The health information system security threat lifecycle: An informatics theory

https://doi.org/10.1016/j.ijmedinf.2009.08.006

Abstract

Purpose

This manuscript describes the health information system security threat lifecycle (HISSTL) theory. The theory is grounded in case study data analyzing clinicians’ health information system (HIS) privacy and security (P&S) experiences in the practice context.

Methods

The ‘questerview’ technique was applied to this study of 26 clinicians situated in 3 large Australian teaching hospitals (across Victoria). Questerviews rely on data collection that applies standardized questions and questionnaires during recorded interviews. Analysis (using NVivo) involved the iterative scrutiny of interview transcripts to identify emergent themes.

Results

Issues including poor training, ambiguous legal frameworks containing punitive threats, productivity challenges, usability errors and the limitations of the natural hospital environment emerged from empirical data about the clinicians’ HIS P&S practices. The natural hospital environment is defined by the permanence of electronic HISs (e-HISs), shared workspaces, outdated HIT infrastructure, constant interruption, a P&S regulatory environment that is not conducive to optimal training outcomes and budgetary constraints. The evidence also indicated the obtrusiveness, timeliness, and reliability of P&S implementations for clinical work affected participant attitudes to, and use of, e-HISs.

Conclusion

The HISSTL emerged from the analysis of study evidence. The theory embodies elements such as the fiscal, regulatory and natural hospital environments which impede P&S implementations in practice settings. These elements conflict with improved patient care outcomes. Efforts by clinicians to avoid conflict and emphasize patient care above P&S tended to manifest as security breaches. These breaches entrench factors beyond clinician control and perpetuate those within clinician control. Security breaches of health information can progress through the HISSTL. Some preliminary suggestions for addressing these issues are proposed.

Study limitations

Legislative frameworks that are not related to direct patient care were excluded from this study. Other limitations included an exclusive focus on patient care tasks post-admission and pre-discharge from public hospital wards. Finally, the number of cases was limited by the number of participants who volunteered to participate in the study. It is reasonable to assume these participants were more interested in the P&S of patient care work than their counterparts, though the study was not intended to provide quantitative or statistical data. Nonetheless, additional case studies would strengthen the HISSTL theory if confirmatory, practice-based evidence were found.

Introduction

Electronic health information system (e-HIS) frameworks are being pioneered worldwide to improve standards of patient care. For this work, the term ‘health information system’ (HIS) describes the unified collection of different types of information systems used by clinicians in health services [1]. By contrast, the term ‘health information technology’ (HIT) refers to the devices and computer networks that support the information system rather than the system itself [2]. The acronym ‘e-HIS’ refers to a HIS supported by HIT. As more practices adopt e-HISs, robust privacy and security (P&S) implementations have become increasingly relevant in patient care settings [3]. ‘Privacy’ concerns control over access to oneself and associated information, including health information, while ‘security’ refers to all measures that protect information privacy [4], [5]. P&S implementations are those preserving the data confidentiality, data integrity and the data availability of patient information on an e-HIS [5]. Securing private patient information remains one of the more pressing problems in modern health care provision [6]. Therefore, this paper seeks to improve our understanding of elements affecting P&S in the practice context by proposing the concept of the health information system security threat lifecycle (HISSTL) theory.

Informatics literature about the application of HIT to secure private patient health records tends to be inconclusive [7], [8], [9], [10], [11]. A series of studies suggest the shift to computerized systems enhances clinical P&S and may improve patient health outcomes overall. Other studies suggest that the application of HIT can actually cause security problems. The problems, generally inherent to standard HIS design, manifest in many clinical contexts [12], [13], [14], [15], [16], [17], [18], [19]. An e-HIS poses both potential risks and benefits with respect to the security of patient care practice [7], [10]. Westbrook et al. and others argue that the extent to which computers actually deliver benefits for HIS P&S relies upon multiple technical and workflow issues centred on e-HIS usability [12], [10]. Thus, many theorists suggest that usability concerns underpin key e-HIS P&S experiences of the way clinicians work to provide patient care in the practice context.

Table 1 illustrates the knowledge distilled from relevant publications. The table shows that while usability is a key characteristic of key e-HIS P&S experiences of the way clinicians work to provide patient care in the practice context, other variables also influence these experiences. Preliminary analysis of pertinent publications highlighted seven key P&S characteristics of an e-HIS.

Data fragmentation was reported as a threat because clinicians did not update e-health records contemporaneously. Conversely, e-HISs also controlled this threat in clinical settings through standardized data formats [6], [21], [22], [32]. ‘Data fragmentation’ is a term referring to records that are scattered, incomplete or isolated [1].

  1. The universal application of an e-HIS may mean the end of the clinical need for transcription where appropriate e-HIS applications are available. However, transcribing data remains a transitory challenge for countries which have not fully implemented usable e-HIS applications in their hospitals [29], [41], [6], [32]. Still others showed that time-poor clinicians collude with unqualified staff over access controls to transcribe handwritten records into computers at the end of a work shift [26], [23], [27]. Transcription is a common source of security error on patient records, resulting in partially used, fragmented health systems leading to incomplete patient care information [41], [3], [16], [19].

  2. A range of usability errors, from never-ending system demands and challenging user interfaces to time costs, is attributed to e-HISs, thereby increasing both the number and range of data confidentiality, integrity and availability threats [29], [17]. Usability measures how easy, controllable, intuitive, and satisfactory it is for users to work with systems and devices in specific environments [42], [30]. However, other publications show that robust P&S implementations on computerized systems reduce the number and range of threats to HISs due to electronic audit trails and individual logon processes [11], [32].

  3. The time cost associated with e-HISs results in productivity trade-offs. The trade-offs are due to skills shortcomings and interruptive and obtrusive e-HIS workflows [15], [10], [34]. By contrast, other studies focus on the efficiency that e-HISs afford to clinicians, such as eliminating the need to duplicate information over a range of services due to improved information sharing practices [1], [32].

  4. The table shows publications indicating that e-HISs are more auditable than paper systems due to robust access controls [35], [20], [39]. Still other publications suggest clinicians collude with other staff, such as by sharing passwords, so audits of e-HIS access cannot identify the actual end-user [6], [37], [22], [38].

  5. It seems IT magnifies pressure on already inadequate health budgets due to training, capital equipment and maintenance costs, not to mention interoperability shortcomings. Often two applications on a single computer cannot interoperate, let alone applications on different computers or in different rooms, buildings or other locations [3]. Conversely, other research finds evidence suggesting e-HISs are more cost-effective than other systems due to the eradication of data fragmentation and duplicated work [35], [39], [22].

  6. Finally, Table 1 shows findings that suggest the magnitude of P&S threat, which cannot ever be completely eliminated, is far greater on e-HIS than on other systems [40], [33], [39]. By contrast, other results suggest robust protection of data on e-HIS controls information threat while ensuring the data is constantly available and accurate for clinicians providing patient care over more than one location or period of time [20], [43].

At the same time, international confusion over privacy jurisdictions has prompted professional organizations, such as the Australian Medical Association, to ask health authorities to determine consistent and unequivocal P&S rules to ease understandable clinical confusion about protecting the confidentiality of patient records [3], [44]. Contradictory laws and policies at various government levels have fostered widespread confusion about ways to mitigate HIS P&S risks [3], [37], [44]. As a result of this confusion, the security advice that many clinician associations across the globe are able to provide to members remains general.

If they existed, national or international standards might alleviate the confusion [3]. Standards document specifications against which a series of best practices for a process or technology can be measured [37]. In the absence of a national information security standard, “HB174-2003 Information security management—Implementation guide for the health sector” outlines practical HIS security measures for Australian clinicians [45]. HB174-2003 acknowledges the P&S information vacuum that clinician associations highlight and provides a common information security management reference for the health sector [45].

Many clinicians’ perceptions of productivity are bolstered by the Oslerian tradition, which may be understood in a range of ways [46]. The tradition generally incorporates ethical beliefs designed to improve patient health care outcomes. It often refers to internal medicine (treatment and diagnoses that do not require surgery), although the Oslerian tradition sometimes refers to medicine in general.

As Bryan (1994) points out, the tradition can also refer to the enduring influence William Osler's life has had on generations of clinicians. It can refer to a professional hero or icon, or the ideal of academic humanism in medicine [46], [47]. The Oslerian tradition is an implicit part of clinical commitment to the quality of patient care outcomes [46], [47], [48], [49]. Yet it has been neither operationalized nor refreshed since its inception in the 1800s, well before computers were applied in health care settings [46]. The tradition is an implicit part of clinician training and practice, and modern-day clinicians are implicitly influenced by it, although no-one actually understands what it means [47], [48], [49], [50].

Evidence of clinician commitment to the Oslerian tradition can be found globally in organizations named after William Osler. Commentaries and studies of it in academic journals, and training advice as to associated methods and systems of patient care abound [47], [48], [50], [51], [52], [53]. Although modern day clinical practice is implicitly influenced by the tradition, it is rarely articulated as such.

Clinicians are also influenced by the notion of primum non nocere, “do no harm”. “Do no harm” is as much at the ethical core of professional clinician values as are other Oslerian concepts, such as maintaining a “virtuous approach to medicine” [46], [52]. Consequently, this work considers the term “the Oslerian tradition” as incorporating a commitment to high quality patient care outcomes and clinical notions of “do no harm”.

The key aim of this paper is to present and discuss case study data collected for a dissertation about clinicians’ real-life e-HIS P&S experiences in the practice context [54]. Analysis of the data drove the development of the HISSTL theory introduced in this paper. The HISSTL contributes a fundamental structured understanding of P&S practice based on empirical data and current literature to support established and emerging international e-health initiatives.

The main objective of the research was to answer the following research question—“How do clinicians work with HIS P&S to provide patient care?” The emphasis was on how clinicians actually used HIS P&S in practice settings at public hospitals, not what the literature, regulatory environment or local health authorities said they should be doing. To investigate this question we interviewed clinicians who worked with e-HIS to care for patients.

The broad research question was broken down into four sub-questions. Each question addressed clinical work in practice settings and is outlined here. The questions are as follows:

  • What influences clinicians’ P&S practice?

  • How is P&S practiced?

  • How does the regulatory environment affect clinical work? and

  • Why does a P&S practice manifest itself in patient care environments?

The research questions provided a rich source of qualitative data to analyse HIS P&S practices within the real-life context of patient care tasks.

Methods

A qualitative, case study, research approach was applied to this study because it furnished a contextual explanation of clinicians’ beliefs about e-HIS P&S implementations in patient care settings. It enabled us to pose ‘how’ and ‘why’ questions to clinicians [55]. The case study provided a depth of understanding about a phenomenon that has been previously investigated with inconclusive results while laying the groundwork for good e-HIS P&S research in the future [56].

Results

This section summarizes participant accounts of HIS P&S implementations in practice settings, as is illustrated in Table 4. It breaks down the broad research theme into sub-questions about four concepts that were either beyond clinician control or ostensibly, within control (albeit provided via natural hospital environments (NHEs)) because there is no technical reason for their continued existence in an NHE. The first concept summarizes participant evidence about influences on clinicians’ P&S

Discussion

Fig. 3 describes a framework based on the abstract themes that were grounded in the case study results and linked together by the data analysis. This framework outlines two major aspects of P&S—factors which are beyond the control of clinicians and factors that can be seen as within control of clinicians. The framework establishes a well-grounded conceptual understanding of factors influencing clinician HIS P&S practices in Australian public hospitals. Supported by the evidence, the framework

Conclusion

Pervasive computer use in NHEs has changed the boundaries of HIS P&S practices forever. There are many competing claims about how e-health influences the P&S of patient information, while current approaches by governments, health authorities and hospital management are inadequate. Consequently, this manuscript contains the first significant study of the changed boundaries of HIS practices to analyse the way Australian clinicians actually work with the P&S of patient information in the practice

Authors' contributions to study

The authors, Juanita Fernando and Linda Dawson, made the following contributions to the study: (1) the conception and design of the study, acquisition of data, analysis and interpretation of data, (2) drafting the article and revising it critically for important intellectual content, (3) final approval of the version to be submitted.

The manuscript reports findings from original research conducted for Dr. Fernando's Ph.D. Thesis. No other body has copyright over it and, with the exception of some

Acknowledgements

We extend our sincere thanks to the reviewers and acknowledge their valuable critique, which informed this manuscript.

References (63)

  • J.D. Ralston et al. Patient web services integrated with a shared medical record: patient use and satisfaction. J. Am. Med. Inform. Assoc. (2007)
  • CEN/TC 251, Guidance [web page] 2006 5 June 2004, Available from: <http://www.centc251.org/> (cited...
  • Southeast Wyoming Telehealth Network (SEWTON) SWTN, Telemedicine terminology, 2008, Available from:...
  • J. Fernando. Factors that have contributed to a lack of integration in health information system security. JITH (2004)
  • I. Cheong. Privacy and security of personal health information. Inform. Prim. Care (1996)
  • M. Paterson. Freedom of Information and Privacy in Australia: Government and Information Access in the Modern State. (2005)
  • J. Fernando et al. Clinician assessments of workplace security training—an informatics perspective. eJHI (2008)
  • A. Garg et al. Effects of computerized clinical decision support systems on practitioner performance and patient outcomes: a systematic review. JAMA (2005)
  • W. Hersh et al. A systematic review of the efficacy of telemedicine for making diagnostic and management decisions. J. Telemed. Telecare (2002)
  • R. Koppel et al. Workarounds to barcode medication administration systems: their occurrences, causes, and threats to patient safety. J. Am. Med. Inform. Assoc. (2008)
  • S. Kripalani et al. Deficits in communication and information transfer between hospital-based and primary care physicians: implications for patient safety and continuity of care. JAMA (2007)
  • J.S. Ash et al. The unintended consequences of computerized provider order entry: findings from a mixed methods exploration. Int. J. Med. Inform. (2009)
  • E. Balka et al. Technology, governance and patient safety: systems issues in technology and patient safety. Int. J. Med. Inform. (2007)
  • Y.Y. Han et al. Unexpected increased mortality after implementation of a commercially sold Computerized Physician Order Entry system. Pediatrics (2005)
  • R. Koppel et al. Role of computerized physician order entry systems in facilitating medication errors. JAMA (2005)
  • NEHTA, Privacy blueprint on unique healthcare identifiers—report on feedback [homepage on the internet-report] 2007...
  • D.J. Protti, The use of computers in health care can reduce errors, improve patient safety, and enhance the quality of...
  • S. Timmons. Nurses resisting information technology. Nurs. Inq. (2003)
  • K. Bisset, Unscripted errors [news story] 2006, Available from:...
  • R. Black et al. Variation in the transcription of laboratory data in an intensive care unit. Anaesthesia (2004)
  • J.F. Rodriguez-Vera et al. Illegible handwriting in medical records. J. R. Soc. Med. (2002)