Discussion

Discuss some identified threats to health information privacy and security. Also, what is the motivation of these bad actors?


Chapter 9: Patient Safety, Quality and Value

Harry Burke MD PhD

Learning Objectives

After reviewing the presentation, viewers should be able to:


Define safety, quality, near miss, and unsafe action

List the safety and quality factors that justified the clinical implementation of electronic health record systems

Discuss three reasons why the electronic health record is central to safety, quality, and value

List three issues that clinicians have with the current electronic health record systems and discuss how these problems affect safety and quality

Describe a specific electronic patient safety measurement system and a specific electronic safety reporting system

Describe two integrated clinical decision support systems and discuss how they may improve safety and quality

Patient Safety-Related Definitions
Safety: minimization of the risk and occurrence of patient harm events
Harm: inappropriate or avoidable psychological or physical injury to patient and/or family
Adverse Events: “an injury resulting from a medical intervention”
Preventable Adverse Events: “errors that result in an adverse event that are preventable”
Overuse: “the delivery of care of little or no value” e.g. widespread use of antibiotics for viral infections
Underuse: “the failure to deliver appropriate care” e.g. vaccines or cancer screening
Misuse: “the use of certain services in situations where they are not clinically indicated” e.g. MRI for routine low back pain

Introduction
Medical errors are unfortunately common in healthcare, in spite of sophisticated hospitals and well trained clinicians
Often it is breakdowns in protocol and communication, and not individual errors
Technology has potential to reduce medical errors (particularly medication errors) by:
Improving communication between physicians and patients
Improving clinical decision support
Decreasing diagnostic errors
Unfortunately, technology also has the potential to create unique new errors that cause harm

Medical Errors
Errors can be related to diagnosis, treatment and preventive care. Furthermore, medical errors can be errors of commission or omission; fortunately, not all errors result in an injury, and not all medical errors are preventable
Most common outpatient errors:
Prescribing medications
Getting the correct laboratory test for the correct patient at the correct time
Filing system errors
Dispensing medications and responding to abnormal test results

Medical Errors
While many would argue that treatment errors are the most common category of medical errors, diagnostic errors accounted for the largest percentage of malpractice claims, surpassing treatment errors in one study
Diagnostic errors can result from missed, wrong or delayed diagnoses and are more likely in the outpatient setting. This is somewhat surprising given the fact that US physicians tend to practice “defensive medicine”
Over-diagnosis may also cause medical errors but this has been less well studied

Quality, Safety and Value
Unsafe healthcare lowers quality, but safe medicine is not always high quality
From the National Academy of Medicine’s perspective, quality is a set of six aspirational goals: medical care should be safe, effective, timely, efficient, patient-centered, and equitable
Value relates to how important something is to us:
Cost-effective?
Necessary?
Does it affect morbidity, mortality or quality of life?

Unsafe Actions
Most adverse events result from unsafe actions or inactions by anyone on the healthcare team, including the patient
Missed care is “any aspect of required care that is omitted either in part or in whole or delayed”
Many of the above go unreported

Reporting Unsafe Actions
Most near-miss events are not reported. Many are not witnessed
The tendency is to blame the individual, but healthcare is complex and there are often “system errors”
Most safety systems are retrospective; we need to move to being proactive
We need good data, such as the ratio of detected unsafe actions to the opportunities for an unsafe action, over a specified time interval

Patient Safety Systems
Patient Safety Reporting System: event is recorded and, if it is a sentinel event, it is investigated.
Most systems are not integrated with the EHR
Root Cause Analysis: common approach to determine the cause of an adverse event. This has limitations
HEDIS measures can help track quality issues

Patient Safety Systems
Current reimbursement models mandate quality measures, e.g. the Medicare Patient Safety Monitoring System, now operated by AHRQ. The new system is known as the Quality and Safety Review System. Still labor intensive and manual
Global Trigger Tool: evaluates hospital safety. Said to detect 90% of adverse events. Select 10 discharge records and two reviewers review each chart for any of the 53 “triggers”

Using the EHR to Improve Safety, Quality and Value
Paper records have multiple disadvantages, as pointed out in the EHR chapter
Expectations have been very high regarding the EHR’s impact on safety, quality and value
Unfortunately, results have been mixed and there has not been a prospective study conducted to prove the EHR’s benefit towards safety and quality

Clinical Decision Support
High expectations that CDS that is part of EHRs will improve safety
As per multiple chapters in the textbook, CDS has mixed reviews in terms of safety and quality
Adverse events regarding CDS include “alert fatigue”
The FDA will regulate software that is related to treatment and decision making

Clinician’s Issues with EHRs
EHRs result in altered workflow and decreased efficiency. Physicians are staying late to complete notes in the EHR
In an effort to save time, physicians may “cut and paste” old histories into the EHR, creating new problems
EHRs may create new safety issues (“e-iatrogenesis”)
Because of the multiple issues, it is very common to see offices and hospitals change EHRs, not always solving the problem

Clinician’s Issues with EHRs
Roughly 2/3 of EHR data is unstructured (free text), so it is not computable.
While natural language processing (NLP) may help solve this, we are a long way from a resolution
Multiple open source and commercial NLP programs exist, but they require a great deal of time and expertise to match the results a manual chart review would produce

Governmental Organizations Involved with Patient Safety
US Federal Agencies:
Department of Health and Human Services (HHS)
Agency for Healthcare Research and Quality (AHRQ)
Centers for Medicare and Medicaid Services (CMS)
Non-reimbursable complications: (3 examples)
Objects left in a patient during surgery and blood incompatibility
Catheter-associated urinary tract infections
Pressure ulcers (bed sores)
Hospitals must assemble, analyze and trend clinical and administrative data to capture baseline data and measure improvement over time
Health IT-based interventions are expected to assist

Governmental Organizations
Office of the National Coordinator for HIT
Learn: “Increase the quantity and quality of data and knowledge about health IT safety.”
Improve: “Target resources and corrective actions to improve health IT safety and patient safety”
Safety goals will be aligned with meaningful use objectives.
Lead: “Promote a culture of safety related to health IT”

Governmental Organizations
The Food and Drug Administration
MedWatch: posts drug alerts and offers online reporting area
Center for Devices and Radiological Health (CDRH)
Plan to regulate mobile medical applications designed for use on smartphones
State Patient Safety Programs: By 2010, 27 states and the District of Columbia passed legislation or regulation related to hospital reporting of adverse events to a state agency

Meaningful Use Objectives and Potential Impact on Patient Safety
Objective: Use computerized provider order entry (CPOE) for medication, laboratory, and radiology orders directly entered by any licensed healthcare professional who can enter orders into the medical record per state, local, and professional guidelines
Objective: Use clinical decision support to improve performance on high-priority health conditions

Meaningful Use Objectives and Potential Impact on Patient Safety
Objective: Automatically track medications from order to administration using assistive technologies in conjunction with an electronic medication administration record (eMAR)
Objective: Generate and transmit discharge prescriptions electronically (eRx)

Non-Governmental Organizations and Patient Safety
National Patient Safety Foundation (NPSF) Goals:
Identifying and creating a core body of knowledge
Identifying pathways to apply the knowledge
Developing and enhancing the culture of receptivity to patient safety
Raising public awareness and fostering communication around patient safety
National Academy of Medicine (was the Institute of Medicine or IOM)

Institute of Medicine (IOM) Recommendations
Congress should create a Center for Patient Safety within the Agency for Healthcare Research and Quality
A nationwide reporting system for medical errors should be established
Voluntary reporting should be encouraged
Congress should create legislation to protect internal peer review of medical errors
Performance standards and expectations by healthcare organizations should include patient safety
FDA should focus more attention on drug safety
Healthcare organizations and providers should make patient safety a priority goal
Healthcare organizations should implement known medication safety policies

IOM Report – 2003
Patient safety must be linked to medical quality
A new healthcare system must be developed that will prevent medical errors in the first place
New methods must be developed to acquire, study and share error prevention among physicians, particularly at the point of care
The IOM recommended specific data standards so patient safety-related information can be recorded, shared and analyzed

IOM Report – 2011
Report focused exclusively on health IT and patient safety and quality
Publish an “action and surveillance plan”
Push health IT vendors to support the free exchange of information about health IT experiences and issues
Public and private sectors should make comparative user experiences public
Health IT Safety Council should assess and monitor safe use of health IT
Specify quality and risk management processes health IT vendors must adopt
Establish an independent federal entity to investigate patient safety deaths, serious injuries, or potentially unsafe conditions associated with health IT
Support cross-disciplinary research toward the use of health IT as part of a learning system

Non-Governmental Organizations and Patient Safety
The National Quality Forum
The Joint Commission:
Published the 2018 National Patient Safety Goals
They also published an alert about the potential for HIT to create new patient safety issues
LeapFrog Group
HealthGrades
Institute for Safe Medication Practices (ISMP)

HealthGrades 2017 Patient Safety Excellence Awards
Award recognizes hospitals with the lowest occurrences of 14 preventable patient safety events, placing the hospitals in the top 10% in the nation for patient safety
This organization reviews the data from inpatient Medicare and Medicaid cases each year and rates hospitals, in terms of patient safety
They estimate that the top ranking hospitals represent, on average, a 43% lower risk of a patient safety adverse event compared to the lowest ranking hospitals

Quality Care Finder
www.hospitalcompare.hhs.gov
Allows consumers to review quality metrics, e.g. morbidity and mortality, when making decisions

Technologies with Potential to Decrease Medication Errors
Computerized provider order entry (CPOE) Benefits:
Improved handwriting identification
Reduced time to arrive in the pharmacy
Fewer errors related to similar drug names
Easier to integrate with other IT systems
Easier to link to drug-drug interactions
More likely to identify the prescriber
Available for immediate analysis
Can link to clinical decision support to recommend drugs of choice
Jury still out on actual reduction of serious ADEs

Technologies with Potential to Decrease Medication Errors
Health Information Exchange (HIE):
Improve patient safety by better communication between disparate healthcare participants
Automated Dispensing Cabinets (ADCs): like ATM machines for medications on a ward
Home Electronic Medication Management System: home dispensing, particularly for the elderly or non-compliant patient
Pharmacy Dispensing Robots: bottles are filled automatically
Electronic Medication Administration Record (eMAR): electronic record of medications that is integrated with the EHR and pharmacy
Intravenous (IV) Infusion Pumps: regulate IV drug dosing accurately

Technologies with Potential to Decrease Medication Errors
Bar Coding Medication Administration: the patient, drug and nurse all have a barcoded identity
These must all match for the drug to be given without any alerts
Bar codes are inexpensive, but the software and other components are expensive
Some healthcare systems have shown a significant reduction in medication administration errors, but many of these were minor and would not have resulted in serious harm

Technologies with Potential to Decrease Medication Errors
Medication Reconciliation
When patients transition from hospital-to-hospital, from physician-to-physician or from floor-to-floor, medication errors are more likely to occur
Joint Commission mandated hospitals must reconcile a list of patient medications on admission, transfer and discharge
Task may be facilitated with EHR but still confusion may exist if there are multiple physicians, multiple pharmacies, poor compliance or dementia

Barriers to Improving Patient Safety through Technology
Organizational: health systems leadership must develop a strong “culture of safety”
Financial: Cost for multiple sophisticated HIT systems is considerable
Error reporting: is voluntary and inadequate and usually “after the fact”

Unintended Consequences
Technology may reduce medical errors but create new ones:
Medical alarm fatigue
Infusion Pump errors
Distractions related to mobile devices
Electronic health records: data can be missing and/or incorrect, there can be typographical entry errors, and older information is sometimes copied and pasted into the current record

Conclusions
Patient safety continues to be an ongoing problem with too many medical errors reported yearly
Multiple organizations are reporting patient safety data transparently to hopefully support change
There is a great expectation that HIT will improve patient quality which in turn will decrease medical errors
There is some evidence that clinical decision support reduces errors, but studies overall are mixed
Leadership must establish a “culture of safety” to effectively achieve improvement in patient safety

Chapter 10: Health Information Privacy and Security

John Rasmussen MBA

Learning Objectives
After reviewing the presentation, viewers should be able to:
Explain the importance of confidentiality, integrity, and availability
Describe the regulatory environment and how it drives information privacy and security programs within the health care industry
Recognize the importance of data security and privacy as related to public perception, particularly regarding data breach and loss
Identify different types of threat actors and their motivations
Identify different types of controls used and how they are used to protect information
Describe emerging risks and how they impact the health care sector

Three Pillars of Data Security
Confidentiality refers to the prevention of data loss, and is the category most easily identified with HIPAA privacy and security within healthcare environments. Usernames, passwords, and encryption are common measures implemented to ensure confidentiality
Availability refers to system and network accessibility, and often focuses on power loss or network connectivity outages. Loss of availability may be attributed to natural or accidental disasters such as tornados, earthquakes, hurricanes or fire, but also to man-made scenarios, such as a Denial of Service (DoS) attack or a malicious infection which compromises a network and prevents system use. To counteract such issues, backup generators, continuity of operations planning and peripheral network security equipment are used to maintain availability
Integrity describes the trustworthiness and permanence of data, an assurance that the lab results or personal medical history of a patient are not modifiable by unauthorized entities or corrupted by a poorly designed process. Database best practices, data loss solutions, and data backup and archival tools are implemented to prevent data manipulation, corruption, or loss, thereby maintaining the integrity of patient data

Defense in Depth for Healthcare
Data must be classified to determine its risk
Healthcare organizations must develop a set of controls to protect confidentiality, integrity and availability of data
One layer of defense is not likely to be adequate
Healthcare organizations will need technical, administrative and physical safeguards

Administrative Safeguards
Security management processes to reduce risks and vulnerabilities
Security personnel responsible for developing and implementing security policies
Information access management-minimum access to perform duties
Workforce training and management
Background checks, drug screens, etc. for new employees
Evaluation of security policies and procedures

Physical Safeguards
Limit physical access to facilities
Workstation and device security policies and procedures covering transfer, removal, disposal, and re-use of electronic media
Badge with photo

Technical Safeguards
Access control that restricts access to authorized personnel
Audit controls for hardware, software, and transactions
Integrity controls to ensure data is not altered or destroyed
Transmission security to protect against unauthorized access to data transmitted on networks and via email
Unique usernames and passwords, encrypted software, anti-virus software, secure email, firewalls, etc.

Healthcare Regulatory Environment
Health Insurance Portability & Accountability Act (HIPAA – 1996)
Laid the groundwork for privacy and security measures in healthcare. Initial intent was to cover patients who switched physicians or insurers (portability)
Next important Act was the American Recovery and Reinvestment Act (ARRA – 2009) & HITECH Act, which imposed new requirements for breach notification and stiffer penalties

Covered Entities or Those Who Must Follow the HIPAA Privacy Rule
Health Plans: Health insurers, HMOs, Company health plans, Government programs such as Medicare and Medicaid
Health Care Providers who conduct business electronically: Most doctors, Clinics, Hospitals, Psychologists, Chiropractors, Nursing homes, Pharmacies, Dentists
Health care clearinghouses

Covered Entities: Patient Rights
Request and receive a copy of their health records
Request an amendment to their health record
Receive a notice that discusses how health information may be used and shared, the Notice of Privacy Practices
Request a restriction on the use and disclosure of their health information
Receive a copy of their “accounting of disclosures”
Restrict disclosure of the health information to an insurer if the encounter is paid for out of pocket
File a complaint with a provider, health insurer, and/or the U.S. Government if patient rights are being denied or health information is not being protected.

Organizations That Do Not Need To Follow the HIPAA Privacy Rule
Life insurers
Employers
Workers compensation carriers
Many schools and school districts
Many state agencies like child protective service agencies
Many law enforcement agencies
Many municipal offices

Protected Health Information (PHI)
Individually identifiable health information:
Information created by a covered entity
And “relates to the past, present, or future physical or mental health or condition of an individual”
Or identifies the individual or there is a reasonable basis to believe that the individual can be identified from the information.

HIPAA
Protections apply to all personal health information (PHI), whether in hard copy records, electronic personal health information (ePHI) stored on computing systems, or even verbal discussions between medical professionals
Covered entities must put safeguards in place to ensure data is not compromised, and that it is only used for the intended purpose
The HIPAA rules are not designed to and should not impede the treatment of patients

Privacy Rule Mandates Removal of 18 Identifiers
Names
All geographic subdivisions smaller than a state
All elements of dates (except year)
Telephone numbers
Facsimile numbers
Electronic mail addresses
Social security numbers
Medical record numbers
Health plan beneficiary numbers

Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web universal resource locators (URLs)
Internet protocol (IP) address numbers
Biometric identifiers, including fingerprints and voiceprints
Full-face photographic images and any comparable images
Any other unique identifying number, characteristic, or code
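As an added worked example (not from the textbook or its author), the following Python applies the 18 Safe Harbor identifier categories above to a structured record: listed identifier fields and sub-state geography are dropped, dates are reduced to the year, free text is scrubbed for identifier-shaped values, and any field that is not explicitly allowed is dropped as a possible “other unique identifying code”. The field names, the regular expressions and the sample record are constructed assumptions, not a real schema or real patient data.

```python
# Added example (not from the textbook): Safe Harbor style de-identification of a
# structured patient record. Field names, sample record and regexes are constructed.
import re
from datetime import date

# Assumed schema fields that map directly onto listed identifier categories.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}
GEO_FIELDS_BELOW_STATE = {"street", "city", "county", "zip"}  # state itself is kept
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}  # year only survives
FREE_TEXT_FIELDS = {"notes"}  # kept, but scrubbed for identifier-shaped substrings
ALLOWED_FIELDS = {"state", "sex", "diagnosis"}  # non-identifying clinical fields

# Identifiers that commonly leak into free text; tags replace the match so the
# note still reads sensibly after scrubbing.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
    (re.compile(r"\bhttps?://\S+", re.IGNORECASE), "[URL]"),
    (re.compile(r"\b(?:\d{1,2}/\d{1,2}/|\d{4}-\d{2}-)\d{2,4}\b"), "[DATE]"),
    (re.compile(r"\bMRN\s*#?\s*\d+\b", re.IGNORECASE), "[MRN]"),
]


def year_only(value):
    """Reduce a date object or ISO-style string to its year (None if unparseable)."""
    if isinstance(value, date):
        return value.year
    match = re.match(r"(\d{4})", str(value))
    return int(match.group(1)) if match else None


def scrub_text(text, name_tokens=()):
    """Tag identifier-shaped substrings, then whole-word occurrences of the
    patient's name. Regexes run first so an address like jane.sample@... is
    caught whole before the name tokens inside it are rewritten."""
    for pattern, tag in FREE_TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    for token in name_tokens:
        text = re.sub(r"\b" + re.escape(token) + r"\b", "[NAME]", text,
                      flags=re.IGNORECASE)
    return text


def deidentify(record):
    """Return (clean_record, removed_fields). Fails closed: a field that is not
    explicitly allowed, dated or free text is dropped and reported, matching
    the catch-all "any other unique identifying number, characteristic, or code"."""
    clean, removed = {}, {}
    # Single-letter tokens (initials) are skipped: they would over-match prose.
    name_tokens = [t.strip(".,") for t in str(record.get("name", "")).split()]
    name_tokens = [t for t in name_tokens if len(t) > 1]
    for field, value in record.items():
        if field in DATE_FIELDS:
            clean[field + "_year"] = year_only(value)
        elif field in FREE_TEXT_FIELDS:
            clean[field] = scrub_text(str(value), name_tokens)
        elif field in ALLOWED_FIELDS:
            clean[field] = value
        elif field in DIRECT_IDENTIFIER_FIELDS or field in GEO_FIELDS_BELOW_STATE:
            removed[field] = "listed identifier category"
        else:
            removed[field] = "unclassified field, dropped as a possible identifier"
    return clean, removed


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "dob": "1975-08-22", "admit_date": date(2024, 3, 14),
    "street": "12 Example Lane", "city": "Springfield", "state": "IL", "zip": "62704",
    "phone": "217-555-0142", "email": "jane.sample@example.com",
    "ssn": "123-45-6789", "mrn": "0099812", "ip_address": "10.1.2.3",
    "sex": "F", "diagnosis": "Type 2 diabetes mellitus",
    "notes": ("Pt Jane Sample (MRN 0099812) seen 03/14/2024; callback "
              "217-555-0142, email jane.sample@example.com."),
    "implant_serial": "IMP-55-0042",  # not in any allowlist: dropped and reported
}
```

The regex scrubbing is a floor, not a guarantee: names that are also ordinary words and identifiers written in unusual formats still need review, which is why the function reports what it dropped.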

Permitted Uses and Disclosures of Patient Data
To the individual
For treatment, payment or health care operations
Uses and disclosures with opportunity to agree or object
Facility directories
For notification and other purposes
Incidental use and disclosure
Public interest and benefit activities
Required by law
Public health activities
Victims of abuse, neglect or domestic violence
Health oversight activities
Judicial and administrative proceedings
Law enforcement purposes
Decedents
Cadaveric organ, eye, or tissue donation
Research
Serious threat to health or safety
Essential government functions
Workers’ compensation

Business Associate (BA)
BAs are related to the covered entity (CE), such as an EHR vendor or a transcription service
They must have a BA agreement with the CE
This forces the BA to comply with all security requirements
The BA can be penalized for violating HIPAA requirements

Breach Requirements under HIPAA
Unauthorized acquisition, access or use. Exceptions:
Data is encrypted. This is considered a safe harbor; or
“Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure”; or
“Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed”; or
“A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.”

Breach Notification
If a breach is determined, the covered entity must notify the individual(s) impacted by the breach. They must inform them within 60 days of when the breach is identified. The notification must include:
A description of what happened
A description of the type of PHI that was breached
Steps the individual can take to protect themselves
What the covered entity is doing to investigate the breach and mitigate harm
Contact information for the individual to contact the covered entity

If a breach exceeds 500 individuals, the covered entity must notify the media and must report the breach to the Office for Civil Rights (OCR).

Regardless of the number of individuals impacted by a breach, all breaches must be reported to the OCR annually

Administrative Requirements for the Privacy Rule
Develop and implement written privacy policies and procedures
Designate a privacy official
Workforce training and management
Mitigation strategy for privacy breaches
Data safeguards – administrative, technical, and physical
Designate a complaint official and procedure to file complaints
Establish retaliation and waiver policies and restrictions
Documentation and record retention – six years
Fully-insured group health plan exception

Organizational Roles
Policy regarding information security practices is often set by chief information officers (CIOs), chief technology officers (CTOs), information technology (IT) directors or similar, often with input from chief medical informatics officers (CMIOs), HIPAA compliance officers, or the like
Depending on resources, the information technology teams may consist of network, system administration, security and data personnel, or could be the very same technical staff relied upon for all office or clinic IT needs

Threat Actors
Insiders
Hacktivists
Organized crime
Nation states

Types of Attacks
Social Engineering: most common
Phishing: via email or text messaging
Shoulder surfing: attacker looks over the shoulder
Tailgating: attacker uses someone else’s ID
Free software: USB drive is found and plugged into a computer, introducing a virus

Types of Attacks
Denial of Service (DoS): website is flooded with traffic, shutting it down
Brute Force: random credentials are rapidly thrown at a website in the hope of gaining access
Doxing: gathers info about a victim and publishes it to harass or embarrass the individual.

Security Breaches and Attacks
Identity theft on the rise
Physical Theft
Stolen laptops, computers, storage devices and servers
The HHS website lists all of the reported data breaches affecting over 500 users. The site lists the covered entity, the number of breach victims, the type of breach and the location of data (laptop, server, paper, etc.)
Breaches: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Threat Countermeasures
The next slides will list some of the recognized countermeasures employed by healthcare organizations

Authentication and Identity Management
Accomplished with photo identification, biometrics, smart card technologies, tokens, and the old standard: username and password
Basic authentication may vary depending on sensitivity of data, the capabilities of the systems, resource constraints (both technical and monetary), and the frequency of access
Methods discussed here rely on what is known as two- or multi-factor authentication: something one knows, something one has, or something that one is

Authentication and Identity Management
Basic authentication:
Username and password combination still employed by a majority of users today, combining two things that a user knows
Another option is utilizing a grid card, smart card, USB token, one time password (OTP) token, or OTP service in combination with something a user knows, such as a passphrase or PIN

Authentication and Identity Management
Single Sign On (SSO)
One set of credentials to easily and securely access many of the resources one uses every day; example is Google

Smart Cards in Healthcare
Smart Cards: Used in healthcare in many countries
Vital information with a self-contained processor and memory
Low cost, ease of use, portability and durability, and ability to support multiple applications
Capable of holding encrypted patient information, biometric signatures and personal identification numbers (PINs)
Drawbacks: lack of standardization and positive identification

Authentication and Identity Management
Biometric Authentication
When combined with passphrases or the tokens, cards, and OTP solutions discussed previously, a two- or multi-factor authentication solution can be employed
Physical user identifiers: fingerprint, retinal scan, voice imprint

Theft Countermeasures
Render data unusable to thieves
Encryption standards such as FIPS 140-2
Hardware and software encryption techniques
Example: an encrypted USB device (slide image not reproduced)

Conclusions
Security of healthcare data is critical for the future success of HIT
ARRA/HITECH supplement the administrative, physical and technical safeguards implemented by HIPAA
Security measures will continue to improve, but so will the efforts of hackers and criminals who seek access to healthcare record data and identity theft
