1 Jul 2022

Risk Management Plan for Electronic Health Records System

Format: APA

Academic level: Master’s

Paper type: Assignment

Words: 2001

Pages: 4

Electronic health records management systems present medical facilities with a wide range of benefits. These benefits include improved patient outcomes, a decline in medical errors and a reduction in operating costs (Menachemi & Collum, 2011). Given the many benefits that EHR systems deliver, it is little wonder that an increasing number of medical providers are embracing these systems. As they adopt the new systems, the facilities need to be wary of various risks. Left unaddressed, these risks could impair the delivery of medical services (Yanamadala et al., 2016). Pivotal to any health institution is implementing risk management plans to address the various issues associated with safety and handling of patients’ health records, which can help avoid compromising patient outcomes.

Project definition 

The project involves a medical provider that wishes to move its patient records to the cloud. Cloud computing is redefining nearly all human pursuits. It presents such benefits as lower costs and easier access to data (Marston et al., 2011). Whereas it is true that cloud storage is largely beneficial, it also presents challenges and risks. If the medical provider in the project is to be successful, it needs to address these challenges. The following are the risks and the corresponding threat level that the provider is likely to face:

Privacy violations: High

Cloud provider downtime/outage: Medium

Security breaches: Medium

Data loss: Low

Loss of control over data: Medium

Government surveillance: Low

Unauthorized access: High

Consequences of risks 

In general, the risks listed above present negative consequences. In the following discussion, the particular consequences associated with each risk are addressed.

Privacy Violations 

In regard to EHR systems, privacy violations are plausible. There are a number of possible outcomes of privacy violations. Loss of patient confidence and trust is among these (Simon et al., 2009). When patients learn that their data has been lost or accessed without proper authorization, they may be reluctant to provide personal information. As a result, the capacity of the medical providers to deliver care will be compromised. Another possible consequence concerns legal action. Such laws as the Health Insurance Portability and Accountability Act (HIPAA) require medical providers to safeguard patient privacy (Ness, 2007). Privacy violations amount to a departure from the provisions of this act. A patient is likely to file a civil lawsuit against a health institution for mishandling their information. The medical information of high-profile patients in particular is considered valuable, and this can be a motivation for health providers to sell it to journalists. Doing so would compromise the culprit as well as the entire organization.

Cloud Provider Downtime/outage 

The nature of EHR systems is that they rely, in part, on cloud services in order to promote remote access. However, this exposes such systems to issues that might arise from cloud provider downtime or outage. Most providers of cloud storage solutions strive to ensure efficiency and reliability. However, there are instances when the providers suffer outages and downtime. The main consequence of downtime or outage is inaccessibility of data. Another possible consequence is disruption of service delivery (Antonopoulos & Gillam, 2010). Without access to patient records, medical providers may be unable to deliver care. During routine patient check-ups, a physician is likely to demand access to a patient’s record in order to, for instance, assess whether one is eligible for discharge or whether they can be operated on. In the event that data cannot be retrieved in a timely manner, this will lead to a backlog of tasks, as physicians and nurses will be unable to determine what action should be taken regarding a patient’s condition. An outage can cause disruption of services for a considerable amount of time.

Security Breaches 

Apart from cloud provider downtime, security breaches are also a possible occurrence when it comes to EHR systems. In most cases, these breaches result in the loss of sensitive and personal information (Wong, 2013). If a security breach occurs, the medical provider should expect to lose the patient records. It is also possible that one breach could set the stage for other breaches. Another consequence that is likely to result from a security breach is financial loss. There have been instances where hackers use stolen information such as credit card details to rob individuals.

Data Loss 

Equally important for EHR systems is the likelihood of data being lost, for instance through improper recording or placement of patient information, or through security breaches in which individuals steal and wipe out a patient’s record. In the event of such an occurrence, a decline in patients’ confidence in the reliability of the EHR system and cloud storage is one of the possible outcomes. Another possible consequence is disruption of service delivery. The data that medical facilities collect are essential for service delivery. When this data is lost, it follows that the facilities are unable to deliver care. Therefore, to ensure that service delivery is not disrupted, facilities should take all necessary steps to guarantee data security.

Government Surveillance 

Government surveillance is another of the identified risks. Using such agencies as the National Security Agency (NSA), the US government is known to conduct mass surveillance (Madsen, 2013). Through this surveillance, the NSA has collected massive amounts of personal data. The medical provider could be the subject of such surveillance. If this happens, the overall security of the cloud storage system will be compromised. Furthermore, the provider may face calls to move away from cloud storage and return to the traditional in-house data storage system. Another possible consequence of surveillance is the provider being investigated if it is learnt that its operations are in violation of the law.

Unauthorized Access 

Because EHR systems use cloud storage, there is a possibility of unauthorized access by a third party. The nature of cloud storage is that it allows multiple users to access data from different devices. While this benefit delivers convenience, it also increases the risk of data theft. As an example, a health worker might visit a restaurant with their device and log in to the system using the Wi-Fi provided. As soon as they log in, they expose themselves to hacking, as some individuals have the technical knowledge to access devices that have logged into their networks. This can lead to theft of patient information. Unauthorized access could also result in the corruption of data.

Risk elements 

According to Alberts (2006), there are four elements that constitute risk: context, action, conditions and consequences. The consequences of the identified risks have already been addressed in the discussion above. The following list contains the context, actions and conditions associated with the identified risks.

Context 

The context concerns the environment and background which define how an issue is evaluated. Some of the components of this element of risk are:

Efficiency in healthcare delivery: In its adoption of cloud computing, the facility is seeking to enhance efficiency. It wishes to deliver care quickly and at lower costs.

Need to comply with such laws as the HIPAA: The privacy provision of the HIPAA is another issue that would compel the facility to embrace HIPAA. How well the facility ensures patient privacy will inform how its adoption of cloud computing is evaluated.

Cybersecurity threats: Cyber-attacks have become common. The facility will need to protect sensitive patient data against such attacks.

Safeguarding patient welfare and rights: The primary purpose of embracing cloud computing is to guarantee the welfare and rights of patients. If the facility manages to secure patient welfare, its adoption of cloud computing will be judged as successful.

Actions 

Alberts (2006) described actions as the measures and failures that set the stage for the occurrence of risk. In regard to the project in question, the following actions could lead to the realization of the identified risks:

Medical personnel sharing login credentials with unauthorized personnel: When practitioners share such details as passwords with unauthorized parties, they expose their EHR systems to the threat of hacks and other forms of cyber-attacks.

Facility enlisting the services of an incompetent cloud storage provider: There are many providers of cloud storage solutions. While most are competent, others lack the expertise needed to ensure data security. Working with an incompetent provider increases the risk of breaches and data loss.

Failure to update system: Updates help to address flaws that can be exploited to carry out attacks. When a facility fails to update its system, it creates room for attacks to occur.

Conditions 

In the use and management of EHR systems, there are certain activities or conditions that increase the likelihood of risks such as security breaches. Alberts (2006) described these conditions as realities that facilitate the occurrence of risk. Listed below are some of the conditions which could lay the ground for the identified risks.

Ineffective authorization procedures: Should the facility fail to confirm that individuals accessing information are properly authorized, they set the stage for hacks and other attacks.

Poorly designed cloud infrastructure: EHR systems that lack proper controls and safeguards expose facilities to risks of data theft and security breaches.

Lack of insight on the need for caution: If personnel do not recognize the importance of being cautious and following security guidelines, an attack could occur.

Mitigation Strategies 

Various risks have thus been identified regarding the vulnerability of EHR systems. However, there are a number of strategies that can be implemented to shield the provider against service disruption. One of the ways to achieve such an objective is through establishing clear and strict authorization protocols that shield the provider against the risks identified. Shah, Murtaza, and Opara (2014) provided some of these measures, noting that “Restricting access to work areas by the authorized personnel only is required, logging visitor access, and securing the visibility of data on the communication devices must be ensured” (p. 197). This means that access to patients’ records should be limited by focusing on which individuals are allowed access. Other recommended measures include securing virtual private networking from remote locations, as well as allowing authorized personnel to handle the health institution’s software and hardware (Shah, Murtaza, & Opara, 2014). Only authorized personnel should be permitted to access the patient records stored in the cloud. The medical provider could also conduct routine monitoring exercises. These exercises should be aimed at evaluating the security situation of the cloud storage. If any suspicious activity is detected, the provider should move with speed to investigate and take appropriate action. The medical facility also needs to sensitize its employees on the need for caution and adhering to established protocols. This measure will go a long way in ensuring that employees do not trigger the risks.

Contingency plans 

In essence, adherence to the mitigation strategies mentioned earlier could help health institutions avoid the various risks associated with managing patients’ records through EHR systems. The mitigation strategies developed above could insulate the medical facility against the risks. However, it is possible that even with these strategies in place, the risks could still occur. This is why it is important for the facility to create contingency plans. These plans should stipulate the course of action when the risks occur. Isolating the files stored on the cloud is one of the essential elements of the plans. In support, Shah, Murtaza, and Opara (2014) noted that one of the ways to achieve this is through “… isolation of network and storage devices, granting of physical access to the workstations, servers, and network and storage devices only to authorized personnel, and creating backup of patients’ data” (p. 200). The isolation will help to limit the spread of a risk. For example, when the medical facility cuts access to files stored on the cloud, it will protect offline files from corruption and theft. Informing patients and other stakeholders that a risk has occurred is another element of the contingency plan. The purpose of this measure is to protect the image of the medical facility and to retain the trust and confidence of the patients. It is common for firms to take too long before informing their clients that they have suffered a security breach. Another measure that the facility should institute as part of the contingency plan is having a team of experts that are ready to investigate any and all risks that occur. The investigation will help to ensure that the risk does not recur.

These measures are likely to help protect not only the patient, but also the organization from suffering the various negative impacts that arise from having an inefficient health records system, such as poor service delivery and exposure to civil lawsuits when patient information is released to unauthorized individuals, inter alia.

Conclusion 

Electronic health records systems have the potential of promoting quality in healthcare services. However, they are vulnerable to various risks such as security breaches, theft of patient records, unauthorized access and cloud storage outage, inter alia. The outcome of these risks is that they affect patients’ outcomes because hospitals are rendered inefficient, for instance when it comes to prompt response to a patient’s medical needs. While these systems have revolutionized the operations of medical facilities, it is important to consider mitigation strategies, such as limiting access to authorized personnel only and isolation of networks preventing remote access, among others, to prevent the identified risks. To ensure that their operations remain secure, the facilities should create and implement mitigation and contingency plans.

References

Alberts, C. J. (2006). Common elements of risk. Retrieved March 22, 2018 from https://resources.sei.cmu.edu/asset_files/TechnicalNote/2006_004_001_14687.pdf 

Antonopoulos, N., & Gillam, L. (2010). Cloud Computing: Principles, Systems and Applications. New York: Springer.

Madsen, W. (2013). National Security Agency Surveillance: Reflections and Revelations 2001-2013. Morrisville, NC: Lulu.com.

Marston, S., Bandyopadhyay, S., Zhang, J., & Ghalsasi, A. (2011). Cloud Computing- The Business Perspective. Decision Support Systems, 51 (1), 176-189.

Menachemi, N., & Collum, T. H. (2011). Benefits and Drawbacks of Electronic Health Record Systems. Risk Management and Health Care Policy, 4, 47-55.

Ness, R. B. (2007). Influence of the HIPAA Privacy Rule on Health Research. JAMA, 298 (18), 2164-2170.

Simon, S. R., Evans, J. E., Benjamin, A., Delano, D., & Bates, D. W. (2009). Patients’ Attitudes Toward Electronic Health Information Exchange: Qualitative Study. Journal of Medical Internet Research, 11 (3). DOI: 10.2196/jmir.1164

Shah, J., Murtaza, M., & Opara, E. (2014). Electronic health records: Challenges and opportunities. Journal of International Technology and Information Management, 23 (3), 189-205. Retrieved from http://scholarworks.lib.csusb.edu/cgi/viewcontent.cgi?article=1082&context=jitim

Wong, R. (2013). Data Security Breaches and Privacy in Europe. New York: Springer.

Yanamadala, S., Morrison, D., Curtin, C., McDonald, K., & Boussard, T. H. (2016). Electronic Health Records and Quality of Care. Medicine (Baltimore), 95 (19). DOI: 10.1097/MD.0000000000003332

StudyBounty. (2023, September 16). Risk Management Plan for Electronic Health Records System.
https://studybounty.com/risk-management-plan-for-electronic-health-records-system-assignment
