Safeguarding Hospitals From Data Infections

As electronic medical records, mobile devices and cloud computing become inextricable parts of the healthcare environment, we are facing new risks of data security breaches. It is time for us to investigate how safe our hospitals are from such data-related infections.

By Shally Makin, Elets News Network (ENN)

Hospitals are a great source of information – not only about patients, but also about staff members. There have been instances in hospitals where, once a system was hit by malware, the staff had to be sent back to work on paper records. The virus disabled the interconnectivity of hospital computers, so the devices could not communicate internally and share information. The increased use of electronic medical records, mobile devices and cloud computing in the healthcare environment is also increasing the risk of data security breaches. Regulators are already conducting rigorous security compliance reviews to address the serious nature of security complaints. In addition, phase I requires hospitals to perform a security risk analysis and to address all identified security deficiencies as part of their risk management process. Security issues have long been under discussion and are a major drawback that can impede an organisation’s risk management strategies. The Health Insurance Portability and Accountability Act (HIPAA) and Health Level Seven (HL7) passed in the USA, which are now universally accepted, have laid down rules for access, authentication, storage and auditing, and transmittal of electronic medical records to address privacy concerns.

On the other hand, industries and hospitals are coming together to offer and implement new possibilities to bring innovation into the clinical app development. Tamil Nadu Government’s uniform health information system project was implemented by Tata Consultancy Services (TCS). This mundane building has showcased progress of electronic data basing of hospital records in the country. Microsoft tablets offer new possibilities for clinical use, but software vendors will need to bring new innovation to clinical app development. There is a huge demand in the healthcare fraternity for iPad and tablets, and these devices need to be integrated with the HIS and EMR systems of the hospitals. This actually puts hospital IT and the vendors on notice that they need to start innovating. “At the clinic and small hospital level, EMRs are used by 3-4 percent of the clinics; 16-18 percent of the clinics use some sort of a hospital or clinic management system. Core USP of an EHR is believed to be a simple to use tool, tailored for small to medium hospitals and highly secure. The installation costs can vary between ₹50,000 to ₹3 Lacs depending on the size of the organisation. This excludes licensing costs as well as cost for change requests in the system asked for,” says Nrip Nihalani, Director, Product Management, Plus 91.

An accountability tool embedded in an electronic health record system could help reduce unnecessary paper reports embedded in files with X-ray and CT scan images. Such practices can expose patients to unnecessary radiation and increase healthcare costs. Lalit Surana, Chief Technical Officer, Easy Clinic says, “We have a game-changer in offing, an enterprise grade EMR solution to manage all aspects end-to-end of a medical institution. Advantages of cloud in an environment which needs a high degree of scalability is many fold, and, it poses no extra risk as compared to a typical out-of-the box dedicated hosting. There really need not be a conflict in using a cloud and achieving security compliance.”  Doctors may order fewer lab tests when they have access to a patient’s electronic medical records, but the efficiency may be confined to state-of-the-art records exchanges for now. The great thing about EMR is that it allows patients to become empowered and play a much bigger role in their own medical care. They will reduce medical errors, and encourage openness and transparency. They will also help to save the patient’s time and money, because they will not need to go to the doctor’s clinic for every minor problem.

MV Saneesh, Senior Manager-ICT, GCS Medical College Hospital & Research Centre believes, “Cloud computing is anticipated as the inevitable necessity of future computing, healthcare domain could not ignore the imperative advantages of the technology.  Penetration of EMR is limited to select hospitals and few set standards from NABH could make a difference.”  He adds, “The challenge faced by hospitals is the total cost of ownership and change management. However such scenario is not foreseen in near future, anywhere any time accessible EHR/EMR could ensure better patient safety and quality care delivery. In lighter side few people comment ‘Cloud is more secure, as it’s away from insiders’.”

With the advent of EHRs – digitised medical history, a doctor would be able to deliver care with improved quality on the premises of information sharing/exchange. A study in the US found that 80 percent of consumer adoption of interoperable EHRs could result in a net savings of USD 19 billion/ year. On the other hand, unavailability of complete and accurate medical history often leads to extensive or repeated health examinations which delay timely treatment and increase costs. “LV Prasad Eye Institute has made every effort to upgrade technology. eyeSmart –indigenously built Electronic Medical Records (EMR) was made with a view to facilitate electronic retrieval of medical records across their pyramid model of eye care from remote rural primary care units to tertiary level experts in cities,” says Dr Usha Gopinathan, Executive Director, LV Prasad Eye Institute.

In a cloud offering, more control can be exercised with a private cloud, but the concerns of human threats (hacking), natural environment threats and technology failures still loom, as they do with a public cloud. With healthcare interoperability becoming more normal, institutions shall adopt globally accepted standards, which are seriously addressing privacy concerns on a global basis. Logica has proven systems and processes to ensure patient confidentiality and role-based access solutions to support ‘Secure data collection’, ‘Reporting that demonstrates patient safety via KPI’s’ and ‘Evidence for the Annual Health Check with the Healthcare Commission’, says Vijayshankar Andani, Senior Product Manager – Healthcare, Logica.

Adopting EHRs would not only help immediate users such as healthcare providers and patients/citizens, but also other healthcare stakeholders – insurance, government. When the wealth of health information from the nation’s populace is available, the government can identify disease patterns and health afflicted regions, and direct its effort towards improving the same.

HIPAA Compliant

Dr Vinoy Singh, Head, Health Informatics, Srishti Software

EMR adoption in India is approximately around 18 percent of all hospitals. There are several reasons contributing to the slow pace of adoption. First, the majority of hospitals lack funds to invest in an EMR. Since the patient to doctor ratio is high, doctors usually work long hours. Out of exhaustion, they prefer to write the prescription manually rather than spend more time with one patient and enter their details in an EMR.

Below are the key differentiators of PARAS EMR:

-  Structured EHR centric clinical modules - nursing, clinical assistant, consultant and OT conforming to global standards
-  Structured clinical information exchange mechanism
-  ‘Clinical Library’ to handle Specialty specific form sets; patient education material and templates (consent forms, OT notes etc)
-  Seamless integration with LIS and RIS modules showing lab results and Image thumbnails
-  Medical drawings annotation module integrated with EMR
-  Provision of integrating CDSS
-  Ability to aggregate clinical data e.g. disease registry, maternity register etc

One of the main challenges that we face is user adoption of the new technology. It takes considerable training and encouragement to transform them into productive users. EHR can be a key to better patient care if used to its full potential. Its ability to integrate with any standard clinical system enhances patient portability. Further, availability of clinical information on real time basis helps in better diagnosis and improves the quality of patient care. Also, PARAS EMR can integrate with CDSS helping doctors in reducing diagnostic errors drastically.
PARAS EMR is HIPAA compliant to protect the security, privacy and confidentiality of patient data. When hosted on cloud, it is also compatible with stringent audit control of the cloud platforms.



Think Safe Rather than Big

M Vennimalai, CEO, Aavanor Systems

There has been a rapid increase in adoption of EMRs in the USA, where adoption in clinics has risen from 17 to 60 percent in a short span of two years. Adoption rates in hospitals have reached 87 percent according to some surveys. There is a high penetration level of state and central governmental insurance schemes in India. With schemes such as the RSBY and Arogyashree becoming very popular among the people and hospitals, it has become mandatory for hospitals to start the process of getting electronic medical records in place. We believe that there will be a significant increase of activity in the EMR space in 2012-13.

Our USP is the ‘Patent Pending’ eBook EMR. The design of our EMR interface is unique in the sense that it looks like a paper file and doctors and nurses can flip through it as they would the paper file they currently use. We have nearly 50,000 approved brands of medicines while the western countries have less than 5,000 because of their patent regimes. It is here that our offerings are superior as they have been designed specifically for the Indian context and improved over the last 10 years.

“Think Safe rather than Big” – this seems to be the dominant approach at this point and users seek high levels of validation and references from their peer group, thus slowing down the speed of adoption of new technologies.

Entry costs can be as low as ₹10 lakhs for a small hospital wanting to setup an EMR, and may go up to a few crores of rupees for the large facilities. But the cloud has brought about remarkable affordability for the EMR and users can start using our system on the cloud for as little as ₹2,000 per month. Apart from the low entry costs, users do not have to worry about servers, maintenance, etc.
Patient confidentiality of information on the cloud is typically protected in four ways. All data stored is encrypted. If someone maliciously or inadvertently accesses the data stored in the cloud, they only see ‘gibberish’ and won’t be able to make any sense of it without coming through the application as an authorised user.

VPN Access for clinicians and authorised users. This ensures that while the data is available from anywhere in the world, it is only available to those who have the appropriate VPN (Virtual Private Network) software setup on their computer. While accessing the application through a VPN, all the data transmitted to and fro is protected and cannot be easily hacked.

One time passwords (OTP) or passwords with a specific time period of validity add a significant level of security as hackers cannot reuse a password to gain access to the application and data.

Machine Identification – As care givers and patients are pre-identified by the system, repeat visits to the application are permitted only from a machine that is already known and identified by its unique serial numbers. Any attempt to log in from another machine is recognised and permitted only upon confirmation by a secondary form of identification.
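The OTP and machine-identification controls described above, sketched as an added example (not code from Aavanor Systems or from the original article): a time-based OTP per RFC 6238 that is rejected once used or expired, and a step-up decision when the machine is not yet known. The `LoginGate` class, the 30-second validity window and the machine names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds an OTP stays valid (assumed; the article gives no figure)


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = int(at // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class LoginGate:
    """Hypothetical policy: the OTP must be fresh and unused, the machine known."""

    def __init__(self):
        self.secrets = {}       # user -> shared OTP secret
        self.known = {}         # user -> set of enrolled machine identifiers
        self.last_counter = {}  # user -> highest time step already accepted

    def enroll(self, user, secret, machine_id):
        self.secrets[user] = secret
        self.known.setdefault(user, set()).add(machine_id)

    def _otp_ok(self, user, otp, now):
        secret = self.secrets.get(user)
        if secret is None:
            return False
        current = int(now // STEP)
        # Accept the current step and the previous one to tolerate clock skew.
        for step in (current, current - 1):
            # Skips steps already consumed (replay) and the negative step at t < STEP.
            if step <= self.last_counter.get(user, -1):
                continue
            expected = totp(secret, step * STEP)
            if hmac.compare_digest(expected.encode(), otp.encode()):
                self.last_counter[user] = step  # burn the step so it cannot be reused
                return True
        return False

    def login(self, user, otp, machine_id, now, second_factor_confirmed=False):
        """Return 'allow', 'deny' or 'step_up' (secondary identification needed)."""
        if not self._otp_ok(user, otp, now):
            return "deny"
        if machine_id in self.known[user]:
            return "allow"
        if second_factor_confirmed:
            self.known[user].add(machine_id)  # the machine is known from now on
            return "allow"
        return "step_up"  # OTP was consumed; the retry needs a fresh one


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real credential
    gate = LoginGate()
    gate.enroll("dr_rao", secret, "ward-pc-01")  # constructed user and machine
    otp = totp(secret, 59)
    print(gate.login("dr_rao", otp, "ward-pc-01", now=59))   # allow
    print(gate.login("dr_rao", otp, "ward-pc-01", now=59))   # deny (replayed)
    print(gate.login("dr_rao", totp(secret, 90), "home-laptop", now=90))  # step_up
```

Burning the accepted time step is what makes the password one-time; a validity window alone would still let a captured code be replayed until it expires.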

“The privacy issue does exist and cannot be wished away, how much ever the vendor promises about it. If someone wants to get his physical data and tries hard enough, he can do that too. Solutions can and should be found,” says Dr SB Gogia, Consultant Plastic Surgeon



Doctors Require Customised EMR
Dr Aniruddha Malpani, Medical Director, HELP – Health Education Library for People

Doctors who were early adopters had a bad experience with the first generation of EMRs available in India. Many of these EMRs were very crude and the companies which offered them went belly up, because they were start-ups who could not provide the handholding and service that the doctors needed. This bad experience coloured doctors’ perceptions of EMRs – and many still feel that it is just a lot of hot air, with a lot of promise but very little delivery. They are understandably sceptical and reluctant to try out the new EMRs, since they have already burnt their fingers.

Many EMRs are poorly designed; they are created by software designers, and while programmers do take input from doctors when they do the initial coding, they are still not user friendly. Sadly, most companies do not provide this kind of flexibility. Also, companies which sell EMRs to hospitals realise that this is potentially a big market. So they are leaving no stone unturned in trying to convince Indian doctors to start using EMRs. Companies are adapting their products, to make them doctor-friendly. They are also learning from the success stories in the USA. For instance, there is Practice Fusion, which offers cloud based EMRs to doctors, and has a very active doctor community.



Privacy in the Health Cloud

Aditya Mani, Director – Technology, Acuity Information Systems

High availability and massive scale on demand are the two forces that make a compelling case in healthcare for cloud computing as well as cloud storage. Cloud platform providers like Amazon Web Services (AWS) and Microsoft Azure ensure HIPAA compliance for Protected Health Information (PHI) addressing issues relating to physical location and security of data centres as well as policies relating to data deletion, backup and recovery in a virtualised cloud environment. While on one level the rules about information security and privacy need to be re-addressed for a virtualised cloud infrastructure, the emergence of universal identifiers like the UID to identify patient records requires providers to ensure PHI is adequately secured in a single instance, multi-tenant application used by various clinics and hospitals. While it is imperative and non-negotiable that two hospitals sharing PHI of the same patient (same UID) working on the same instance of the application must not be able to see each other’s data, the value of a converged ecosystem is truly realized if summarized PHI owned by the patient is visible to a provider of the patient’s choice subject to the patient’s consent. PHI stored on the cloud should be encrypted while data moving between the user and server should be across a Secure Sockets Layer (SSL) or HTTPS layer. While all these layers may seem to add complexity, it is evident that once a vendor has achieved the above in a cloud infrastructure, the same can be shared across the industry as a service rather than having the IT teams of every hospital investing in many such individual projects with varying degrees of compliance.

“Such iron-clad guidelines have often been labeled overkill from an Indian perspective due to their US-centric outlook, their underlying principles can offer a strong foundation for ensuring confidentiality and privacy of patient records on a health cloud.”
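The tenant-isolation and consent rule from the “Privacy in the Health Cloud” sidebar above, as an added example (not code from Acuity Information Systems or from the original article): two hospitals hold records for the same UID on one instance, each sees only its own full records, and a cross-hospital summary is released only to a provider the patient has consented to. The `HealthCloud` class, the choice of summary fields and the sample records are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed definition of "summarised PHI": only these fields ever cross tenants.
SUMMARY_FIELDS = ("allergies", "medications")


@dataclass
class HealthCloud:
    """Hypothetical single-instance, multi-tenant PHI store keyed by patient UID."""
    _rows: list = field(default_factory=list)     # (tenant, uid, record)
    _consent: dict = field(default_factory=dict)  # uid -> tenants the patient chose
    audit: list = field(default_factory=list)     # (event, tenant, uid)

    def add_record(self, tenant, uid, record):
        self._rows.append((tenant, uid, dict(record)))

    def grant_consent(self, uid, tenant):
        self._consent.setdefault(uid, set()).add(tenant)

    def revoke_consent(self, uid, tenant):
        self._consent.get(uid, set()).discard(tenant)

    def full_records(self, caller, uid):
        """Full PHI: the tenant filter is applied here, never left to the caller."""
        self.audit.append(("read_full", caller, uid))
        return [dict(rec) for t, u, rec in self._rows if t == caller and u == uid]

    def summary(self, caller, uid):
        """Cross-tenant summary: released only with the patient's consent."""
        if caller not in self._consent.get(uid, set()):
            self.audit.append(("summary_denied", caller, uid))
            raise PermissionError(f"{caller} has no consent for {uid}")
        self.audit.append(("summary_read", caller, uid))
        merged = {name: set() for name in SUMMARY_FIELDS}
        for _, u, rec in self._rows:
            if u == uid:
                for name in SUMMARY_FIELDS:
                    merged[name].update(rec.get(name, []))
        return {name: sorted(values) for name, values in merged.items()}


def build_sample():
    """Constructed data: one patient UID seen by two hospitals on the same instance."""
    cloud = HealthCloud()
    uid = "UID-0000-0001"
    cloud.add_record("hospital_a", uid, {
        "allergies": ["penicillin"], "medications": ["metformin"],
        "notes": "A: diabetic review"})
    cloud.add_record("hospital_b", uid, {
        "allergies": ["latex"], "medications": [],
        "notes": "B: hand surgery"})
    return cloud, uid


if __name__ == "__main__":
    cloud, uid = build_sample()
    print(cloud.full_records("hospital_a", uid))  # only hospital_a's own record
    cloud.grant_consent(uid, "hospital_b")
    print(cloud.summary("hospital_b", uid))       # merged summary, no clinical notes
```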



Securing Hospital Networks
Govind Rammurthy, MD & CEO, eScan

Can a hospital afford to provide unlimited bandwidth usage; will staff and clinicians use the guest network instead of the Enterprise WPA secured network because of the lack of monitoring, or probably because of an easier configuration? Moreover, with the number of phishing sites hosted online, can hospitals prevent users from accessing or being redirected to illegitimate sites? Again, what guarantee can they provide to patients of their digital records? After all, identity theft need not only be malware specific, hospital employees can also use this data for personal gains. In addition, mixing malware infected guest traffic with secure hospital applications is something any IT administrator will want to avoid.

eScan corporate edition is the Anti-Virus and Information Security Solution for large networks that is not only effective in securing the network, it is also very light on the system resources. With the web based eScan Management Console (EMC), network administrators can monitor and deploy a variety of security measures. To prevent usage of USB based devices, eScan comes with endpoint security. With endpoint security, network administrators can customise and monitor the needs of all connected machines.
Without the proper security suite installed, the chances of being infected are close to 95 percent. Their spread is rapid and the loss they can bring to hospitals can roll into millions. To curb such threats eScan comes with Host Intrusion Prevention System (HIPS), which monitors all the network activities on the system. This process is automated and does not require user or hospital administrators to intervene.



“US guidelines and underlying principles can offer a strong foundation for ensuring confidentiality and privacy of patient records on a health cloud,” says Aditya Mani, Director-Technology, Acuity Information Systems

“The primary healthcare segment in India receives no financial incentive from the central or state government. There are no legislative requirements being imposed on EMR vendors to encourage standardization,” says Lalit Surana, Chief Technical Officer, Easy Clinic

“Each node or PC within the hospital premises can be specifically blocked from accessing the internet. This not only increases the overall security of the network, but also prevents unauthorised users from gaining access to privileged resources,” says Govind Rammurthy, MD & CEO, eScan

“HIPAA has developed a framework to mitigate the risks from these threats that is comprehensive but not as specific as to limit the options of healthcare professionals who may have access to different technology,” says Vijayshankar Andani, Senior Product Manager – Healthcare, Logica

“Resistance from non-IT hospital staff is the last nail on the coffin. They require considerable amount of training before they can become productive users and many hospitals do not factor appropriate user adoption strategies and investments” says Dr Vinoy Singh, Head, Health Informatics, Srishti Software

“Technology solutions are available to ensure appropriate level of authentication and monitoring of sensitive data in order to secure privacy of a patient” says MV Saneesh, Senior Manager – ICT, GCS Medical College Hospital & Research Centre

“At the physician level, EMRs are used by 1-2 percent of the physicians; however 9-10 percent of the physicians do use some sort of software or computer based system for clinic data management” says Nrip Nihalani, Director, Product Management, Plus 91

“All in all, security of data on the cloud is today addressed to very satisfactory levels and often times, is a lot safer than data stored in the hospital’s servers” says M Vennimalai, CEO, Aavanor Systems


