\documentclass[12pt,a4paper]{article}

\usepackage{a4wide}
\usepackage{palatino}
\usepackage{url}


\title{Are Health Professionals meeting the minimum-security requirements for Health Information Systems (HIS) in the New Zealand Health Service? (A pilot study in Residential Care)}

\author{Han Roeters\thanks{Manager, Reevedon Elderly Care Complex, PO Box 142, Levin 5500, New Zealand.}\thanks{Health Informatics Group, University of Otago, Wellington School of Medicine, Wellington, New Zealand.} \and Alec Holt\thanks{Health Informatics Group, Department of Information Science, University of Otago, Dunedin, New Zealand.}}

\begin{document}

\bibliographystyle{plain}

\maketitle

{\raggedright\itshape
Corresponding Author \\
Han Roeters \\
Health Informatics Group \\
University of Otago \\
Dunedin \\
New Zealand \\
Email: roeters.nz@xtra.co.nz
}

\begin{abstract}
\textbf{Background:} Due to the accelerating development of technology and the globalisation of HIS, it is becoming increasingly important for health professionals to implement and maintain security measures for their HIS.

\textbf{Objective:} This research compares British, American and New Zealand HIS security standards, reviews the minimum-security requirements available, and compares these with the results of a survey in the NZ residential care industry.

\textbf{Methods:} The research is a cross-sectional study that evaluates and compares descriptive qualitative data derived from a population sample by means of a questionnaire and literature research with descriptive qualitative data on minimum-security requirements from other studies, established standards, legislation and literature. A survey was designed and conducted in the facilities of a large residential (elderly) care provider in New Zealand. It was targeted at Managers, Care Managers, Registered Nurses and Administrators. The questionnaire investigates how HIS security in the residential care industry compares with these requirements.

\textbf{Results:} The literature search failed to return minimum-security requirements for HIS for any of the countries targeted in the research. The survey had a 58\% return rate, which equates to a sample population of 28. Compliance with minimum-security requirements was below 50\%. Statistics and graphs were designed and calculated in MS Excel with the PHStat add-in.

\textbf{Conclusions:} Minimum-security requirements establish an important basis for consistency in developing health companies' HIS security policies and procedures. Continued inconsistency in security procedures jeopardises the quality of patient care and the HIS, and increases the risk of litigation for health professionals and organizations. The minimum-security requirements in the NZ residential care industry are severely compromised and the risk of security breaches and data loss is high. Minimum-security requirements for HIS in the targeted countries are not available.

In this article the terms privacy, confidentiality, and security are used as defined by L.~Gostin [1]:

``Privacy is defined as the right of an individual to limit access by others to some aspect of the person.

Confidentiality is a form of information privacy characterized by a special relationship, such as the physician-patient relationship. Personal information obtained in the course of this relationship should not be revealed to others unless the patient is first made aware and consents to the disclosure.

Security encompasses a set of technical and administrative procedures designed to protect data systems against unwanted disclosure, modification, or destruction and to safeguard the system itself.''
\end{abstract}



\noindent\textbf{Keywords:} Security, Health Information Systems, Privacy, Confidentiality, New Zealand, Residential Care.


\section{Introduction}

Since the 1990s the use of computerised HIS in New Zealand and other first world countries has developed at an accelerating pace. In conjunction with this, ``concerns about privacy transcend the health care setting. Americans believe that their privacy rights are not adequately protected'' [2]. These concerns were reflected in other countries including New Zealand. The New Zealand government developed the Health Information Privacy Code 1994 (\url{http://www.knowledge-basket.co.nz/privacy/comply/HIPCWWW.pdf}) to ensure the privacy of health information.

It is becoming increasingly difficult for lawmakers to keep pace with new developments in our ever-accelerating technology. Privacy and security requirements are no exception.

``With the advance of technology have come a variety of challenges to our privacy. It's not that the Internet causes loss of privacy, but it has made us more aware of the issues surrounding privacy. The complexities involved in maintaining our privacy and security in a world where information is increasingly public can be daunting.'' [3]. Compounding this problem is the globalisation of information and the lack of global legislation to protect the privacy of our health information; ``it is easy to understand why some kinds of information should be accorded special status and legal protection based on their sensitivity and the great damage that can occur from unconsented disclosure.'' [4]. The protection of our health information is imperative to maintaining the individual's privacy.

``The essence of security is to protect the availability, integrity and confidentiality of data and systems'' [5]. The lack of security has the potential to put the patient, the clinician, the system and the organization at risk. The reason is that medical organizations ``tend to focus our greatest emphasis on patient care. But once you understand how profoundly a lack of IT security can effect your organization, right down to the clinical level, you come to appreciate the importance of it.'' [6]

Unfortunately ``most hospitals and health systems don't understand how much at risk they are'' [7].

Global security principles for health information systems do not exist because nobody owns or regulates the Internet. Most countries have developed their own security legislation and principles. It is concerning that HIS have been in generalised use since the early 1980s while most legislation and security guidelines originate from the late 1990s.

HIS risk assessment and the implementation of security measures to ensure a secure, private and dynamic HIS is possibly one of the major tasks that the NZ Health Service, and the health services of other countries, need to deal with.



\section{Methods}

\subsection{Comparing British, American and New Zealand HIS security principles}



Dr Ross J. Anderson describes 9 security principles for the individual patient record in his research \emph{Security in Clinical Information Systems}, which was commissioned by the British Medical Association (BMA). They relate to the following security elements [8]:

\begin{itemize}
\item Access control
\item Record opening
\item Control
\item Consent and notification
\item Persistence
\item Attribution
\item Information flow
\item Aggregation control
\item The trusted computing base
\end{itemize}




The American security principles are found in a recommendation on the Health Insurance Portability and Accountability Act 1996 (HIPAA).

``The Department of Health and Human Services has previously sent Congress recommendations for legislation to protect health information, which set forth the following 5 key principles [9]:
\begin{itemize}
\item Boundaries
\item Security
\item Consumer control
\item Accountability
\item Public responsibility''
\end{itemize}

The American Congress adopted these principles during the discussions of the HIPAA bill, and HHS (Department of Health and Human Services) announced a final rule for the electronic standards for healthcare transactions in December 2000.



The British and American security principles are incorporated in New Zealand in the Health Information Privacy Code 1994 and the New Zealand security principles for health information standards for the NZ Health Intranet, which ensure that three security components are maintained [10]:

\begin{itemize}
\item ``System integrity -- the functionality of the computer system should be maintained with all modules and subsystems functioning properly and in the way that the user expects and believes them to be operating
\item Data availability -- the data stored are preserved from damage or disorganisation, and are available to the user as and when required
\item Information privacy -- the personal and confidential material stored is protected from access by unauthorised personnel, and is available only to those with a need to know and with the necessary privilege and authority to access it.''
\end{itemize}




The New Zealand security principles for health information standards for the NZ Health Intranet consist of 6 principles [11]:

\begin{itemize}
\item Confidentiality
\item Integrity
\item Authenticity
\item Non-repudiation
\item Auditing
\item Accountability
\end{itemize}




In addition the NZ Health Information Privacy Act provides the following Health Information Privacy Rules [12]:

\begin{enumerate}
\item Purpose of collection of health information
\item Source of health information
\item Collection of health information from individual
\item Manner of collection of health information
\item Storage and security of health information
\item Access to personal health information
\item Correction of health information
\item Accuracy etc.\ of health information to be checked before use
\item Retention of health information
\item Limits on use of health information
\item Limits on disclosure of health information
\item Unique identifiers
\end{enumerate}




Although all these standards are important building blocks for secure HIS and EDI (Electronic Data Interchange), they do not establish consistent minimum-security requirements.

With the establishment of NZ e-government some progress is being made towards the implementation of minimum standards. In the document on minimum standards for Internet security in the New Zealand Government the following policies and guidelines for security management standards are set [13]:

\begin{itemize}
\item ``An IS management system following AS/NZS17799 Information Security Management (available from \url{www.standards.co.nz}) should be employed for all systems processing Government classified (including In-confidence) information or hosting government services.
\item IT security risks should be managed following the processes in either:
  \begin{itemize}
  \item NZ Security of IT (MNSIT) Publication 104: Risk Analysis (\url{www.gcsb.govt.nzit/index.htm}) or
  \item Standards New Zealand AS/NZS4360: Risk Management and HB231: IT Risk Management''
  \end{itemize}
\end{itemize}

The document is still in draft form, completion and implementation might take several years, and Internet security is only one element of HIS security systems.



There are 5 major barriers to HIS security systems.

First: the human factor required to operate the HIS. Any system is only as secure as its weakest link and no system is fully secure. Staff's major concern is patient care; this in itself provides a heavy workload. Many people think that the greatest security concern for our health information is unauthorised online access by ``hackers''; this is possibly due to the front page news it makes and the embarrassment it causes when a hacker gains access.

However, most organizations' largest concern is internal: ``an angry employee or a simple mistake is much more likely to occur than an outside hack and is tremendously harder to stop'' [14]. Lack of compliance with security policies due to other work pressures and/or lack of understanding and education would be the next largest concern.

Second: there is a lack of global HIS security standards and there is no minimum-security requirement that could be reflected in consistent policies and procedures throughout the health care industry.

Third: the accelerating speed of development of new technology. Technology is developing faster than the tools to secure the HIS. This is an ongoing concern that will continue to exist. There are a number of countermeasures available to protect the HIS. The NZHIS security publication describes some of these measures, which include [15]:

\begin{itemize}
\item Access control (comprising up to 3 parts: something you know, something you have, something unique to you)
\item Transaction logs and audit trails (for system and file access)
\item Encryption (of the electronic health information prior to transfer)
\item Archiving (relating to the ease of access, off-line storage and destroying of data)
\item Virus protection and software fitness (appropriate software for its use)
\item Informed users (who understand and follow the security policies)
\end{itemize}

Fourth: the cost factor. Good security systems are usually expensive to implement and there is no tangible evidence that they are effective. Most countries have problems stretching the health dollar to meet requirements, and HIS security does not appear on the priority list.

Fifth: education. Security education is not a common part of HIS operators' training. Security is often viewed as an issue the IT department needs to solve and not as a common problem.



To allow different health service software applications to communicate with each other, the Health Level 7 (HL7) protocol was developed as a standard for health networks; it has been adopted by New Zealand. The HL7 protocol managers have appointed a group that will focus on secure transactions and Internet security. ``The group will focus on the use of HL7 in communications environments where there is a need for authentication, encryption, non-repudiation, and digital signature. This group will focus on mechanisms for secure HL7 transactions and not on standardizing security policies.'' [16].

It is concerning that HL7, which is considered the most advanced and widely adopted data transfer protocol, is still developing its security mechanisms.




To establish the degree of risk encountered by individuals and/or the health industry is difficult. ``The Internet is unlike anything humankind has ever experienced. It has no borders, no nationality, few rules, and is restricted only by the creativity of its users. As such, it defies many traditional roles of government and rules of order. This openness is its greatest strength and also its most defining weakness.'' [17]. There is a multitude of factors which impact on the degree of risk, and the Internet is only one aspect of these. Some other aspects are access, system integrity, data integrity and availability, and confidentiality/privacy. It would be an impossible task to eliminate all the risks; paper based HIS have incurred a degree of risk as well. It is beneficial to minimise these risk factors because the cost, both social and financial, can be high.

For example, if a person's health information were available to insurers or employers, certain privileges might be denied (justified or not), a disgruntled employee could destroy valuable databases and compromise treatments, and/or New Zealand health providers could be held liable under the Health Information Privacy Act and incur hefty fines.



\subsection{HIS security survey in the Residential Care Industry}

See Appendix 1 for the survey questions.

There is a difference in nature between the residential care industry (long term care) and other health information systems (more acute). In the acute setting there is a much higher need for online patient information transfer, and due to this the protocols are more advanced, using Health Level 7 compatible programs, policies and procedures. Although it would be beneficial, the residential care industry in general is not connected to the NZ Health Intranet, and electronic transfer of patient information is the exception rather than the norm.

To ascertain to what level minimum-security requirements in the residential care industry are met, questions were compiled from security principles illustrated in the book \emph{Protect Yourself On Line} [18] and NZ Government Security Publications [19].

The questionnaire was structured around the following security areas:

\begin{itemize}
\item Virus screeners
\item Computer access
\item Backup
\item Encryption
\item Audit trails
\item Education
\end{itemize}



Structure of the 31 questions:

The first question was to establish if staff were eligible to take part in the survey, to reduce redundant data. Staff who were not eligible because they did not use computerised HIS were asked to complete demographic data only. 18 of the questions had yes/no or yes/no/don't know answers and there were 8 other security questions. The survey finished with 4 demographic questions, which establish the occupation, gender, age group and length of employment.

If the majority, 95\% (to allow a 5\% margin of error), of the questions 2.1 to 7.3 were answered correctly, the residential care provider would be considered to meet the minimum-security requirements for HIS.

The mean of the yes/no/(don't know) answers provides an indication of compliance with minimum-security requirements. If the survey mean is high, compliance is high, because the population's answers agree with the preferred answers (see Table 1).

\noindent Table 1: Preferred answers (Table1.jpeg)


\section{Results}

The survey was designed in Infopoll Designer [20] and transferred to MS Word format to make it suitable for a mail out, targeted at Registered Nurses (RN), Administrators and Managers. After approval was obtained from the general manager, 48 questionnaires were distributed by mail and there was a 58\% return rate.

82\% of the returned surveys came from staff who used health information systems; 18\% of the responding staff did not. It is difficult to establish if this is a true reflection of the total population of staff. There might be bias in the fact that staff who do not use HIS are less likely to return the research survey. This 18\% was made up of 1 RN and 4 managers.

The acceptable mean would be around 95\%.

The survey mean was 41.95, with a standard deviation of 28.76. This means that the majority of preferred answers are within 28.76 around the mean. The standard error is 6.13 at a 95\% confidence level.

I am unable
to compare statistics in regard to compliance with minimum-security standards
in the NZ health industry because they do not exist. There is only advisory
material available which does not give a minimum standard.

100\% of the HIS computers were found to be equipped with a virus screener. There appears to be uncertainty about who is responsible for updating the virus screener: 35\% of the surveyed population said they were not responsible and 26\% didn't know.

17\% of the population updated and scanned their HIS computer fortnightly, which is considered insufficient; due to the increasing speed at which new viruses are developed, a minimum of a weekly update and scan is advisable. In addition, 26\% are not aware whether the virus screener is set to automatic screening of all incoming information.

Control of access to the HIS computer is an essential part of minimum-security standards.

The survey results show that 78\% of the surveyed population share HIS computers with other staff, 70\% share passwords and 48\% know passwords of other staff. 52\% of the computers carry only one password to access the computer and 35\% carry no password. The majority of passwords are relatively uncomplicated (57\% consist of letters only and 17\% are made up of letters and numbers). This makes unauthorised access easy; in addition there are no audit trails and 57\% of the staff use networked computers. This places the system at high risk of undetected unauthorised computer and network access.

The risk of unauthorised access is increased further: only 30\% of the survey results indicate that the computers carry a screen saver password.

Even for the computers that do carry passwords, access is at risk. Access via an administrator's password is minimal (only 22\%); in addition, only 26\% of the passwords are stored in a safe or comparable safe storage.

Protection of what is considered sensitive information is severely challenged: only 48\% is password protected and only 4\% of the files are encrypted or password protected when emailed. Digital signatures are not used, which makes authentication of the sender impossible and interception easy.

78\% of the surveyed staff back up their HIS computer; unfortunately 17\% do this less than fortnightly. This equates to only 61\% of the surveyed staff correctly backing up their HIS information, therefore the risk of information loss is potentially high. A preset cyclical backup would be the preferred backup method.

52\% of the survey population have received education in regard to computer security, but the level and the type of education is not known.

There were no obvious correlations between the demographic and the other survey data.

Using the preferred answers, the overall mean of the survey is 41.9\%. This translates to 41.9\% of the survey population returning the preferred answer. To maintain an acceptable minimum-security standard this figure should be 95\% (this allows for a 5\% margin of confidence) in all the surveyed areas (see Tables 2--10).

\noindent Tables 2--10: Survey Statistics and Graphs (Table1.jpeg to Table10.jpeg)

\section{Discussion}

Security of HIS is a complex concept and an area of concern to the consumer, the health care providers/companies and the New Zealand Government.

The security components of the NZ HIS are disjointed; most parts are available but I have been unable to find evidence that these components have been combined in a minimum-security standard. This would ensure some consistency in HIS security throughout the NZ Health Industry. Currently the NZHIS security consists of:



\begin{itemize}
\item Health Information Privacy Act 1994, in particular rules 5--9, endorsable by the New Zealand Privacy and Health and Disability Commissioners
\item NZ Health Intranet Security Standards
\item HL7 Standards
\item Individual health providers' HIS security policies and procedures
\end{itemize}




NZHIS
Security standards have incorporated both the British and the American
standards.

The
residential care industry is no exception in the apparent lack of minimum-security
standards for HIS.

``Fundamental to any attempt to secure an information system is that the users are aware of and follow appropriate routines and procedures. It will remain beyond the realms of practical reality to develop preventive strategies that make it impossible for users to breach security, and it is the authorised users of the system who are generally the weakest link in the security system'' [21]. Some ``clinical users consider computerisation offers significant advantages in terms of security and confidentiality. Provided security systems are activated and used properly, computerised notes are more secure than paper notes; likewise e-mail is more secure than for example hard copy facsimiles. Most practices were careful about this issue, but in others the attitude to security was more `loose', with clerical staff not only accessing the notes, but being responsible for writing the patient summaries'' [22].

It is surprising to find that minimum-security requirements have not been established in New Zealand and that the available security standards are open to interpretation by their users. This potentially creates concerns for the security of the entire New Zealand HIS. ``A health-data technical security policy should be adopted by each Health Care Establishment site'' [23].

Most literature refers to generalized security principles that users should adhere to, but minimum-security standards, either national or international, are not available.


For best practice purposes Standards New Zealand has released the security management standard AS/NZS ISO/IEC 17799:2001 Information Technology -- Code of practice for information security management; there is no evidence that this document has been adopted and implemented by the New Zealand Health Service.

``The bad news is that even basic security measures are new to the health care industry, generally considered to be 10 to 15 years behind other industries with regard to security'' [24].

Minimum-security requirements establish an important basis for consistency in developing health companies' HIS security policies and procedures. There are still grave concerns. The NZ West Coast District Health Board identified in its Board report in September 2001 that in the area of E-security there was a ``Lack of policy/standards, no official policy, however good attention to security within Information group compensates to a large degree'' [25].

Continuation
of inconsistency in security policies and procedures jeopardises the quality
of patient care, and increases risk of litigation for health professionals
and organizations. The minimum-security requirements in the NZ residential
care industry are severely compromised and the risk of security breaches
and data loss is high.

The outcome of the HIS security survey concludes that minimum-security requirements in this residential care organization are severely compromised and the risk of security breaches and data loss is high. This potentially threatens the HIS and the safety of the residents. The degree of risk encountered by the health company is high; this does not translate into risk for the NZ Health Intranet because the Residential Care Provider is not connected.

The sample size is large enough to conclude that this is a fair representation of the entire industry. We need to take into account that the sample originates from one company only and is not cross-sectional for the residential care industry. This has the potential to create bias due to the culture of the organization surveyed.



\section*{Acknowledgements}

The authors would like to acknowledge the support and encouragement from the Otago University Post-Graduate Diploma in Health Informatics tutors, and the support, co-operation and time dedicated by the General Manager Elderly Care and staff of the Residential Care Provider that was surveyed. There was no funding sourced for this article.





\section*{Conflict of Interest}

A possible conflict of interest is that one author is the Manager, Reevedon Elderly Care Complex.

\section*{Appendix 1}

Health Information Systems Security Survey 2002 (Appendix1.htm)



\section*{References}

\begin{enumerate}
\item Gostin LO, Turek-Brezina J, Powers M. Privacy and Security of Personal Information in a New Health Care System. JAMA 1993 Nov; 270(20):2487--93. [Medline]
\item Gostin LO, Turek-Brezina J, Powers M. Privacy and Security of Personal Information in a New Health Care System. JAMA 1993 Nov; 270(20):2487--93. [Medline]
\item Danda M. Protect Yourself On Line. Washington: Microsoft Press; 2001. p. xvii.
\item Szekely D, Milam S, Khademi J. Legal Issues of the Electronic Dental Record: Security and Confidentiality. J Dent Educ 1996 Jan; 60(1):19--23. [Medline]
\item NZ Government. Information Systems Security and Data Protection. 1995 (updated 02-07-97). \url{http://www.nzhis.govt.nz/publications/Security.html} [accessed 2002 Mar 27]
\item Rodsjo S. Hack Attack. Healthc Inform [serial online] 2001 Jan [cited 2002 Mar 27]; 18(1):37--40, 42, 44. \url{http://www.healthcare-information.com/issues/2001/01_01/rodsjo.htm} [Medline]
\item Tabar P. A Security Strategy: possibly the biggest task on the healthcare's to-do list. Healthc Inform [serial online] 2001 Feb [cited 2002 Mar 27]; 18(2):46, 48. \url{http://www.healthcare-information.com/issues/2001/02_01/cover.htm#security} [Medline]
\item Anderson RJ. Security in Clinical Information Systems. Cambridge: University of Cambridge; 1996.
\item Hodge J Jr, Gostin LO, Jacobson PD. Legal Issues Concerning Electronic Health Information. JAMA 1999 Oct 20; 282(15):1466--71. [Medline]
\item NZ Government. Information Systems Security and Data Protection. \url{http://www.nzhis.govt.nz/publications/Security.html} [accessed 2002 Mar 27]
\item NZ Government. Standards (Health Intranet). \url{http://www.nzhis.govt.nz/intranet/standards.html} [accessed 2002 Mar 27]
\item NZ Government. Health Information Privacy Code 1994. Office of the NZ Privacy Commissioner. \url{http://www.privacy.org.nz/comply/HIPCWWW.pdf} [accessed 2002 Mar 27]
\item NZ Government. Minimum Standards for Internet Security in the New Zealand Government. \url{http://www.e-government.govt.nz/docs/iss-draft/iss-draft.pdf} [accessed 2002 Jun 21]
\item Rodsjo S. Hack Attack. Healthc Inform [serial online] 2001 Jan [cited 2002 Mar 27]; 18(1):37--40, 42, 44. \url{http://www.healthcare-information.com/issues/2001/01_01/rodsjo.htm} [Medline]
\item NZ Government. Information Systems Security and Data Protection. \url{http://www.nzhis.govt.nz/publications/Security.html} [accessed 2002 Mar 27]
\item Unknown. Health Level Seven Southern Africa. \url{http://www.hl7.org.za/HealthLevelSevenGuide1.htm} [accessed 2002 Apr 16]
\item Danda M. Protect Yourself On Line. Washington: Microsoft Press; 2001. p. 8.
\item Danda M. Protect Yourself On Line. Washington: Microsoft Press; 2001.
\item NZ Government. Information Systems Security and Data Protection. \url{http://www.nzhis.govt.nz/publications/Security.html} [accessed 2002 Mar 27]
\item Infopoll.com. Infopoll Designer Version 7. \url{http://infopoll.com/download/} [accessed 2002 Mar 30]
\item NZ Government. Information Systems Security and Data Protection. \url{http://www.nzhis.govt.nz/publications/Security.html} [accessed 2002 Mar 27]
\item Nielson AC. Attitudes towards information technology in Australian General Practice. \url{http://www.health.gov.au/pubs/gpit/gpit2.pdf} [accessed 2002 Apr 26]
\item Ilioudis C, Pangalos G. A framework for an Institutional High Level Security Policy for the Processing of Medical Data and their Transmission Through the Internet. J Med Internet Res [serial online] 2001 Apr--Jun [cited 2002 Jun 21]; 3(2):E14. \url{http://www.jmir.org/2001/2/e14/} [Medline]
\item Kibbe DC. A Problem-Oriented Approach to the HIPAA Security Standards. Fam Pract Manag [serial online] 2001 Jul/Aug [cited 2002 Mar 27]; 8(7):37--43 [22 screens]. \url{http://aafp.org/fpm/20010700/37apro.html} [Medline]
\item NZ West Coast DHB. Board Report 28 Sept 2001. \url{www.westcoastdhb.org.nz/board/Papers/SeptHACPapers.pdf} [accessed 2002 Jun 21]
\end{enumerate}






\section*{Abbreviations}

\begin{description}
\item[BMA] British Medical Association
\item[EDI] Electronic Data Interchange
\item[HEIN] Health Informatics
\item[HHS] Health and Human Services
\item[HIPAA] Health Insurance Portability and Accountability Act
\item[HIS] Health Information System
\item[HL7] Health Level 7
\item[IT] Information Technology
\item[NZ] New Zealand
\item[RN] Registered Nurse
\end{description}




\end{document}