot-swapped” a new array, which meant we replaced the broken drive without shutting down the computer and the system remained operational. It completely rewrote the info in the new drive in about three hours. One of the limitations of the mainframe was the number of terminals and devices that could be attached. For years, dedicated workstations that would only run mainframe applications could be used, which meant that there would only be a few EHR workstations per department, but networking made it possible to connect more devices.
Servers are processes that distribute and coordinate the processing across multiple devices. There are several operating systems that handle this coordination. Windows and MacOS are programs that are operating systems for windows and apple computers. There are many manufacturers that support server approaches, and the operating systems allow a variety of systems to be used. Cisco, Dell, Fijitsu and HP are some manufacturers, but there are many others. One type of server is a file server, which is a process that controls the storage and processes across several devices. A blade server is a device that hosts many servers in the same box or chassis. These are very compact and dense with each rack being considered a separate computer, or a blade, and the collection of blades providing storage and processing to the system. To support the users on the systems, the programs are distributed across networks. Servers are the storage and processers of information and routers connect multiple networks and route information to the PC or server.
Desktop computing is where a single device is standalone and has its own CPU, processor, and storage. PCs have different configurations and are now lighter laptops or tablets. When they first introduced to healthcare, they were heavy machines and needed to be on a table. There was an effort to make them mobile and many hospitals started using workstations on wheels or WOWs. They were also known as computers on wheels or COWs. These models were usually big and bulky, but this created some security. A visit to a New York hospital found they had taken the lightweight laptops and bolted them to the old WOW frames. Apparently, this was the only way to keep them from getting easily stolen. With a PC, the computer can complete all the processing, or it can be connected to a network. A fat client system is where the application program gets loaded onto the PC and thin client is where the computer has to connect to a network where a server contains the application. For the home health and hospice nurses in Snohomish and King counties, moving from fat client to thin clients was better because the devices were smaller and lightweight, and the information was always up to date. If they couldn’t connect to the network, the fat client programs that they once used to work offline couldn’t be used and no work could be completed. In some cases, the EHR is not hosted by a server or mainframe at the hospital or clinic, but is a service provided by a vendor like Cerner or GE. The application service provider creates a thin client approach – inexpensive PCs can be used for EHR documentation but fails when there is a lack of connectivity. PC’s can also create their own networks. The windows operating system makes it easy to connect two or more PCs to a small integrated network called peer to peer that can provide EHR functionality.
Network connectivity has some different approaches. The standard terms LAN, WAN, MAN and PAN are dependent on size, but even this definition is flexible. LAN is local area network and has been used to describe an organization or limited to within a building, but this is becoming more a relative differentiator. WAN is a wide area network, MAN is a metropolitan area network, and PAN is a personal area network. A PAN would be the same as a peer-to-peer network. The protocols of networks are more relevant and interesting to healthcare and EHRs. To start, basic connection between PC is through a modem, a device that turns computer language into phone signals and send them across a phone line then the modem takes the signal and turns it back into computer language. Network routing is based on this principle. For an Ethernet network, one PC has a network interface card, or NIC, that acts like a modem and connects to another PC that has a network interface card and converts the signal into computer language. Ethernet is one type of routing; TCP is a type of network that is common on the internet. HTTP on the internet network provides the address and what web servers and routers should do with the message. Wireless networks include Wi-Fi, which is also known as IEEE 802.11, and is able to transmit messages across wireless devices. Another wireless protocol is Bluetooth, which is built for shorter range and smaller devices. LTE is standard for broadband communication and is typically for connecting smart phones. One more thing to consider with wired networks. For many years, copper wire was the standard for transmitting any network but now there is fiber optics, which convert the computer signal into light and the light is transmitted across a filament. This creates greater speed and efficiency, but it is 20 times more costly than copper. There are only a small number of carriers providing long distance services and the limitation is that there needs to be a fiber optic node station close to the point of service.
A consideration for a hospital or healthcare organization is how closed or open the network is. A closed network means that patient privacy and data security can be controlled more easily, it would take access from within the network to get to sensitive data. This supports the privacy sections of HIPAA. An open network allows better access to healthcare providers, especially doctors, insurance companies, and patients, which also supports the goals of HIPAA. There is no single answer for both, the question of closed versus open network needs to meet the user requirements of the organization. When mainframes were terminal workstations and not networked, you had to have access through a workstation, which made privacy great and access to the system was poor. With networks, it was easier to give workstations access to the healthcare data. Simple Ethernet networks could be closed to anyone not in the physical location. With a growth in technology and user population, accessing the healthcare from outside the network was the next challenge. IT departments could set up direct dial number for modem access, which became a common way to transmit claim data to insurance companies. Another way to access a closed network is to allow VPN or virtual private network, a set up that allows a connection from a user on a public network to connect to a private or closed network. A VPN may be controlled by a password or by double authentication, where a token may be used. One approach to a token may be a smart card given to the user that is placed into the device to access the closed network. Another way is a token card, a device with random numbers where the random number are entered and are validated against a synchronized device with the same set of numbers. Some healthcare organizations have a business-to-business network setup with a secure protocol or encryption set up between networks that is seamless to the users. Having an open network seems like a conflict to the HIPAA rules and hosting an EHR where any shared resource can access it is generally a bad idea, however cloud storage and cloud computing has its place in healthcare IT. Generally speaking, cloud servers are virtual servers that can exist in any location and is accessed by the internet. Cloud storage is shared storage that can be configured to have security and encryption that performs like a closed network, it just doesn’t have a physical dedicated storage in the building. Cloud computing is analogous to a file server, where processing is distributed across computers. The cloud approach means the servers are virtual and not physical onsite devices. The internet includes access to public and private networks and involves a lot of cloud storage and computing. Hosted EHR, or ASPs (which are application service providers) may be closed networks or cloud storage and computing that requires VPN or encryption to access.
Another significant component for healthcare systems are the input and output devices. In simple systems, the inputs would be a keyboard and mouse and the output would be a printer and screen. These are key components but there are a few more to consider. Input devices that have a huge impact in healthcare are scanners and cameras. Scanners are devices that basically take pictures of documents, like photocopies, and store the image in the system. Some scanners have software that include OCR, optical character recognition, which can convert the words from the picture into text, but most scanned documents treat the input as a picture. One of the first issues with scanned documents is storage. The amount of computer storage to store an image is significantly larger than data in a database and planning and purchasing more storage on servers can be costly. Another issue is indexing. When an image is scanned or imported from a camera, the files need to be matched up to the patient. Even if the patient’s name is on the scanned document, there needs to be physical human intervention to attach the right file to the correct patient. If it took a couple of minutes to look up and verify the correct patient, a stack of 30 documents would take at least an hour. For a medium sized 400 bed hospital, paper documents can stack up pretty quickly. Another issue for healthcare is cameras. The images become part of the patients records and are governed by HIPAA and the regulations of PHI, patient health information. If a doctor snaps a picture on their cell phone, does the phone have the necessary security and encryption to safely connect to the EHR? Is there a process to index the photo to the correct patient? Personal devices have become a potential threat to EHR security and integrity. Another revolutionary input method is voice to text. For many years, doctors would record a note, send it to a transcriptionist, who would type it into text form. Now there is software that can convert spoken words into text. This takes some training and has some amazing capabilities. Barcodes are another type of input that has a significant impact on healthcare, especially medications. Barcodes are simply a font that allows numbers and letters to be written as vertical bars that can be read by a barcode reader. Barcodes are being used to prevent medication errors by verifying the correct medication by checking the barcode on the drug then verifying the patient by verifying a barcode on their wrist band. There are a variety of other input devices from equipment and monitors that becomes part of the patient’s medical record. Besides the barcode readers, there are a few output devices that use medical information. Some robotic processes can be programmed for output. One process that we will see in week 10 is the output to order supplies when levels are too low. Devices will count the number of supplies being used and send an order to central supply when there are only a few items left.
Interfaces provide the means for one system to communicate with another. This is performed within a network and the setup of the network needs to allow the connection between devices or systems. In some cases, the interface is a device connected to another device or a device that is connected to an EHR or other system. In some cases, the interface is the connection to other facilities or organizations, such as the government or insurance companies.
Part of the interface is the network connection and routing to make sure the messaging between devices or system is secure. The other part is the messages they transmit. HL7 is a standard interfacing protocol that coordinates between systems. Displayed is an example HL7 message. The first part is the MSH segment which is broken up into fields. The fields are separated by a pipe or the vertical line. Many of the fields contain standard format and commands. MSH9 which is circled here usually defines the message type and action. The ADT means this is an action for the patient registration system and A04 means a patient registration. The rest of the fields would be the same fields as a registration screen or form.
One of the main goals of the EHR and other healthcare systems is to allow access to the right people. The hospital and clinical staff need to be able to enter medical information and results and to view orders and actions. The security of the EHR is dependent on the procedures and policies of the organization. Technology vendors can build in programmatic and physical safeguards but it’s up to the organization to implement and use it properly. Access to the system has a lot of variation and its necessary to meet the needs of the organizational users. Creating secure points of entry is dependent on the network and the device and whether the users are accessing the EHR from the closed private network or outside from a public network. The use of passwords is one method that access is controlled and the organization may require secondary authentication procedures. Another security measure to review for accessing a private network through a public network is that a firewall is usually included whenever a secure network is set up. A firewall monitors and verifies all transmissions between the public and private networks. A firewall is used to screen out viruses or malicious software but can also restrict specific information. At Swedish, any outgoing message on VPN that contains a medical record number is blocked with a warning sent back to the message sender. At Providence, any outgoing message on VPN that contains a medical record number is sent to the system administrator and the privacy department for investigation of policy violation.
The EHR itself is typically a database or a set of databases. A simple database can be a flat file, or a text file that has no indexing or stores multiple files. Each record follows the same text format. Most EHRs are relational databases and contain multiple table structures. There may be a set of specific keys or values in an EHR that cross reference files. In most EHRs, the primary key is the patient’s medical record number. When we start looking at the information in the EHR, we’ll see how most of the hospital and clinical information is tied to the patient. In many EHRs, data dictionaries are used to store detailed information about a specific value. One of the largest data dictionaries is the charge master. The charge master is a list of all items that can be billable to a patient. The data dictionary contains all the detailed information of each charge in one place and this information is used over and over again. Most of the data in EHR resides in tables, some vendors have started used object-oriented database approaches, which are more complex in setup and programming but offer some more technical flexibility.
HIPAA are the set of regulation that balance security and access within an EHR. It also provides a set of standards to allow reimbursement of healthcare services. Privacy for the patient and their PHI, or patient health information is dependent on the setup and physical safeguards provided by the IT systems. Setting up policies to properly use the security and privacy systems need to be enforced by the organization. HIPAA also provides for backup and recovery, not just in redundant or failover storage, but backup and disaster recovery procedures and processes. HIPAA privacy and patient access is supported by state laws in the retention and release of information procedures that must be followed in any EHR. All the hardware and software options reviewed have an impact on privacy and access and the rules in HIPAA help facilitate this.
Collepals.com Plagiarism Free Papers
Are you looking for custom essay writing service or even dissertation writing services? Just request for our write my paper service, and we'll match you with the best essay writer in your subject! With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.
Get ZERO PLAGIARISM, HUMAN WRITTEN ESSAYS
Why Hire Collepals.com writers to do your paper?
Quality- We are experienced and have access to ample research materials.
We write plagiarism Free Content
Confidential- We never share or sell your personal information to third parties.
Support-Chat with us today! We are always waiting to answer all your questions.