eHealth - electronic health care services

eHealth

electronic health care services

Flavio Gerbino
by Flavio Gerbino
time to read: 18 minutes

The trend towards digitization of healthcare is obvious. It’s summed up by eHealth, a term now ubiquitous in the media and which refers to all the digital and information technologies that affect healthcare. This can encompass a multitude of different processes, services and resources that make use of information technology to structure and support healthcare functions. These digitization activities have taken place under the label of eHealth.

The term can also reflect a broad diversity of goals. The coordinating body of the federal eHealth Suisse uses the term: My healthcare information. At the right time, at the right place., also refers in a general sense to an increase in efficiency, improved quality, heightened security and promotion of the economic sustainability of existing health service processes. Here – and this is a point that is often misunderstood – technology should not be the primary focus. Information security and data protection should assume the highest priority.

Technical innovations should indeed support and strengthen existing processes and structures through electronic imaging. But eHealth is also positioned and established as a substantial driver for overall considerations, improvements and innovation within the structure of healthcare services.

In more specific terms, we can expect opportunities for improvement in the following areas:

The implementation activities in these action areas are expected to create the essential organizational, normative and technical foundations that are key to the development of eHealth. They are:

This is not about vision or strategy, but a rapidly advancing reality. The Swiss parliament adopted the federal legislation on the electronic patient record (EPDG) on June 19, 2015. The law is set to come into force in 2017, and paves the way for new opportunities in electronic health services:

The finance sector: catch-up and comparison

Although it has come much later, the healthcare sector is currently experiencing the kind of explosive expansion and penetration that revolutionized the finance sector.

We can draw a broad analogy here with developments in the finance sector. Analog approaches were digitized, transferred to mobile platforms and automated as far as possible.

Analog Digital Mobile Automated
Analog banking eBanking Mobile banking (mBanking) Fintech
Analog health care eHealth Mobile health (mHealth) Health-tech (vision)

The difference is most apparent in the perspective of risk: in the finance sector, risk means the loss of money; in the healthcare sector, extreme risk can mean the loss of lives. This fact should be borne in mind when considering eHealth.

Clearly, the healthcare sector has a lot of catching up to do when it comes to digitization in medical and healthcare administrative areas. The networking of such a sensitive and complex area as the healthcare sector is associated with considerable risks. This is particularly true when digital usage is expanded and intensified in every direction, bringing it closer to the patient and closer to the doctors, specialists and healthcare personnel in general.

Paradigm shift, acceptance

At the same time, we must not ignore the complex issues and risks implicit in this approach of IT and medicine. It will require a comprehensive paradigm shift on the part of all concerned. Hospitals, clinics, medical practices, administrative functions in the healthcare sector, and doctors and patients must all accept the new conditions, and recognize their potential and benefits in order to generate added value and an overriding sense of purpose for themselves and for society.

This means that questions concerning the minimum requirements for security standards must be treated categorically. And we must remember that ultimately it all comes down to people. The implementation of new technical systems alone will amount to little if we do not introduce clarity around the high security requirements that the sensitive nature of health data demands.

Technology should follow process. It is important that processes are first mapped in their entirety and allotted to clearly defined specialist requirements in order to stimulate public discourse.

Information protection and data protection

Data protection assumes a particular importance when it comes to the sensitive health data of patients in digital form. Clearly, with the expanded availability of patient data, a categorical assurance should be given that all health professionals and involved parties with access to electronic patient data must comply with the same strict rules of medical professional confidentiality and data protection.

The basic problem is readily apparent – the more people with knowledge of sensitive, confidential data, the less secure it is and the more difficult it is to maintain privacy. The rights of patients in relation to their health data must also be rigorously secured. Here, data protection advocates and experts see diverse risks and challenges. Data protection violations may occur through (Swiss eHealth Forum, paper by Dr. Georg Sasse):

It is worth bearing in mind that hospital employees are both the most frequent offenders and the most likely victims in terms of data protection violations.

We know that information processes between patients, general practitioners, clinics, hospitals, laboratories and pharmacists, etc, are not always efficient or error-free. This raises the risk of medical error and unnecessary duplication of treatment.

As the complexity of procedures in the healthcare sector increases, so too does the volume of information about patients and the number of professionals and authorities that require access to this data to ensure efficient treatment. The electronic patient record aims to compensate for this loss of efficiency by enabling proper access.

An important point is that patients must be able to decide themselves whether they want an electronic patient record. They must also retain the right to determine who can view and access their records, and to what extent. As this affects sensitive data in particular, neither employers nor health insurance authorities should have access to this data. A new identification number will be introduced to clearly identify patients and attending doctors.

The electronic patient record has the potential to improve the quality, safety and efficiency of treatment. Its introduction is a response to a pressing current need, but proper data protection is vital. Patients must have control over their own data at all times.

HIPAA digression

In the US, for instance, advances in data protection repeatedly emerge as a consequence of previous data protection incidents. But a comprehensive, overarching federal law on data protection does not exist. Consequently, regulations to determine the way companies and organizations use, store and process personal data, and the safeguards that should be in place, are lacking.

Instead, individual collections of various laws, regulations and standards exist both at federal and state level. One notable example of this kind of regulation in the healthcare sector is the HIPAA standard.

HIPAA stands for the US Health Insurance Portability and Accountability Act, which codifies the strict specifications that companies in the healthcare sector must observe in order to guarantee the protection of patient data. The HIPAA specifications have a broad scope that extends from health insurers and settlement agents to all healthcare service providers. It thus applies to all entities that come into contact with patient information.

Companies or organizations subject to the HIPAA may deviate from the guidelines only with the express consent of the patient. The HIPAA requires affected entities to take adequate measures to protect patient information from conceivable threats and risks, and unauthorized access, usage or disclosure.

Violation of the rules may result in severe civil and criminal penalties. So despite the ad hoc emergence of US guidelines, it would be a mistake to assume that a guideline violation or a data breach are regarded in the US as only a minor offense.

HIPAA standard at a glance

The primary requirements of the HIPAA are captured under Part 164 – Security and Privacy. Among the top-level extracts of this specification are (extract from Part 164):

Subpart Description
102 Statutory basis
103 Definitions
104 Applicability
105 Organizational requirements
106 Relationship to other parts
306 Security standards: General rules
308(a)(1) Administrative safeguards: Security management process: Preventing, detecting, containing and correcting security violations
308(a)(3) Workforce security
308(a)(4) Information access management – implementation of policies and procedures for the authorization of access to electronic protected health information
310 Physical safeguards
312 Technical safeguards
312(a)(1) Access control
312(b) Audit controls – recording and examination of activities in information systems that contain or use electronic protected health information.
314 Organizational requirements
316 Policies and procedures, and documentation requirements
316(b)(1) Documentation – maintenance of written (which may be electronic) reports on actions, activities and assessments.
502 General rules: Uses and disclosures of protected health information
504 Uses and disclosures: Organizational requirements
506 Uses and disclosures to carry out treatment, payment or healthcare operations
508 Uses and disclosures for which an authorization is required
510 Uses and disclosures that require patient consent
512 Uses and disclosures that do not require patient consent
514 Other requirements relating to uses and disclosures of protected health information
520 Notice of privacy practices for protected health information
522 Rights to privacy of protected health information
524 Access of individuals to protected health information
526 Amendments to protected health information
528 Logging and tracking of disclosures of protected health information
530 Administrative requirements
532 Transition provisions

The most important measures that companies subject to the HIPAA (covered entities) must fulfill:

The HIPAA security measures focus on protection of data integrity, confidentiality and availability of electronic personal health information (EPHI):

Parallels with other known standards (e.g. ISO)

However, ISO has already launched standards intended to address the more specific security requirements of the healthcare sector. For example, ISO 27799 for IT security in health based on ISO 27001 and 27002 – Guidelines for information security management.

Standard Title
ISO 27799:2014 Health informatics – information management in health using ISO/IEC 27002
ISO 27789:2013 Health informatics – audit trails for electronic health records
ISO/TS 14265:2011 Health Informatics – classification of the purpose of processing personal health information
ISO/TS 17975:2015 Health informatics – principles and data requirements for consent in the collection, use and disclosure of personal health information

These standards have been developed to reflect the specific requirements of the highly sensitive healthcare sector beyond the normal IT security sphere. The healthcare sector is subject to a strong dynamic in the field of IT, not least because much medical equipment is now directly connected to IT networks and marked by a hugely enhanced accessibility.

Numerous advances in eHealth development have led to the digital performance and shared networks of many functions and processes in medical practices, hospitals and clinics, and medical supply centers, and, as we have seen, traditional patient records and files are gradually being digitized:

As we have seen, these developments have a significant data protection component. From this perspective, the establishment of such minimum standards appears to be common sense.

With eHealth this results in new aspects of IT security for the healthcare sector. Despite the broad scope and the cross-sector nature of the ISO 27001 family, the relevant standards and specifications related to IT security must acknowledge and adapted accordingly to the specific nature of the healthcare sector.

For the standard ISO 27799:2008 Health informatics – information security management, this results in the following structure and breakdown. Sections 3, 5 and 7, and annexes A and B reflect guidelines that acknowledge the specific nature of the healthcare sector:

Challenges and priorities of eHealth

Although data security plays a central role in the eHealth debate and is currently the subject of widespread discussion among experts, it is striking that many people know little about the topic. This applies to patients as well as many other stakeholders in the healthcare sector. Precautions to increase data security at the technical, organizational and normative levels are of little use if the information and training aspects are ignored.

Data protection violations can be one of the most significant security problems a company faces. With the introduction of the electronic patient record, this applies all the more to hospitals, clinics, medical practices, etc. Infrastructure suppliers and IT service providers in the healthcare sector should therefore collaborate and define a robust and rigorously observed minimum standard.

As benefits increase, so too do the challenges associated with data security arising from the free movement of data between the networks of all relevant parties. In the future, technologies such as cloud computing and mobile computing (mHealth) are likely to assume even greater significance, in turn heightening the risk even more.

When we consider the breakneck progress of the mobile health field (Keyword IoT, Internet of Things), further problems emerge, such as a massive increase in data volumes (Big Data), as well as the need for legal provisions that allow data evaluation (data mining) in line with legal and ethical standards (prevention of profiling, etc.). Since the fundamental right to protect one’s own health data naturally applies, and particularly in mass data processing.

Furthermore, in the longer term, joint interoperability standards and procedures should be established in a national, European and international context to ensure that electronic health services can exchange information across borders and communicate with each other as required, in compliance with agreed minimum standards of data protection, for the benefit of the patient.

Source

Federal Office of Public Health FOPH

Organizations, forums

Federal Data Protection and Information Commissioner (FDPIC)

Standards

About the Author

Flavio Gerbino

Flavio Gerbino has been in information security since the late 1990s. His main areas of expertise in cybersecurity are the organizational and conceptual security of a company.

Links

You want to bring your logging and monitoring to the next level?

Our experts will get in contact with you!

×
I want a "Red Teaming"

I want a "Red Teaming"

Michael Schneider

Human and AI

Human and AI

Marisa Tschopp

Vehicle forensics

Vehicle forensics

Michèle Trebo

Isn’t business continuity part of security?

Isn’t business continuity part of security?

Andrea Covello

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here