Original paper

 
 



Are Health Professionals meeting the minimum-security requirements for Health Information Systems (HIS) in the New Zealand Health Service? (A pilot study in Residential Care)
 
 

Han Roeters 1,2 and Alec Holt 3

1 Manager, Reevedon Elderly Care Complex, PO Box 142, Levin 5500, New Zealand.

2 Health Informatics Group, University of Otago, Wellington School of Medicine, Wellington, New Zealand.

3 Health Informatics Group, Department of Information Science, University of Otago, Dunedin, New Zealand.

Corresponding Author

Han Roeters
Health Informatics Group
University of Otago
Dunedin 
New Zealand
Email: roeters.nz@xtra.co.nz



 

Abstract 

Background: Due to the accelerating development of technology and the globalisation of HIS, it is becoming increasingly important for health professionals to implement and maintain security measures for their HIS.
Objective: This research compares British, American and New Zealand HIS security standards and searches for available minimum-security requirements, in order to compare these with the results of a survey in the NZ residential care industry.
Methods: The research is a cross-sectional study that evaluates and compares descriptive qualitative data derived from a population sample by means of a questionnaire, and literature research with descriptive qualitative data on minimum-security requirements from other studies, established standards or legislation and literature. 
A survey is designed and conducted in the facilities of a large residential (elderly) care provider in New Zealand. It is targeted to Managers, Care Managers, Registered Nurses and Administrators. The questionnaire investigates how HIS security in the residential care industry compares.
Results: The literature search failed to return minimum-security requirements for HIS for any of the countries targeted in the research. The survey had a 58% return rate, which equates to a sample population of 28. Compliance with minimum-security requirements was below 50%. Statistics and graphs were calculated and produced in MS Excel with the PHStat add-in.

Conclusions: 

Minimum-security requirements establish an important basis for consistency in developing health companies' HIS security policies and procedures. Continued inconsistency in security procedures jeopardises the quality of patient care and the HIS, and increases the risk of litigation for health professionals and organizations. The minimum-security requirements in the NZ residential care industry are severely compromised and the risk of security breaches and data loss is high. Minimum-security requirements for HIS in the targeted countries are not available.

In this article the terms privacy, confidentiality, and security are used as defined by L. Gostin [1]:

“Privacy is defined as the right of an individual to limit access by others to some aspect of the person. 

Confidentiality is a form of information privacy characterized by a special relationship, such as the physician-patient relationship. Personal information obtained in the course of this relationship should not be revealed to others unless the patient is first made aware and consents to the disclosure.

Security encompasses a set of technical and administrative procedures designed to protect data systems against unwanted disclosure, modification, or destruction and to safeguard the system itself.”

Keywords

Security, Health Information Systems, Privacy, Confidentiality, New Zealand, Residential Care.

Introduction

Since the 1990s the use of computerised HIS in New Zealand and other first world countries has developed at an accelerating pace. In conjunction with this, “concerns about privacy transcend the health care setting. Americans believe that their privacy rights are not adequately protected” [2]. These concerns were reflected in other countries, including New Zealand. The New Zealand government developed the Health Information Privacy Code 1994 (http://www.knowledge-basket.co.nz/privacy/comply/HIPCWWW.pdf) to ensure the privacy of health information.
It is becoming increasingly difficult for lawmakers to keep pace with new developments in our ever-accelerating technology. Privacy and security requirements are no exception.
“With the advance of technology have come a variety of challenges to our privacy. It’s not that the Internet causes loss of privacy-but it has made us more aware of the issues surrounding privacy. The complexities involved in maintaining our privacy and security in a world where information is increasingly public can be daunting.” [3]. Compounding this problem is the globalisation of information and the lack of global legislation to protect the privacy of our health information, “it is easy to understand why some kinds of information should be accorded special status and legal protection based on their sensitivity and the great damage that can occur from unconsented disclosure.”[4]. The protection of our health information is imperative to maintaining the individual’s privacy.
“The essence of security is to protect the availability, integrity and confidentiality of data and systems” [5]. A lack of security has the potential to put the patient, the clinician, the system and the organization at risk. The reason is that medical organizations “tend to focus our greatest emphasis on patient care. But once you understand how profoundly a lack of IT security can affect your organization, right down to the clinical level, you come to appreciate the importance of it” [6].
Unfortunately “most hospitals and health systems don’t understand how much at risk they are” [7].
Global security principles for health information systems do not exist because nobody owns or regulates the Internet. Most countries have developed their own security legislation and principles. It is concerning that HIS have been in generalised use since the early 1980s while most legislation and security guidelines originate from the late 1990s.

HIS risk assessment and the implementation of security measures to ensure a secure, private and dynamic HIS is possibly one of the major tasks that the NZ Health Service, and health services in other countries, need to deal with.

Methods

Comparing British, American and New Zealand HIS security principles
Dr Ross J. Anderson describes 9 security principles for the individual patient record in his research Security in Clinical Information Systems, which was commissioned by the British Medical Association (BMA). They relate to the following security elements [8]:
  1. Access control
  2. Record opening
  3. Control
  4. Consent and notification
  5. Persistence
  6. Attribution
  7. Information flow 
  8. Aggregation control
  9. The trusted computing base
The American security principles are found in a recommendation on the Health Insurance Portability and Accountability Act 1996 (HIPAA).
“The Department of Health and Human Services has previously sent Congress recommendations for legislation to protect health information, which set forth the following 5 key principles [9]:
  1. Boundaries
  2. Security
  3. Consumer control
  4. Accountability
  5. Public responsibility” 
The American Congress adopted these principles during the discussions of the HIPAA bill. The Department of Health and Human Services (HHS) announced a final rule for the electronic standards for healthcare transactions in December 2000.
The British and American security principles are incorporated in New Zealand in the Health Information Privacy Code 1994 and the New Zealand security principles for health information standards for the NZ Health Intranet, which ensure that three security components are maintained [10]:
  1. “System integrity - the functionality of the computer system should be maintained with all modules and subsystems functioning properly and in the way that the user expects and believes them to be operating 
  2. Data availability - the data stored are preserved from damage or disorganisation, and are available to the user as and when required 
  3. Information privacy - the personal and confidential material stored is protected from access by unauthorised personnel, and is available only to those with a need to know and with the necessary privilege and authority to access it.” 
The New Zealand security principles for health information standards for the NZ Health Intranet consist of 6 principles [11]:
  1. Confidentiality
  2. Integrity
  3. Authenticity
  4. Non-repudiation
  5. Auditing
  6. Accountability
In addition the NZ Health Information Privacy Code provides the following Health Information Privacy Rules [12]:
  1. Purpose of collection of health information
  2. Source of health information
  3. Collection of health information from individual
  4. Manner of collection of health information
  5. Storage and security of health information
  6. Access to personal health information
  7. Correction of health information
  8. Accuracy etc. of health information to be checked before use
  9. Retention of health information
  10. Limits on use of health information
  11. Limits on disclosure of health information
  12. Unique identifiers
Although all these standards are important building blocks for secure HIS and EDI (Electronic Data Interchange) they do not establish consistent minimum-security requirements.
With the establishment of NZ e-government some progress is being made towards the implementation of minimum standards. In the document on minimum standards for Internet security in the New Zealand Government the following policies and guidelines for security management standards are set [13]:
-NZ Security of IT (MNSIT) Publication 104: Risk Analysis (www.gcsb.govt.nzit/index.htm) or
-Standards New Zealand AS/NZS 4360: Risk Management and HB 231: IT Risk Management
The document is still in draft form, completion and implementation might take several years, and Internet security is only one element of HIS security systems.
There are 5 major barriers to HIS security systems.

First: the human factor, since people are required to operate the HIS. Any system is only as secure as its weakest link and no system is fully secure. Staff’s major concern is patient care, which in itself provides a heavy workload. Many people think that the greatest security concern for our health information is unauthorised online access by “hackers”; this is possibly due to the front-page news it makes and the embarrassment it causes when a hacker gains access.

However, most organizations’ largest concern is internal: “an angry employee or a simple mistake is much more likely to occur than an outside hack and is tremendously harder to stop” [14]. Lack of compliance with security policies due to other work pressures and/or lack of understanding and education would be the next largest concern.

Second: There is a lack of global HIS security standards and there is no minimum-security requirement that could be reflected in consistent policies and procedures throughout the health care industry.

Third: The accelerating speed of development of new technology. Technology is developing faster than the tools to secure the HIS. This is an ongoing concern that will continue to exist. There are a number of countermeasures available to protect the HIS. The NZHIS security publication describes some of these measures, which include [15]:

  1. Access control (comprising up to 3 parts: Something you know, something you have, something unique to you)
  2. Transaction logs and audit trails (for system and file access)
  3. Encryption (of the electronic health information prior to transfer)
  4. Archiving (relating to the ease of access, off-line storage and destroying of data)
  5. Virus protection and software fitness (appropriate software for its use)
  6. Informed users (who understand and follow the security policies)
Fourth: The cost factor. Good security systems are usually expensive to implement and there is no tangible evidence that they are effective. Most countries have problems stretching the health dollar to meet requirements, and HIS security does not appear on the priority list.
Fifth: Education. Security education is not a common part of HIS operators’ training.
Security is often viewed as an issue the IT department needs to solve and not as a common problem.
To allow different health service software applications to communicate with each other, the Health Level 7 (HL7) protocol was developed as a standard for health networks; this has been adopted by New Zealand. The HL7 protocol managers have appointed a group that will focus on secure transactions and Internet security. “The group will focus on the use of HL7 in communications environments where there is a need for authentication, encryption, non-repudiation, and digital signature. This group will focus on mechanisms for secure HL7 transactions and not on standardizing security policies.” [16].
It is concerning that HL7, which is considered the most advanced and widely adopted data transfer protocol, is still developing its security mechanisms.

It is difficult to establish the degree of risk encountered by individuals and/or the health industry. “The Internet is unlike anything humankind has ever experienced. It has no borders, no nationality, few rules, and is restricted only by the creativity of its users. As such, it defies many traditional roles of government and rules of order. This openness is its greatest strength and also its most defining weakness.” [17]. There is a multitude of factors which impact on the degree of risk, and the Internet is only one of these. Other aspects are access, system integrity, data integrity and availability, and confidentiality/privacy. It would be an impossible task to eliminate all the risks; paper-based HIS have carried a degree of risk as well. It is beneficial to minimise these risk factors because the cost, both social and financial, can be high.

For example, if a person’s health information were available to insurers or employers, certain privileges might be denied (justified or not); a disgruntled employee could destroy valuable databases and compromise treatments; and/or New Zealand health providers could be held liable under the Health Information Privacy Code and incur hefty fines.

HIS security survey in the Residential Care Industry

See Appendix 1 for the survey questions.
There is a difference in nature between the residential care industry (long-term care) and other health information systems (more acute). In the acute setting there is a much higher need for online patient information transfer, and because of this the protocols are more advanced, using Health Level 7 compatible programs, policies and procedures. Although it would be beneficial, the residential care industry in general is not connected to the NZ Health Intranet, and electronic transfer of patient information is the exception rather than the norm.
To ascertain to what level minimum-security requirements in the residential care industry are met, questions were compiled from security principles illustrated in the book Protect Yourself On Line [18] and NZ Government security publications [19].
The questionnaire was structured around the following security areas:
  1. Virus screeners.
  2. Computer access
  3. Backup
  4. Encryption
  5. Audit trails
  6. Education
Structure of the 31 questions:
The first question was to establish whether staff were eligible to take part in the survey, to reduce redundant data. Staff who were not eligible because they did not use computerised HIS were asked to complete the demographic data only. 18 of the questions had yes/no or yes/no/don’t know answers, and there were 8 other security questions. The survey finished with 4 demographic questions, which established occupation, gender, age group and length of employment.
If the majority, 95% (to allow a 5% margin of error), of questions 2.1 to 7.3 were answered correctly, the residential care provider would be considered to meet the minimum-security requirements for HIS.
The mean of the yes/no/(don’t know) answers provides an indication of compliance with minimum-security requirements. If the survey mean is high, compliance is high, because the population’s answers comply with the preferred answers (see Table 1).
Table1 Preferred answers (Table1.jpeg)
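The scoring method described above (each answer compared with the preferred answer from Table 1, per-respondent compliance averaged over the sample, and the mean tested against the 95% threshold) is illustrated here with a short Python script. This is an added example, not code from the paper or its authors; the question ids, security areas, preferred answers and the four sets of responses are constructed for illustration and do not reproduce the paper's Table 1 or its survey data. It also reports compliance per security area, which the Results section summarises per area in Tables 2-10.

```python
"""Scoring a HIS security questionnaire against a preferred-answer key.

Added illustration, not the paper's own code or data. A respondent's
compliance is the percentage of questions answered as preferred; the sample
mean, standard deviation and standard error summarise the population, and
the mean is compared with the paper's 95% acceptance level.
"""
from math import sqrt
from statistics import mean, stdev

# Constructed answer key: question id -> (security area, preferred answer).
# "no" is preferred where a "yes" would indicate a weak practice.
PREFERRED = {
    "2.1": ("Virus screeners", "yes"),  # virus screener installed
    "2.2": ("Virus screeners", "yes"),  # incoming data scanned automatically
    "3.1": ("Computer access", "no"),   # shares a password with other staff
    "3.2": ("Computer access", "yes"),  # screen saver password in use
    "4.1": ("Backup", "yes"),           # backs up at least weekly
    "5.1": ("Encryption", "yes"),       # sensitive files encrypted when emailed
    "6.1": ("Audit trails", "yes"),     # audit trail enabled on the HIS
    "7.1": ("Education", "yes"),        # received computer security education
}

THRESHOLD = 95.0  # acceptable compliance level from the paper (5% margin)


def score_respondent(answers):
    """Percentage of questions answered as preferred.

    A 'don't know' or a missing answer never matches the key, so it counts
    as non-compliant, which is how the paper treats the don't-know option.
    """
    hits = sum(1 for q, (_, pref) in PREFERRED.items() if answers.get(q) == pref)
    return 100.0 * hits / len(PREFERRED)


def summarise(responses):
    """Sample mean, standard deviation, standard error and the threshold test."""
    scores = [score_respondent(r) for r in responses]
    m = mean(scores)
    sd = stdev(scores) if len(scores) > 1 else 0.0
    se = sd / sqrt(len(scores))
    return {
        "n": len(scores),
        "mean": round(m, 2),
        "sd": round(sd, 2),
        "se": round(se, 2),
        "meets_minimum": m >= THRESHOLD,
    }


def area_compliance(responses):
    """Per security area: percentage of (respondent, question) pairs matching the key."""
    totals = {}
    for r in responses:
        for q, (area, pref) in PREFERRED.items():
            hit, n = totals.get(area, (0, 0))
            totals[area] = (hit + int(r.get(q) == pref), n + 1)
    return {area: round(100.0 * hit / n, 1) for area, (hit, n) in totals.items()}


# Constructed responses for four hypothetical respondents.
RESPONSES = [
    {"2.1": "yes", "2.2": "yes", "3.1": "no", "3.2": "yes",
     "4.1": "yes", "5.1": "no", "6.1": "no", "7.1": "yes"},
    {"2.1": "yes", "2.2": "don't know", "3.1": "yes", "3.2": "no",
     "4.1": "yes", "5.1": "no", "6.1": "don't know", "7.1": "no"},
    {"2.1": "yes", "2.2": "yes", "3.1": "yes", "3.2": "no",
     "4.1": "no", "5.1": "no", "6.1": "no", "7.1": "yes"},
    {"2.1": "yes", "2.2": "no", "3.1": "no", "3.2": "no",
     "4.1": "yes", "5.1": "no", "6.1": "no", "7.1": "no"},
]

if __name__ == "__main__":
    print(summarise(RESPONSES))
    for area, pct in area_compliance(RESPONSES).items():
        print(f"{area:16s} {pct:5.1f}%")
```

With the constructed responses the sample mean is 43.75% (well under the 95% level), and the per-area figures show where the shortfall sits, for instance 0% on encryption and audit trails; on real survey data the same split tells a practitioner which control area to remediate first.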
 

Results

The survey was designed in Infopoll Designer [20] and transferred to MS Word format to make it suitable for a mail-out, targeted to Registered Nurses (RN), Administrators and Managers. After approval was obtained from the general manager, 48 questionnaires were distributed by mail and there was a 58% return rate.
82% of the returned surveys were from staff who used health information systems; 18% of the respondents did not. It is difficult to establish whether this is a true reflection of the total population of staff. There might be bias in that staff who do not use HIS are less likely to return the research survey. This 18% was made up of 1 RN and 4 managers.
The acceptable mean would be around 95.
The survey mean was 41.95, with a standard deviation of 28.76. This means that the majority of preferred answers are within 28.76 of the mean. The standard error is 6.13 with a 95% confidence level.
I am unable to compare statistics in regard to compliance with minimum-security standards in the NZ health industry because they do not exist. Only advisory material is available, which does not give a minimum standard.
100% of the HIS computers were found to be equipped with a virus screener. There appears to be uncertainty about who is responsible for updating the virus screener: 35% of the surveyed population said they were not responsible and 26% didn’t know.

17% of the population updated and scanned their HIS computer fortnightly, which is considered insufficient; due to the increasing speed at which new viruses are developed, a minimum of a weekly update and scan is advisable. In addition, 26% are not aware whether the virus screener is set to automatically screen all incoming information.

Control of access to the HIS computer is an essential part of minimum-security standards.

The survey results show that 78% of the surveyed population share HIS computers with other staff, 70% share passwords and 48% know the passwords of other staff. 52% of the computers carry only one password for access and 35% carry no password. The majority of passwords are relatively uncomplicated (57% consist of letters only and 17% are made up of letters and numbers). This makes unauthorised access easy; in addition there are no audit trails and 57% of the staff use networked computers. This places the system at high risk of undetected unauthorised computer and network access.

The risk of unauthorised access is increased further: only 30% of the survey results indicate that the computers carry a screen saver password.

Even for the computers that do carry passwords, access is at risk. Access via an administrator’s password is minimal (only 22%) and, in addition, only 26% of the passwords are stored in a safe or comparably secure storage.

Protection of what is considered sensitive information is severely challenged: only 48% is password protected, and only 4% of the files are encrypted or password protected when emailed. Digital signatures are not used, which makes authentication of the sender impossible and interception easy.

78% of the surveyed staff back up their HIS computer; unfortunately 17% do this less than fortnightly. This equates to only 61% of the surveyed staff correctly backing up their HIS information, so the risk of information loss is potentially high. A preset cyclical backup would be the preferred backup method.

52% of the survey population have received education in regard to computer security, but the level and the type of education are not known.

There were no obvious correlations between the demographic data and the other survey data.

Using the preferred answers, the overall mean of the survey is 41.9%. This translates into 41.9% of the survey population returning the preferred answer. To maintain an acceptable minimum-security standard this figure should be 95% (this allows for a 5% margin of confidence) in all the surveyed areas (see Tables 2-10).

Tables 2-10. Survey Statistics and Graphs (Table1.jpeg to Table10.jpeg)

Discussion

Security of HIS is a complex concept and an area of concern to the consumer, the health care providers / companies and the New Zealand Government.
The security components of the NZ HIS are disjointed: most parts are available, but I have been unable to find evidence that these components have been combined into a minimum-security standard. Such a standard would ensure some consistency in HIS security throughout the NZ health industry. Currently the NZHIS security consists of:
  1. Health Information Privacy Code 1994, in particular rules 5-9, enforceable by the New Zealand Privacy Commissioner and the Health and Disability Commissioner
  2. NZ Health Intranet Security Standards
  3. HL7 Standards
  4. Individual health providers’ HIS security policies and procedures
NZHIS security standards have incorporated both the British and the American standards.
The residential care industry is no exception in the apparent lack of minimum-security standards for HIS.
“Fundamental to any attempt to secure an information system is that the users are aware of and follow appropriate routines and procedures. It will remain beyond the realms of practical reality to develop preventive strategies that make it impossible for users to breach security, and it is the authorised users of the system who are generally the weakest link in the security system” [21]. Some “clinical users consider computerisation offers significant advantages in terms of security and confidentiality. Provided security systems are activated and used properly, computerised notes are more secure than paper notes; likewise e-mail is more secure than for example hard copy facsimiles. Most practices were careful about this issue, but in others the attitude to security was more ‘loose’, with clerical staff not only accessing the notes, but being responsible for writing the patient summaries” [22].
It is surprising to find that minimum-security requirements have not been established in New Zealand and that the available security standards are open to interpretation by their users. This potentially creates concerns for the security of the entire New Zealand HIS. “A health-data technical security policy should be adopted by each Health Care Establishment site” [23].
Most literature refers to generalized security principles that users should adhere to, but minimum-security standards, either national or international, are not available.

For best practice purposes Standards New Zealand has released the security management standard AS/NZS ISO/IEC 17799:2001 Information Technology – Code of practice for information security management; there is no evidence that this document has been adopted and implemented by the New Zealand Health Service.

“The bad news is that even basic security measures are new to the health care industry, generally considered to be 10 to 15 years behind other industries with regard to security”[24].

Minimum-security requirements establish an important basis for consistency in developing health companies’ HIS security policies and procedures. There are still grave concerns. The NZ West Coast District Health Board identified in their Board report in September 2001 that in the area of e-security there was a “Lack of policy/standards, no official policy, however good attention to security within Information group compensates to a large degree” [25].

Continued inconsistency in security policies and procedures jeopardises the quality of patient care and increases the risk of litigation for health professionals and organizations. The minimum-security requirements in the NZ residential care industry are severely compromised and the risk of security breaches and data loss is high.

The outcome of the HIS security survey is that minimum-security requirements in this residential care organization are severely compromised and the risk of security breaches and data loss is high. This potentially threatens the HIS and the safety of the residents. The degree of risk encountered by the health company is high; this does not translate into risk for the NZ Health Intranet, because the residential care provider is not connected to it.

The sample size is large enough to conclude that this is a fair representation of the entire industry. We need to take into account that the sample originates from one company only and is not cross-sectional for the residential care industry. This has the potential to create bias due to the culture of the organization surveyed.

Acknowledgements

The authors would like to acknowledge the support and encouragement from the Otago University Post-Graduate Diploma in Health Informatics tutors, and the support, co-operation and time dedicated by the General Manager Elderly Care and the staff of the Residential Care Provider that was surveyed. No funding was sourced for this article.

 

Conflict of Interest

Possible conflict of interest is that one author is the Manager, Reevedon Elderly Care Complex.
 
Appendix 1
Health Information Systems Security Survey 2002 (Appendix1.htm)
 

References

  1. Gostin LO, Turek-Brezina J, Powers M. Privacy and Security of Personal Information in a New Health Care System. JAMA 1993 Nov; 270(20):2487-93 [Medline]
  2. Gostin LO, Turek-Brezina J, Powers M. Privacy and Security of Personal Information in a New Health Care System. JAMA 1993 Nov; 270(20):2487-93 [Medline]
  3. Danda M. Protect Yourself On Line. Washington: Microsoft Press; 2001. p. xvii
  4. Szekely D, Milam S, Khademi J. Legal Issues of the Electronic Dental Record: Security and Confidentiality. J Dent Educ 1996 Jan; 60(1):19-23 [Medline]
  5. NZ Government (1995, 02-07-97). Information Systems Security and Data Protection. URL: http://www.nzhis.govt.nz/publications/Security.html [accessed 2002 Mar 27]
  6. Rodsjo S. Hack Attack. Healthc Inform [serial online] 2001 Jan [cited 2002 Mar 27]; 18(1):37-40, 42, 44. URL: http://www.healthcare-information.com/issues/2001/01_01/rodsjo.htm [Medline]
  7. Tabar P. A Security Strategy: possibly the biggest task on the healthcare's to-do list. Healthc Inform [serial online] 2001 Feb [cited 2002 Mar 27]; 18(2):46, 48. URL: http://www.healthcare-information.com/issues/2001/02_01/cover.htm#security [Medline]
  8. Anderson RJ. Security in Clinical Information Systems. Cambridge: University of Cambridge; 1996
  9. Hodge J Jr, Gostin LO, Jacobson PD. Legal Issues Concerning Electronic Health Information. JAMA 1999 Oct 20; 282(15):1466-71 [Medline]
  10. NZ Government. Information Systems Security and Data Protection. URL: http://www.nzhis.govt.nz/publications/Security.html [accessed 2002 Mar 27]
  11. NZ Government. Standards (Health Intranet). URL: http://www.nzhis.govt.nz/intranet/standards.html [accessed 2002 Mar 27]
  12. NZ Government. Health Information Privacy Code 1994. Office of the NZ Privacy Commissioner. URL: http://www.privacy.org.nz/comply/HIPCWWW.pdf [accessed 2002 Mar 27]
  13. NZ Government. Minimum Standards for Internet Security in the New Zealand Government. URL: http://www.e-government.govt.nz/docs/iss-draft/iss-draft.pdf [accessed 2002 Jun 21]
  14. Rodsjo S. Hack Attack. Healthc Inform [serial online] 2001 Jan [cited 2002 Mar 27]; 18(1):37-40, 42, 44. URL: http://www.healthcare-information.com/issues/2001/01_01/rodsjo.htm [Medline]
  15. NZ Government. Information Systems Security and Data Protection. URL: http://www.nzhis.govt.nz/publications/Security.html [accessed 2002 Mar 27]
  16. Unknown. Health Level Seven Southern Africa. URL: http://www.hl7.org.za/HealthLevelSevenGuide1.htm [accessed 2002 Apr 16]
  17. Danda M. Protect Yourself On Line. Washington: Microsoft Press; 2001. p. 8
  18. Danda M. Protect Yourself On Line. Washington: Microsoft Press; 2001
  19. NZ Government. Information Systems Security and Data Protection. URL: http://www.nzhis.govt.nz/publications/Security.html [accessed 2002 Mar 27]
  20. Infopoll.com. Infopoll Designer Version 7. URL: http://infopoll.com/download/ [accessed 2002 Mar 30]
  21. NZ Government. Information Systems Security and Data Protection. URL: http://www.nzhis.govt.nz/publications/Security.html [accessed 2002 Mar 27]
  22. Nielson A. C. Attitudes towards information technology in Australian General Practice. URL: http://www.health.gov.au/pubs/gpit/gpit2.pdf [accessed 2002 Apr 26]
  23. Ilioudis C, Pangalos G. A framework for an Institutional High Level Security Policy for the Processing of Medical Data and their Transmission Through the Internet. J Med Internet Res [serial online] 2001 Apr-Jun [cited 2002 Jun 21]; 3(2):E14. URL: http://www.jmir.org/2001/2/e14/ [Medline]
  24. Kibbe DC. A Problem-Orientated Approach to the HIPAA Security Standards. Fam Pract Manag [serial online] 2001 Jul-Aug [cited 2002 Mar 27]; 8(7):37-43 [22 screens]. URL: http://aafp.org/fpm/20010700/37apro.html [Medline]
  25. NZ West Coast DHB. Board Report 28 Sept 2001. URL: www.westcoastdhb.org.nz/board/Papers/SeptHACPapers.pdf [accessed 2002 Jun 21]

 

Abbreviations

BMA British Medical Association
EDI Electronic Data Interchange
HEIN Health Informatics
HHS Health and Human Services
HIPAA Health Insurance Portability and Accountability Act
HIS Health Information System
HL7 Health Level 7
IT Information Technology
NZ New Zealand
RN Registered Nurse