How can hospitals better protect the privacy of electronic medical records? Perspectives from staff members of health information management departments

A scoping review of the drivers and barriers influencing healthcare professionals' behavioral intentions to comply with electronic health record data privacy policy

Objective: Electronic Health Records (EHRs) are now an integral part of health systems in middle and high-income countries despite recognized deficits in the digital competencies of Healthcare Professionals (HCPs). Therefore, we undertook a scoping review of factors influencing compliance with EHR data privacy policies. Methods: Seven databases revealed 27 relevant studies, covering a range of countries, professional groups, and research methods. The diverse nature of these factors meant that 18 separate theoretical frameworks representing technology-acceptance to behavioral psychology were used to interpret these. Results: The predominant factors influencing compliance with EHR data privacy policies included confidence and competence to comply, perceived ease of use, facilitatory environmental factors, perceived usefulness, fear that non-compliance would be detected and/or punished and the expectations of others. Conclusion: Human factors such as attitudes, social pressure, confidence, and perceived usefulness are as important as technical factors and must be addressed to improve compliance.

Information Security Behavior in Health Information Systems: A Review of Research Trends and Antecedent Factors

This study aims to review the literature on antecedent factors of information security related to the protection of health information systems (HISs) in the healthcare organization. We classify those factors into organizational and individual aspects. We followed the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) framework. Academic articles were sourced from five online databases (Scopus, PubMed, IEEE, ScienceDirect, and SAGE) using keywords related to information security, behavior, and healthcare facilities. The search yielded 35 studies, in which the three most frequent individual factors were self-efficacy, perceived severity, and attitudes, while the three most frequent organizational factors were management support, cues to action, and organizational culture. Individual factors for patients and medical students are still understudied, as are the organizational factors of academic healthcare facilities. More individual factors have been found to significantly influence security behavior. Previous studies have been dominated by the security compliance behavior of clinical and non-clinical hospital staff. These research gaps highlight the theoretical implications of this study. This study provides insight for managers of healthcare facilities and governments to consider individual factors in establishing information security policies and programs for improving security behavior.

Theoretical Approach and Scale Construction of Patient Privacy Protection Behavior of Doctors in Public Medical Institutions in China: Pilot Development Study

BACKGROUND

Considering the high incidence of medical privacy disclosure, it is of vital importance to study doctors' privacy protection behavior and its influencing factors.

OBJECTIVE

We aim to develop a scale for doctors' protection of patients' privacy in Chinese public medical institutions, following construction of a theoretical model framework through grounded theory, and subsequently to validate the scale to measure this protection behavior.

METHODS

Combined with the theoretical paradigm of protection motivation theory (PMT) and semistructured interview data, the grounded theory research method, followed by the Delphi expert and group discussion methods, a theoretical framework and initial scale for doctors in Chinese public medical institutions to protect patients' privacy was formed. The adjusted scale was collected online using a WeChat electronic survey measured using a 5-point Likert scale. Exploratory and confirmatory factor analysis (EFA and CFA) and tests to analyze reliability and validity were performed on the sample data. SPSS 19.0 and Amos 26.0 statistical analysis software were used for EFA and CFA of the sample data, respectively.

RESULTS

According to the internal logic of PMT, we developed a novel theoretical framework of a "storyline," which was a process from being unaware of patients' privacy to having privacy protection behavior, that affected doctors' cognitive intermediary and changed the development of doctors' awareness, finally affecting actual privacy protection behavior in Chinese public medical institutions. Ultimately, we created a scale to measure 18 variables in the theoretical model, comprising 63 measurement items, with a total of 208 doctors participating in the scaling survey, who were predominantly educated to the master's degree level (n=151, 72.6%). The department distribution was relatively balanced. Prior to EFA, the Kaiser-Meyer-Olkin (KMO) value was 0.702, indicating that the study was suitable for factor analysis. The minimum value of Cronbach α for each study variable was .754, which met the internal consistency requirements of the scale. The standard factor loading value of each potential measurement item in CFA had scores greater than 0.5, which signified that all the items in the scale could effectively converge to the corresponding potential variables.

CONCLUSIONS

The theoretical framework and scale to assess doctors' patient protection behavior in public medical institutions in China fills a significant gap in the literature and can be used to further the current knowledge of physicians' thought processes and adoption decisions.

Information Security Awareness and Behaviors of Health Care Professionals at Public Health Care Facilities

OBJECTIVES

This study investigated information security behaviors of professionals working in the public health sector to guide policymakers toward focusing their investments in infrastructure and training on the most vulnerable segments. We sought to answer the following questions: (1) Are certain professional demographics more vulnerable to cybersecurity threats? (2) Do professionals in different institution types (i.e., hospitals vs. primary care clinics) exhibit different cybersecurity behaviors? (3) Can Internet usage behaviors by professionals be indicative of their cybersecurity awareness and the risk they introduce?

METHODS

A cross-sectional, anonymous, paper-based survey was distributed among professionals working in public health care organizations in Kuwait. Data were collected about each professional's role, experience, work environment, cybersecurity practices, and understanding to calculate a cybersecurity score which indicates their level of compliance to good cybersecurity practices. We also asked about respondents' internet usage and used K-means cluster analysis to segment respondents into three groups based on their internet activities at work. Ordinary least squares regression assessed the association between the collected independent variables in question on the overall cybersecurity behavior.

RESULTS

A total of 453/700 (64%) were responded to the survey. The results indicated that professionals with more work experience demonstrated higher compliance with good cybersecurity practices. Interestingly, nurses demonstrate higher cybersecurity aptitude relative to physicians. Professionals that were less inclined to use the internet for personal use during their work demonstrated higher cybersecurity aptitude.

CONCLUSION

Our findings provide some guidance regarding how to target health care professional training to mitigate cybersecurity risks. There is a need for ensuring that physicians receive adequate cybersecurity training, despite the opportunity costs and other issues competing for their attention. Additionally, classifying professionals based on their internet browsing patterns may identify individuals vulnerable to cybersecurity incidents better than more discrete indicators such as age or gender.

Influence of Human Factors on Cyber Security within Healthcare Organisations: A Systematic Review

Background: Cybersecurity is increasingly becoming a prominent concern among healthcare providers in adopting digital technologies for improving the quality of care delivered to patients. The recent reports on cyber attacks, such as ransomware and WannaCry, have brought to life the destructive nature of such attacks upon healthcare. In complement to cyberattacks, which have been targeted against the vulnerabilities of information technology (IT) infrastructures, a new form of cyber attack aims to exploit human vulnerabilities; such attacks are categorised as social engineering attacks. Following an increase in the frequency and ingenuity of attacks launched against hospitals and clinical environments with the intention of causing service disruption, there is a strong need to study the level of awareness programmes and training activities offered to the staff by healthcare organisations. Objective: The objective of this systematic review is to identify commonly encountered factors that cybersecurity postures of a healthcare organisation, resulting from the ignorance of cyber threat to healthcare. The systematic review aims to consolidate the current literature being reported upon human behaviour resulting in security gaps that mitigate the cyber defence strategy adopted by healthcare organisations. Additionally, the paper also reviews the organisational risk assessment methodology implemented and the policies being adopted to strengthen cybersecurity. Methods: The topic of cybersecurity within healthcare and the clinical environment has attracted the interest of several researchers, resulting in a broad range of literature. The inclusion criteria for the articles in the review stem from the scope of the five research questions identified. To this end, we conducted seven search queries across three repositories, namely (i) PubMed^®/MED-LINE; (ii) Cumulative Index to Nursing and Allied Health Literature (CINAHL); and (iii) Web of Science (WoS), using key words related to cybersecurity awareness, training, organisation risk assessment methodologies, policies and recommendations adopted as counter measures within health care. These were restricted to around the last 12 years. Results: A total of 70 articles were selected to be included in the review, which addresses the complexity of cybersecurity measures adopted within the healthcare and clinical environments. The articles included in the review highlight the evolving nature of cybersecurity threats stemming from exploiting IT infrastructures to more advanced attacks launched with the intent of exploiting human vulnerability. A steady increase in the literature on the threat of phishing attacks evidences the growing threat of social engineering attacks. As a countermeasure, through the review, we identified articles that provide methodologies resulting from case studies to promote cybersecurity awareness among stakeholders. The articles included highlight the need to adopt cyber hygiene practices among healthcare professionals while accessing social media platforms, which forms an ideal test bed for the attackers to gain insight into the life of healthcare professionals. Additionally, the review also includes articles that present strategies adopted by healthcare organisations in countering the impact of social engineering attacks. The evaluation of the cybersecurity risk assessment of an organisation is another key area of study reported in the literature that recommends the organisation of European and international standards in countering social engineering attacks. Lastly, the review includes articles reporting on national case studies with an overview of the economic and societal impact of service disruptions encountered due to cyberattacks. Discussion: One of the limitations of the review is the subjective ranking of the authors associated to the relevance of literature to each of the research questions identified. We also acknowledge the limited amount of literature that focuses on human factors of cybersecurity in health care in general; therefore, the search queries were formulated using well-established cybersecurity related topics categorised according to the threats, risk assessment and organisational strategies reported in the literature.

Perception of privacy issues and awareness in health-care knowledge management systems: empirical study in Indian health-care context

Purpose

Focusing on the Indian context, with the increase in the amount of data and its analysis in health-care knowledge management (KM), the privacy concerns rise which results in loss of trust of an individual in e-health-care systems. Privacy issues in health care, specific to India, are caused by prevalent complacency, culture, politics, budget limitations, large population and infrastructures. Because of these factors, data security requires a backseat that allows easy access to confidential information. Furthermore, the prevalent culture affects health-care disclosure in India. In many cultures, disclosing sensitive personal health-care data is considered ill mannered. This leads to discrepancies in the recorded health-care data and a decrease in the level of treatment meted out. The results and statistics of treatments given do not match the records because of inaccurate data reporting. With the significant rise in the analysis and use of technology in health-care KM systems, it is important to understand the perception of KM in terms of its use and awareness about data sharing in the KM system. The purpose of the paper is to measure the perception of privacy issues in the context of Indian healthcare management systems.

Design/methodology/approach

To measure the perception of the use of the KM system, a set of 20 questions was circulated with a sample size of 337 which includes health-care researchers, doctors, practitioners and patients. The questions focused upon the use, share the sensitive health data in the KM platform. All the demographic information such as age, sex, religion, occupation is recorded. The privacy of the individual is maintained while circulating the questionnaire. The usage of health KM system and its privacy is measured through means and t-test.

Findings

The results of the t-test were found positive. This research study finds that the privacy factor is important among the Indians to share the information with the KM repository. It is also found that medical practitioners or data custodians are not much serious about sensitive data is being stored for analysis. From the statistical perception of usage of KM and its privacy, new architecture and privacy guidelines were suggested which can be considered in future research.

Research limitations/implications

From the literature review, the questionnaire has developed which can help policymakers and hospital administrators collect information about KM processes in health-care organizations, and this can result in higher performance of health organizations. The privacy factor can also be included in typical health KM architecture ensure that while knowledge acquisition process, privacy of individual or organization can be maintained.

Social implications

KM enhances the value of corporations and business industries through knowledge production, distribution and provides reliable access to the knowledge resources. KM in health care can comprise a confluence of formal methodologies and techniques to facilitate the creation, identification, acquisition, development, preservation, dissemination and finally the utilization of the various facets of a health-care enterprise’s knowledge assets. According to IBM Global executive report in the year 2012, the entire health-care system has changed from diseases-centric to patient-centric. India is emerging in terms of revenue and employment in the health-care field. The advances of information and communication technology help the health-care sector streamline for data structure and access and health analytics.

Originality/value

In India, the KM is frequently used in health-care industries majorly by health-care practitioners and professionals. As health-care data and knowledge are considered to be sensitive, the privacy of an individual while using the data cannot be compromised. The proposed empirical work will provide a solution in determining the main barriers of implementing privacy policies that need to be solved first and to ensure effective implementation of KM in the health care of India.

Medical Sports Data Privacy Protection Method Based on Legal Risk Control

With the continuous development of computer and network technology, the amount of information storage in medical information system is more and more large, which is prone to the problem of privacy information leakage, resulting in irreparable harm. In order to solve the problem of privacy leakage in the medical environment, a new privacy rating method is proposed according to the actual situation of the medical environment. The big data technology is used to effectively mine, analyze, integrate, and reuse medical data, and a new improved model is proposed. At the same time, the medical information system applying the improved model is designed according to the complex actual needs. The purpose of this paper is to correctly understand the positive role of medical sports big data (BD) research in the medical field and standardize the behavior of medical staff. On the one hand, it can improve the safety awareness of patients and enhance the standardization of medical treatment environment. This paper will analyze the meaning and research status of medical data from the perspective of legal risk control, focus on the status quo and existing problems of medical sports data privacy protection, and put forward positive countermeasures and some practical solutions. The results show that the medical sports information data has certain regularity and particularity, ease to spread, and mining. Hospitals and medical staff should make the areas and items restricted by law clear, standardize their own behaviors, constantly sum up experience, and actively improve and modify relevant measures.

An investigation of the status and maturity of hospitals' health information governance in Victoria, Australia

BACKGROUND

Health information governance (IG) in Australian hospitals was hitherto unexplored.

OBJECTIVES

To determine hospitals' health IG status and maturity in Victoria, Australia, identify drivers and barriers affecting IG adoption, examine electronic health data breach response plan usage and assess employees' electronic data breach awareness.

METHOD

Mixed-methods descriptive study utilising an online survey of directors - clinical/health information services and chief health information managers (HIMs) in Victorian hospitals, ≥50 beds.

RESULTS

Response rate: 42.9% (n = 36). Fifty percent (n = 17) of respondent-hospitals had an IG program. IG equally supported decision-making and risk identification and prevention. The greatest potential organisational damages from system disruption or failure were information loss (66.7%) and clinical risks (63.9%). HIMs in 15 (55.6%) hospitals had knowledge to monitor and detect electronic data breaches. Staff in 19 (70.4%) hospitals knew who to inform about a suspected breach. Most hospitals had mature health information-related IG practices, most (88.9%, n = 24) provided IG-related education, 77.8% (n = 21) regularly reviewed data breach response plans. The strongest IG drivers were privacy-security compliance and changes to data capture or documentation practices (82.8%, n = 24); the greatest barriers were implementation complexity (57.1%, n = 16) and cost (55.6%, n = 15).

CONCLUSION

These baseline Australian data show 50% of respondent-hospitals had no formal health IG program. Privacy-security compliance, and audits, needed improvement; however, most hospitals had well-developed medical record/health information IG-relevant schedules, policies and practices. HIMs, the professionals most engaged in IG, required upskilling in electronic data breach detection.

Evaluating people's concern about their health information privacy based on power-responsibility equilibrium model: A case of Taiwan

To address the issue of rising expenditure of healthcare service and to fulfill the skyrocketing demand for quality healthcare, the electronic medical records (EMR) exchange has become a vital and indispensable solution for healthcare facilities in terms of being able to share medical information among healthcare providers. Hence, EMR exchange was expected to improve the quality of healthcare and reduce the cost of repetitive medical check-ups and unnecessary treatments. However, recent reports affirming EMR data leaks and compromises have ignited major worldwide privacy concerns over the security of the EMR systems. How to effectively diminish patients' concern for EMR privacy has thus become an important issue that healthcare institution managers/stakeholders have to address urgently. This study leverages the power-responsibility equilibrium perspective to investigate the antecedents and consequences of concerns for the EMR exchange. A survey using 391 responses collected from medical centers, regional and district hospitals in Taiwan was used to conduct this study. The results show that government regulations have a positive effect on hospital privacy policies. Furthermore, both government regulations and hospital privacy policy are negatively associated with concern for EMR information privacy. Additional reports gathered from this study also showed that concern for EMR information privacy could result in patients' protective responses including refusal to provide personal health information (PHI), removal of PHI, negative word of mouth, complaining directly to the hospital, or complaining indirectly to third-party organizations. These findings demonstrate the need for healthcare facilities to formulate robust privacy policies in order to alleviate patients' concern for EMR information privacy based on governmental regulations. This regulation is top-priority as the incapability of reducing patients' concern for EMR information privacy may lead to the collapse of the campaign for the full-adoption of EMR or possibly jeopardize the promotion and application of EMR among healthcare facilities.

Assessment of Doctors' Knowledge and Attitudes Towards Confidentiality in Hospital Care

The physician's duty of confidentiality is based on the observance of the patient's privacy and intimacy and on the importance of respecting both of these rights, thus creating a relationship of confidence and collaboration between doctor and patient. The main objective of this work consists of analyzing the aspects that are related to the confidentiality of patients' data with respect to the training, conduct and opinions of doctors from different Clinical Management Units of a third-level hospital via a questionnaire. The present study aimed to define the problem and determine whether the opinions of these professionals correspond to those observed in a previous work conducted at the same center. Of the 200 questionnaires that were collected, 62.5% were from consultants and the rest were from residents (37.5%) with an average of 14.4 ± 12.5 years in professional practice. The respondents noted habitual situations in which confidentiality was breached in the reference hospital (74%). The section on their attitudes and behaviors towards situations related to confidentiality showed a slightly lower average score than that of their medical knowledge; significant differences in these scores were observed between the consultants and residents as well as between the extreme age groups (≤ 30 vs. ≥ 51 years) and years of professional practice, thus more inadequate attitudes were consistently noted in younger doctors who had fewer years of experience. Finally, the respondents answered that the training of doctors in the aspects of healthcare law and ethics was the most important measure that the hospital could adopt regarding confidentiality practices.

Health Information Management: Implications of Artificial Intelligence on Healthcare Data and Information Management

Objective: This paper explores the implications of artificial intelligence (AI) on the management of healthcare data and information and how AI technologies will affect the responsibilities and work of health information management (HIM) professionals. Methods: A literature review was conducted of both peer-reviewed literature and published opinions on current and future use of AI technology to collect, store, and use healthcare data. The authors also sought insights from key HIM leaders via semi-structured interviews conducted both on the phone and by email.

Results: The following HIM practices are impacted by AI technologies: 1) Automated medical coding and capturing AI-based information; 2) Healthcare data management and data governance; 3) Fbtient privacy and confidentiality; and 4) HIM workforce training and education.

Discussion: HIM professionals must focus on improving the quality of coded data that is being used to develop AI applications. HIM professional’s ability to identify data patterns will be an important skill as automation advances, though additional skills in data analysis tools and techniques are needed. In addition, HIM professionals should consider how current patient privacy practices apply to AI application, development, and use.

Conclusions: AI technology will continue to evolve as will the role of HIM professionals who are in a unique position to take on emerging roles with their depth of knowledge on the sources and origins of healthcare data. The challenge for HIM professionals is to identify leading practices for the management of healthcare data and information in an AI-enabled world.

Continuance compliance of privacy policy of electronic medical records: the roles of both motivation and habit

Background

Hospitals have increasingly realized that wholesale adoption of electronic medical records (EMR) may introduce differential tangible/intangible benefits to them, including improved quality-of-care, reduced medical errors, reduced costs, and allowable instant access to relevant patient information by healthcare professionals without the limitations of time/space. However, an increased reliance on EMR has also led to a corresponding increase in the negative impact exerted via EMR breaches possibly leading to unexpected damage for both hospitals and patients. This study investigated the possible antecedents that will influence hospital employees’ continuance compliance with privacy policy of Electronic Medical Records (EMR). This is done from both motivational and habitual perspectives; specifically, we investigated the mediating role of habit between motivation and continuance compliance intention with EMR privacy policy.

Methods

Data was collected from a large Taiwanese medical center by means of survey methodology. A total of 312 responses comprised of various groups of healthcare professionals was collected and analyzed via structural equation modeling.

Results

The results demonstrated that self-efficacy, perceived usefulness, and facilitating conditions may significantly predict hospital employees’ compliance habit formation, whereas habit may significantly predict hospital employees’ intention to continuance adherence to EMR privacy policy. Further, habit partially mediates the relationships between self-efficacy, perceived usefulness, facilitating conditions and continuance adherence intention.

Conclusions

Based on our findings, the study suggests that healthcare facilities should take measures to promote their employees’ habitualization with continuous efforts to protect EMR privacy parameters. Plausible strategies include improving employees’ levels of self-efficacy, publicizing the effectiveness of on-going privacy policy, and creating a positive habit-conducive environment leading to continued compliance behaviors.