Some security challenges for future health
We are experiencing some really interesting times, which is producing a qualitative and quantitative leap as far as health is concerned (in fact, already beginning to be called Health 2.0 … worth spending some time to read about it).
This change of approach, which I will summarize briefly, has to do with some new important factors, and not only redefines the role of technologies that support the processes of health but how society as a whole sees health services that should be getting.
To name a few:
Population mobility is a fact that alters the traditional view in which a health with decentralized powers operated as a quasi-tight model in each community. Health services “future” should share information standard and transparent manner, not only between different regions but also between countries (Spain, as a tourist destination par excellence, must show special interest at this point)
Patients most (in) formed: A large part of the patients have access to much more information about diseases, treatments, side effects … etc, via Internet.. It would not take this clever little tendency to pose moderate models for health services that exploit this interest.
Cost pressure: You can not say that it is a new point, but the search for greater efficiency in the use of resources is to remove costs, which ideally should not impact the quality of service offered to citizens.
For this one of the clearest ways it goes through optimizing care processes through information technology (from the EHR ( Electronic Health Record), the Telemedicine or approaches eHealth).
Customization: It is becoming increasingly anachronistic that every interaction with a service begins with little care about the patient. Given the amount of information that exists of it, he should receive only the information that is applicable (since vaccination schedules to access online health information relevant to the patient).
Patient-centered Health: There is a clear tendency to try to shift the focus from the hospital (as the health center) to the patient, and it should go to the hospital less and improve their quality of life (and incidentally, reduce fixed costs).
Aging population and increasing chronic diseases: One of the main pressures on costs for public administrations is related to chronically ill and elderly. Much of the new approaches are focused on improving health experience and quality of life of these groups as they try to optimize care processes.
All these factors will have / have an important role in everything related to the impact of information security, continuity management, privacy or data protection of personal character, and raised some pretty interesting challenges.
Security of the information
In my view, this will be one of the key points of the credibility of health information systems (HIS) in particular and the whole concept of Health 2.0 in particular. The citizens’ confidence that such systems are properly constructed, and protect his will be one of the keys to the adoption … information.
And I think the key is not only the security, but the trust, or perception of security … are already building systems like this: For example, in some health systems the patient name entered not only captured, stored and properly transmitted (SAFETY REAL), but to type it once each digit becomes an asterisk (perceived safety).
This point has to do with the fact that patients who share sensitive information with your doctor (certain diseases have a social dimension), watch the screen while you type it, and thus “feel” that the system is safe.
There are also various traditional disciplines in the world of security management, such as risk analysis, which can be exploited in health care settings to improve planning … For example, in the process of care to a patient, can be identified:
Threats (external elements to the process of care) that can happen, their likelihood and potential impact if they occur.
They can also identify the assets involved (health professionals, patients, information, materials … etc).
Vulnerabilities (weaknesses or internal process of care), as may be the lack of experience of the physician in a holiday period.
With all these factors it is possible to calculate the risk, and most importantly, make a plan that allows mitigate this risk by introducing measures of protection.
I know it’s a complicated stage and stating that I mention without any assessment … but would not it be interesting to apply some of the unfortunate incidents that have resulted in deaths this discipline, inexperience occurred by medical staff who took care of the attention? As usual, not about “rediscovering the wheel”, but rather to systematize the identification of potential risks.
With regard to the “classical” view of information security, from June 12, 2008 Fortunately you can turn to international standards” ISO 27999: 2008 – Health informatics – Information security management in health using ISO / IEC 27002 “This standard defines a set of controls and best practice guidelines for the management of health and safety information for healthcare organizations and other custodians of health information.
It is interesting to note that the standard focuses on ensuring a minimum required level of security appropriate to the organization and circumstances that will maintain the confidentiality, integrity and availability of personal health information.
The standard is based on the catalog of ISO 27002 controls, but raises the particularities of this type of environment, which is quite profitable. In any case, I encourage you to read it with a critical spirit, raising the real value in each organization (as are all more or less generic frames) … especially true given the complexity of standardizing processes (” there are no diseases but sick”).
Another point requiring special attention is the security of information as it is transmitted, as in the new approaches to health 2.0, it is considered likely that the patient use a large number of channels, ranging from SMS / MMS, chat, social networking, phone, fax, videoconferencing or telemedicine “to use” (with specific monitoring devices) …. Many channels pose a challenge to the security of health networks of the future, which should be sufficiently adaptable to make decisions based on the capabilities of each of these channels.
There is another category that is derived from the interaction of complex systems (invulnerability), which will be a large number of intersections in which they must make decisions that may affect the protection of information from patients or physicians.
In this sense, it is advisable to include as a factor in all possible designs interoperable architecture resulting safety and security of information.
The use of seems to be one of the best ways to solve the complexity associated with the use of various channels and systems, which depending on various factors must be able to decide if it is acceptable to transmit information or other …
Privacy and data protection
No doubt the quintessential area in which most citizens think (think) as is health challenges of the environment …. and it is no wonder, since the complexity of the processes of health , the number of actors involved in them and the applicable rules make the issue is deservedly into the limelight ….
As already mentioned, the main axis of confidence on which to work is the expectation of privacy of citizens. To further regulate the swilling Protection Act of Personal Data (and “recent” RD 1720/2007) there are other specific regulations that must be considered, as the Statute of the patient and rights and obligations clinical information and documentation, and presenting a complex scenario …
The personal data of patients should be treated by a large number of professionals with different interests , which causes many times the objectives of privacy and data protection are divergent: There are various pressure groups that act in opposite directions (from associations sick to professional associations through administrations … etc)
For example, no one questioned the use of our data on care clinic, but it is also the same data must then be processed by different groups with different needs, which is complex reconcile all the roles:
Areas of Public Health, which should be treated appropriately blinded and anonymous data … which at times is not useful, because the basis on which work is the quality of data (“if anonymised data is found in a male disease that only has an impact on women … how I can contact the originating center for review?”).
Epidemiology, focusing on the treatment of outbreaks, identical problems to Public Health (usually a subset) but with a significant time pressure in the event of pandemics, which sadly is current with Influenza A.
Administration, I focused on aspects of administrative management of the care provided.
Research groups and must be a consent and complete anonymisation of personal data.
Still, the process of anonymization or distortion of data, if not carried out properly (what happens in a surprisingly high number of cases) can allow the use of techniques of re-identification of patients or medical staff included in the files as he commented yesterday Enrique Dans in his blog.
In any case, it remains in full force the need for awareness of the need to comply strictly the security measures, both legal as established by the organization. The other day an expert environmental health commented:
Security and protection of personal data [… on the environment sanitation …] it is taken (by ICT professionals) as an additional value (attribute) of things to do, work that is “real”.
The law (and risks) is ahead of the feeling of the Spanish society and organizations have an improved degree of maturity.”
The last point that should be considered is the derivative of services aimed at creating groups or communities in which patients and physicians collaborate via the Internet, where privacy should be introduced as a requirement of the system (its operation would be similar to social networking with the challenges it poses).
There are two interesting aspects on which pose challenges associated with business continuity disaster related to the health sector:
It is less common than would be expected that agents in the chain of provision of health services (hospitals, health centers … etc) they have a continuity plan.
It is important, given the increasing complexity and dependence on IT systems by them, which plans and protective measures to allow it to operate on minimum upon the occurrence of a disaster that disables all or part of a process is defined. … This can be since there is a loss of connectivity until a picket blocking the entrance to the hospital or it is saturated by a global accident.
In these scenarios should be mechanisms (pre-planned, not improved) that define the steps (refer patients to area hospitals, p.ejemplo) and how to restore a minimum level of service.
With respect to other organizations and companies, the Influenza A has opened the eyes on stage in a short time a significant amount of the workforce (60%!) can be affected by the pandemic and be low, or that considers that the headquarters of the company’s risk zone and is closed in a quarantine.
In these cases, companies must activate secondary processes (telecommuting) to allow maintain a minimum service, and not opening vulnerabilities with this process … (Javier wide Cao in his blog theme in this great post).
These ideas are just some of the situations I can think we will have to raise IT professionals Health in the short / medium term, but I’m sure there are many more … What do you think are missing? What is the relative importance?