CIVIL WAR: Protecting Health Information Security

For this week, we were tasked list down questions where answers should be able to identify risks to securing electronic health information. The scenario is that we are part of a group practice that has decided to implement an electronic solution for clinical documentation. However, we came across many horror stories regarding health information security that have led to failed clinical information system implementations. How would you prevent this from happening to your group practice?

To facilitate my discussion, I prepared a short comic strip to lay down the facts and bring to your consciousness the risks in electronic health information. (No copyright infringement intended for the photos and are used for educational purposes only).

Slide1Slide2Slide3Slide4Slide5

Slide6Slide7Slide8Slide9Slide10Slide11Slide12Slide13Slide14Slide15Slide16Slide17

Slide18

Slide19Slide20Slide21Slide22Slide23

Slide24Slide25Slide26

In the scenario above, a breached in the information system happened when an outsider tried to access the system, delete, tamper, and corrupt all the health data stored in the system.

Many factors led to the breach such as blatant disregard for the security of the physical server, weak user authentication, security of the health information, lack of encryption, among others.

This could have been prevented or minimized should the¬†‘Avengers’¬†considered and discussed first and foremost the safety and security of the health information system. Here some of the questions that they should have considered answering when they developed the system.

  1. WHO: Who has access to the information? Who can edit and view the codes?
  2. When: When can they access the information?
  3. How: How can they access it? Would it be cloud based, local area network? Exclusive to a identified computer or network?
  4. Where: Where will the main server be stored? Is it safe?
  5. What: What encryption mechanism will be used? What is the back-up mechanism

By answering these questions, although loopholes may still persist, it is somehow reduced.

Advertisements

THE WALL: Implementation of Electronic Medical Record

For this week we’ve been tasked to highlight three barriers to EHR implementation that we believe to be the most important ones that might adversely affect your implementation.¬†

To “creatively” discuss my points, I’m going to use some pop reference from the recently concluded season of Game of Thrones.

A brief background of myself before proceeding, I am Roy Dahildahil, a BS Public Health graduate from UP Visayas. For the past two years I’ve been working in National Telehealth Center (NTHC) and traveled to different Rural Health Units and Hospitals in different municipalities in the Philippines. NTHC is the institution that pioneered Community Health Information System (CHITS) that has been implemented to 160+ RHUs all over the Philippines. And thus, in addition to the articles provided to us, majority of my points are based on the stories and concerns I received while doing the field work.

  1. Change in workflow; cause of delays. Waiting

The initial implementation of the EMR is faced with a lot of challenges and adjustments to the Physicians. Especially those who are not tech savvy, or not into computers. Although, generation of reports, and some point and click functions of the EMR makes the job faster, when the Physician is not very adept to computer i.e. slow typing skills, visually challenged, not friends with their mouse or track pad, the usual encounter with the patient could actually be more time consuming because of EMR. Some of the Physicians I met in the field are more accustomed to writing and actually prefers to write. Challenge now happens when they are now forced to use the keyboard instead of pen. Their writing speed is not always proportional to their typing speed. Thus longer queues in the clinic.

In addition, since EMR are housed usually in a computer (others in a tablet), technology sometimes fails them. Lag, errors, loading, and other technical difficulties are often encountered why they are at point of care. This error, regardless how faultless techs are, are unavoidable.

2. Implementation CostsFinancial

In every municipality I’ve been to and physicians I talked to, I’ve always been asked about the cost of the project. I only thought about the “cost of buying project”, thus I always think it’s free. But then, as I went to other municipalities and witnessed how the RHU squeeze their budget to purchase additional computers, routers, keyboards, laptops, etc. in order to implement the project; I realized there is more (cost) than just buying the project. Human resource, facilities, equipment, and maintenance costs should be considered. In one of the RHUs I’ve been to, because of this additional costs the physician opted not to adopt the system because it is not the priority of their budget. If the plan is to implement EMR all over the Philippines, the government should plan how to lessen and eliminate the costs of implementing the EMR.

3. Not all Physicians are tech savvy

Training and expertise

Somehow related to number 1, struggle of some physician to fully implement the EMR is the fact that they have to learn how to use the computer . This is I think the very minimum requirement. However, most implementers assumes that physicians have background or efficient in using their computers. Only a few or none actually go back and train the basics of using a simple computer. Understanding how to use the EMR in itself is challenging, how much more to doctors who don’t even understand how to use the computers. As DOH program manager, or implementer, before conducting the training I should conduct training needs analysis and ensure that all of the physician being trained to implement EMR knows and has the basic skill set in using a computer or gadget (depends on platform)

4. Leadership and political will

leadership 2

Lastly, big factor for the nurses and midwives I’ve been to in implementing the EMR is the leadership of the doctor. When the doctor himself doesn’t use or reinforces his staff to use the technology, the technology always fails. In the same way with the physicians, should EMR be strongly implemented, a higher governing body must be strong and firm enough (on the premise that 1-3 are addressed) to reinforce his constituents to use the technology. For sure, at certain time it will be part of their system and will get use to using. It still boils down in institutionalizing the implementation of the EMR. A big step that could be achieved with strong political will of the leader governing them.

 

 

Credits to the owner of the Game of Thrones memes. 

Journal Digest: Understanding Factors Influencing the Adoption of mHealth in Elderly

For the requirement of this course, we were tasked to digest an academic journal relating to the adoption or use of an any telehealth system. ¬†I chose this article from the 2017 International Journal of Medical Informatics published by Rakibul Hoque ¬†and Golam Sorwar, “Understanding factors influencing the adoption of mHealth by the elderly: An Extension of the UTAUT model”.

You can access the abstract of the article here.

Unified Theory of Adaption and Utilization of Technology (UTAUT) was first described by Venkatesh et al in 2002 to explain user intentions to use a technology and subsequent use of the technology [1]. UTAUT suggest that there are four main constructs that determines user’s intent to use, and use behavior: Performance Expectancy (PE), Effort Expectancy, (EE) Social Influence (SI), and Facilitating Conditions (FC). PE, EE, SI are direct determinants of behavioral Intention(BI) where BI determines Use Behavior, while facilitating condition is a direct determinant of Use Behavior (Figure 1) [1].

4-Figure1-1

Further, there are four factors that moderates the determinants of the four constructs: Gender, Age, Experience, Voluntariness of Use.

In the paper of Hoque and Sorwar, they explored further the applicability of the model to the elderly population, and hypothesized two new factors that might affect behavior intent: Technology Anxiety and Resistance to Change.

They were testing the following hypothesis.

H1. PE has positive impact on the elderly’s intention to use mHealth
H2. EE has a positive impact on the elderly’s intention to use mHealth.
H3. SI has a positive impact on the elderly’s intention to use mHealth.
H4. FC has a positive impact on the elderly’s inention to use mhealth.
H5. FC has a positive impact on the elderly’s actual use of mHealth.
H6. BI has positive impact on the actual use of mHealth.
H7. (New) TA has negative impact on the elderly’s intention to use mHealth.
H8. (New) RC has a negative impact on the elderly’s intention to use mHealth.

The eight (8) hypothesis can be summarize by the figure below.

Summary.png

The study found out that performance expectancy, effort expectancy, social influence, technology anxiety, and resistance to change had significant impact on the user’s behavioral intention to adopt mHealth services. The facilitating condition, however, showed no significant relation to behavioral intention to adopt mhealth Services.¬†

This study is significant in the Philippine setting as the mobile penetration rate of the country as of 2016 is at 87%[3]. Also, hospitals in Geographically Isolated Areas and other Rural Health Units are now gearing towards improvisation of health systems by implementing telehealth services such as electronic medical records, telemedicine, etc. This initiatives are supported by private institutions, NGOs, and government offices (DOH, DOST, PhilHealth etc.). some projects are even lead by these government offices themselves. However, although the the intentions of implementing these initiatives are good, there are very few studies conducted in the Philippines on how these technologies be easily adopted by the end users, and thus sustainable also. Adding to the fact, that majority of the implementers of these technologies, especially in Rural Health Units, are tenured individuals and therefore (most but not all) belong to an older age bracket. This recent study emphasizes special consideration to the elderly and adds new factors to test and consider to improve behavioral intent, and use behavior.

References:

1. V. Venkatesh, M.G. Morris, G.B. Davis, F.D. Davis, User acceptance ofinformation technology: toward a unified view, MIS Q. 27 (3) (2003).

2. R. Hoque, G. Sorwar, Understanding factors influencing the adoption of mHealth by the elderly: An extension of the UTAUT model

3. http://wearesocial.com/uk/special-reports/digital-in-2016

1991 DECENTRALIZATION: Implications in the Routine Health Information System

Decentralization (n) political reform designed to promote local autonomy, decentralization entails changes in authority and financial responsibility for health services. Hence, decentralization can have a large impact on health service performance.

DSC_0666

In 1991, Decentralization (RA 7160) was first introduced in the Philippine health sector. Local Government Units (Rural Health Units) were granted autonomy and responsibility for their own health services, and provincial governments were given responsibility for secondary hospital care.

Section 16. General Welfare. РEvery local government unit shall exercise the powers expressly granted, those necessarily implied therefrom, as well as powers necessary, appropriate, or incidental for its efficient and effective governance, and those which are essential to the promotion of the general welfare. Within their respective territorial jurisdictions, local government units shall ensure and support, among other things, the preservation and enrichment of culture, promote health and safety, enhance the right of the people to a balanced ecology, encourage and support the development of appropriate and self-reliant scientific and technological capabilities, improve public morals, enhance economic prosperity and social justice, promote full employment among their residents, maintain peace and order, and preserve the comfort and convenience of their inhabitants.

RA 7160 is an example of devolution, a type of decentralization that transfers authority and responsibility from the central level of the Government to lower-level autonomous units of government. This move by the government, in my opinion, imposed great challenges that affected or could affect the Routine Health Information System (RHIS) in the Philippines. Highlighted in this blog are the three areas that affected RHIS because of a decentralized governance.

DSC_0278.JPG

1. Provision of resources both human and infrastructure

Discussed during our first meeting in MI 239 class, Municipal Health Offices (MHO) are under the local government units (LGU) and that policies and projects in a way depended on the support of the LGU. Many of the sites I’ve visited as part of my job in the National Telehealth Center had difficulty maintaining or implementing their health information system because of the lack of support from their local LGU. The hiring of regular-positioned nurses and staff for HIS, and the procurement of needed infrastructures and computer units to ensure the implementation of HIS is often disapproved by the mayors of the respective LGUs.¬†With the lack of human resource to ensure the operation of an RHU hampers also the quality of data collected by the MHO.

With governance reverted back to the Department of Health (DOH), the MHO can (in an ideal setting) request budget from the DOH for the required man-power and infrastructure needs of it’s RHU, conversely, the DOH can allocate a standard minimum manpower and infrastructure needs for the RHU without having to undergo approval from the LGUs. In this way, the quality of data collection across all MHOs in the Philippines can be ensured.

2. Implementation of RHIS i.e. Electronic Medical Record

A far-fetch effect of 1991 Decentralization, but an example of a decentralized governance structure in health care is the current implementation and roll-out of Electronic Medical Record (EMR). There is an existing and persisting confusion in the ground on what EMR to use (CHITS, iClinicSys, WAH) by the MHOs. Feedback from the MHOs on the ground said that they are being obliged by their regional DOH and PhilHealth to use iClinicSys, a directive being denied by the Knowledge Management and Information Technology Service (KMITS) head Ms. Crispinita Valdez. Regardless if true or not, there should be a centralized directive from the DOH, as the highest governing body for health, clarifying what EMRs should be used by the MHOs.

3. Flow of Data

When we discussed the flow of data during in the current set-up of the Philippine health system, I find it problematic that there is no centralized body (preferably the DOH) that manages or controls the flow of data. And the status quo that in the MHO there are other entities (private and project based entities) that require additional data collection method (or sometimes almost the same but has to be done their way) that burdens the MHO. What I think would be ideal is for DOH to have a control on what data to gather by the MHO to anticipate workload, and decide whether to allow or disallow external entities to gather other data that are not prescribed. I envision that there will be a centralized body (preferably the DOH) that will monitor the flow of data to avoid waste of effort and possible redundancy of data collection.

In order to address this challenge, as researchers and future MS Health Informatics graduate, and with limited resource and influence, research should be conducted to establish problem of the present status quo. As discussed during one of our meetings, an assessment of the data flow of health data in the Philippines to provide a context of the problem would be a good start to push for policy recommendations that are backed up with concrete data and research. With its 16 years of implementation, a vast amount of data is available for research in order to come up with a policy recommendation to improve the governance and shift back to a centralized (DOH) health governance.

Second is to empower the KMITS and give a specific directive to address the problematic data flow and the confusion in the choice of EMR.

The third is to invest in Information Communication Technology infrastructure to help improve the quality of data being conducted at the grassroots level: timely, accurate, legible, complete and secured.

Re-opening the discourse on the topic of de-centralization should come very timely considering the thrust of the current administration for a federal government. Aside from legislation consistent monitoring of outputs and health outcomesРresearch will make this initiative sustainable. A good study design of pre- post or case control is strong enough to prove or improve the effectivity of this initiative in terms of quality of data gathered in an RHIS.

The value of having a quality data for public health is out of the question. I believe that these are far-fetched ideas and might be difficult to achieve anytime soon, but I believe that these are doable and applicable given the circumstance.

I would do my best, after I graduate from this degree, to contribute to this change I am firmly proposing.

Diary ng Student

hi-201-final-output

Hello there, I’m Roy Dahildahil, a graduate of BS Public Health in UP Visayas and a licensed Medical Technologist. I’m currently working at the National Telehealth Center as Research officer and taking my Master’s Degree in Health Informatics ¬†in UP Manila College of Medicine.

For this course, we were asked to write a blog every week to answer the driving questions related to the topic for the week. In Bloom’s taxonomy, creation is a part of the “Higher Order Thinking Skills”. It goes beyond simply learning the facts and concepts, but understanding and applying critical thinking skill in order to create new knowledge, that in essence is documented through our blogs.

Our blogs and write-ups also serve as our digital artifacts for future students or researchers interested in learning about Health Informatics.

After sixteen (16) consecutive weeks of reading journals, and writing blogs, HI 201 exposed me to everything that I should and shouldn’t be expecting in this course I’m taking.

View my journey in this course hereūüôā

20160804_110816

Meet my classmates! (CW) Jappy, AG, Ryan, Eve, Roy (Me)


Listed below are the links to access each of the blog posts for this course, feel free to navigate the site and please do comment on each topic!

  1.  Week 1: Health Informatics and Global Health.
    • What is the relevance of informatics to global health20160818_122558
  2.  Week2: Health Informatics and the Philippine Health System
    “How can we advance the field of health informatics in the Philippines?20160825_111359.jpg

3. Week 3: Health Information Systems in Developing Countries
“How can health information systems be sustainable in developing countries?”

4. Week 4: Governance and Management in Health Informatics
Why are governance and management important in health informatics?

5. Week 5: Establishing the Philippine Health Information Exchange
How can patients access their data from different healthcare providers as they transfer care?

6. Week 6: Enterprise Architecture in Healthcare
In a multistakeholder, multicomponent health information system, how can you ensure that all the players are doing their part?

7. Week 7: Electronic Health Records: Issues and Challenges
What are the issues and challenges in implementing electronic health records in primary care?

20161006_121855

8. Week8: Personal Health Records
What features are considered critical or most useful by users of Personal Health Records?

9. Week 9: Standards and Interoperability
How can healthcare institutions adopt standards to ensure interoperability?

10. Week 10: Clinical Decision Support
How can Clinical Decision Support Systems (CDSS) improve the quality of healthcare?

20161128_114007

11. Week 11: Knowledge Management and Information Retrieval
How can knowledge management improve access to healthcare research?

12. Week 12: Privacy, Confidentiality, Security and Trust
What policies are in place to protect the Filipino patient’s privacy and confidentiality of health information?

13. Week 13: Legal and Regulatory Issues in eHealth
Is the Data Privacy Act adequate to protect confidential health information?

14. Week 14: Telehealth
How can telehealth support healthcare delivery in the Philippines?

15. Week 15: mHealth
How can mobile applications be useful in primary care?


PS. My personal blog will be temporarily (or for good) be used to document my learning in MS Health Informatics. All of my other blog posts are still on this site, you can access them through the navigation bar on the left part of this page. Enjoy! ūüôā

Telehealth and the Telehealth Bill

In June 2012, Congressman Joseph Emilio Abaya, LP filed a bill, labeled as “Telehealth Act of 2012”, that aims to¬†regulate telehealth in the Philippines and set standards for its safe and ethical practice.¬†In the Philippines, there is still a challenged in the lack of clear legal and social guidelines to guide telehealth practice, ensure patient safety and preserve patient information confidentiality [1].
Three years then, Biliran representative Rogelio J. Espina filed a similar bill during the House of Representatives Committee on Health Hearing last January 2015. A committee hearing attended by Dr. Portia Fernandez-Marcelo of the National Telehealth Center (NTHC), and Dir. Jaime Montoya of Department of Science and Technology¬† ‚Äď Philippine Council for Health Research and Development (DOST-PCHRD).¬†The proposed act, actually, is very similar to the Telehealth Act, as it also aims to come up with a regulation on the practice of Telehealth in the Philippines [1].
Telehealth, as defined in the bill by Espina, is interchangeably used with telemedicine, and is defined as a mode of delivering health care services and public health via information and communication technologies to the management of patient’s health care while the patient is at the originating site and health care provider is at a distant site. However, in a¬†stricter sense, telehealth is not the same as telemedicine. Telehealth is “the use of electronic information and telecommunications technologies to support long-distance clinical health care, patient and professional health-related education, public health and health administration” [2], while¬†telemedicine, as defined by the World Medical Association, is the practice of medicine over a distance, in which interventions, diagnostic, and treatment decisions and treatment decisions and recommendations are based on data, documents, and other information transmitted through telecommunications system. While telemedicine refers specifically to remote clinical services, telehealth¬†can refer to remote non-clinical services, such as provider training,¬† and continuing medical education, etc. [3]
The use of telehealth, in essence, the telemedicine, benefits the people especially in the geographically and isolated areas (GIDA) in the Philippines.It is beneficial considering the geographic characteristic of the Philippines, where access to health care, especially in GIDAs, are difficult. The National Telehealth Center, where I’m currently working, pioneered a telemedicine initiative known as the National Telehealth Services Program (NTSP). The vision of the project is to empower the Doctors in the rural areas by connecting them with the experts at the Philippine General Hospital. At a point of care, whenever the doctors in the referring unit have difficulty in diagnosing a certain case, or needs the second opinion, instead of referring the patient to a nearby health facility, the doctor will just email/ SMS the case with all the necessary details to the Referral Hospital through the NTSP platform. With this, time and cost spent by the patient will be reduced since he/she does not need to travel to the Referral Hospitals. Second, for similar cases the doctor may already be able to diagnose and manage these cases, thus empowering his/her skills as a doctor. Lastly, this would also be beneficial to public health as a whole. To site an example, the discovery of an outbreak of Tinea imbrecata in one of the regions in the Philippines was made possible through NTSP. One doctor in the RHU referred a skin disease through the NTSP. The case was triaged by the NTSP to the assigned dermatologist in PGH, where the dermatologist diagnosed it as Tinea imbrecata. A case study immediately came after considering it is a rare skin disease. The case was featured in the FrontRow of GMA news.¬†
tinea-imbricata
(Photo capped from FrontRow, GMA Network)
However, although the perceived benefits of the telehealth, rules and regulations need to be in place to ensure there are check and balances in the practice of telehealth, thus should be the purpose of the telehealth bill. However, although this is the only billed filled in congress, I believe that the bill is half-baked and needs more improvement. For the purpose of this paper, I will site two (or more) sections that for me needs to be revised and be expounded further.
Section 6. Implementing Agency – The Department of Health shall be the lead agency in implementing this act. For the purpose stated, the DOH shall:
     a) establish a National Telehealth Board;
     b) Coordinate with the Department of Science and Technology through its Information and Communications Technology Office (DOST-ICTO)
While telemedicine refers specifically to remote clinical services, telehealth can refer to remote non-clinical services, such as provider training, administrative meetings, and continuing medical education, in addition to clinical services.
Section 7. National Telehealth Board – To ensure the implementation of this Act and to serve as an executive body of the National Telehealth System, the National Telehealth Board shall be created and made an integral part of the Office of the Secretary of DOH.
The Board shall be composed of seven (7) members and shall be chaired by teh DOH Secretary, Members of the Board shall be as follows:
     1) The Secretary of DOST
     2) an Undersecretary of the Department of Interior and Local Government;
     3) a representative from the League of Provinces in the Philippines
     4) a representative from the League of Municipalities
     5) a representative of the Philippine Health Insurance Corporation
     6) a representative of the Associate of Municipal Health Offices;
     7) a representative from the Philippine Medical Association.
Section 6 needs to be revised considering we already have Department of Information and Communications Technology (DICT), DOH will have to coordinate with the DICT and in addition the National Privacy Commission to ensure implementation of the ICT projects. In this section also, it would have been better if the scope and roles of the DICT, and now the NPC will be clearly stipulated.
In section 7, DICT and NPC secretary should be included, Executive Director of the National Institutes of Health, Executive Director, Philippine Council for Health Research and Development (PCHRD), DOST, at the very least. All these offices I added aims to provide guidance on the correct implementation of the telehealth in the Philippines, while the members of the board already stated above is necessary to ensure sustainability of the telehealth.
Also, a separate Article should be allotted to define and set guidelines on the ethics, privacy, confidentiality and safety in telehealth practice. In this article, Section 11-14/16 would be included to elaborate the government’s measures to ensure the ethical and safe practice of telehealth. The last point, I would like to emphasize in this blog is the ambiguity of Section 9. Databases. The bill failed to define “Database”, and in the context of information system database can be interpreted as the complete data records of the interactions, including the names, details of the patients. The word database was used very loosely to signify (maybe) record of transactions using telehealth. That still has privacy and confidentiality issues if not clearly defined.
I believe that the telehealth bill still needs a lot of revisions to be done and consultations with the experts (i.e. Health Informatics graduates) to ensure that concerns and issues regarding telehealth are covered, and individuals rights are safeguarded.
Reference
1 National Telehealth Center retrieved from telehealth.ph
2 Kumekawa J. Telehealth and the Internet. Office for the Advancement of Telehealth, Health Resources and Services Administration, July 2000.http://telehealth.hrsa.gov/pubs/inter.htm.