Digital PHI Security

From SIS Wiki
Revision as of 22:32, 11 December 2020 by Hb6956 (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Wellbeing Check: Managing Protected Health Information and Data Breaches in the Digital Age

Annotated by Aja Scarlato

Project Definition

This annotated bibliography explores the challenge of securely collecting, managing, and preserving protected health information against possible data breaches. Certain terms and their variations that were successful at returning topical literature include but are not limited to: “confidentiality;” “security;” “protected health information (PHI);” “guideline adherence;” “compliance;” “health information technology;” “privacy;” “Health Information Exchange;” “Health Insurance Portability and Accountability Act;” “electronic health records;” “data breach;” and “data integrity.” The databases ProQuest Research Library, PubMed, and MEDLINE (through EBSCOhost) were used to retrieve items for analysis and selection. The MeSH Terms found in the metadata of potential sources were gathered and utilized to aid in the search for additional resources. All items returned to a subject query on Protected Health Information Management Security where more than 10 citations were examined. The bibliography will discuss neither analog data collection practices, nor topics related to healthcare prior to the implementation of HIPAA. Resources that were published before August 21, 1996 are excluded as this was the date that HIPAA was first enacted. The substance of this bibliography speaks generally to the benefits of managing PHI through digital technology, but the bibliography also demonstrates how PHI weaknesses can lead to millions of data breaches every year.

Annotated Bibliography

Chernyshev, M., Zeadally, S., & Baig, Z. (2019). Healthcare data breaches: Implications for digital forensic readiness. Journal of Medical Systems, 43(1), 1-12. http://doi.org/10.1007/s10916-018-1123-2.

This paper focuses on types of data breaches that can occur in a healthcare setting, specifically those addressing privilege misuse. Privilege misuse, as described within the paper can occur because “users of EMR [Electronic Medical Records] systems often have the ability to access more health information than necessary based on their role and patient context, as evident by the number of breaches caused by misuse or unauthorized internal access,” (p.7). It outlines the multi-faceted vulnerability of health information privacy. The authors propose a form of digital architecture, called “audit logging architecture for EMR systems,” which would be used to facilitate the forensic investigation of PHI data breaches (p.7). This resource provides a helpful list of ways data may become compromised and explains why the proposed digital architecture would be beneficial in combatting data breaches ranging from cyber-attacks to “widespread human errors, misuse and physical actions such as loss and theft,” (p.6).

Collins, J. D., Sainato, V. A., & Khey, D. N. (2011). Organizational data breaches 2005-2010: Applying SCP to the healthcare and education sectors. International Journal of Cyber Criminology, 5(1), 794-810. https://sites.wp.odu.edu/cyse-200/wp-content/uploads/sites/14757/2019/05/collinsetal2011ijcc-module7.pdf

This study explores the various ways in which data breaches would be likely to occur within the healthcare and education sectors, and how to stop them. The article discusses the ways in which both sectors, individually, are vulnerable to attack so that organizations can learn to work proactively against data thieves. One of the major and more general issues discussed here is the lack of federal oversight, with the authors stating that “presently, at the national level there is no all-encompassing law that governs the security of citizens’ sensitive information,” (p.796). This publication deepens our understanding of managing PHI in the face of an increasing number of data breaches, by providing an extensive review of the kinds of organizational data breaches that occurred in the US between 2005 and 2010. The authors argue that “incorporating SCP [Situational Crime Prevention, a “practical application of routine activity theory (RAT) that reduces the frequency of likely criminal opportunities,” (p. 795)] practices into corporate security procedures can be advantageous in reducing the number of deliberate and accidental security breaches,” (p.796). It is concluded that having a centralized federal agency would be an ideal situation for combating a range of data breaches.

Dolezel, D., & McLeod, A. (2019). Managing security risk. The Health Care Manager, 38(4), 322–330. http://doi.org/10.1097/HCM.0000000000000282.

The authors warn of an alarming trend of data breaches going undetected and unreported for prolonged amounts of time. This is damaging for consumers. This article’s theme focuses on identifying “potential root causes associated with health care data breaches and to create a model of potential data breach factors to inform risk assessment and future predictive analysis,” (p.322). The authors have made this possible through developing a “research model to guide organizational risk assessment,” (p. 326). This study provides the reader with a risk assessment model which can be used by health care organizations to highlight risk factors within the organization and take immediate steps to prevent attacks.

Holloway, M., & Fensholt, E. (2013). HHS finalizes HIPAA privacy and data security rules, including stricter rules for breaches of unsecured PHI. Benefits Law Journal, 26(2), 95-102.

This article discusses and outlines the finalization of new rules for privacy and data security for HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH). This article was selected for the bibliography due to its discussion—in part—of HITECH, which was instrumental in detecting and eliminating loopholes within HIPAA requirements. The detection and elimination of loopholes is necessary to prevent data breaches and strengthen the digital security of PHI. The article focuses on “changes to the contracting requirements that apply to a health plan’s service providers, known as ‘business associates,’ as well as changes to the model HIPAA privacy notice and the breach notification requirements,” (p. 95). At the time of its publication (2013), “The US Department of Health and Human Services (HHS) has issued final omnibus regulations that incorporate legislative changes to the Health Insurance Portability and Accountability Act (HIPAA) privacy and data security rules from the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, as well as the Genetic Information Nondiscrimination Act of 2008 (GINA),” (p.95).

Hossain, Mahbub. M., & Hong, Alicia. Y. (2020). Trends and characteristics of protected health information breaches in the United States. Proceedings of the AMIA (American Medical Informatics Association) 2019 annual symposium, March 4, 2020, Bethesda, MD. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7153056/.

This study continues the topic of detecting institutional data security weaknesses by recognizing breach trends. The authors relied on privacy breach statistics from Office of Civil Rights at the U.S. Department of Health and Human Services (OCR) to conduct the study. The authors evaluate “the data breaches incidents in the U.S. between 2010 and 2018, identify the characteristics of breaches involving more than a million records, and compare the changes before and after wide adoption of EHR (Electronic Health Records) in 2015,” (p. 1081). Six reasons for data breaches are listed on p. 1086. This is a necessary source for health informatic researchers who wish to better detect institutional data security weaknesses so that data breaches may be prevented. There are helpful infographics included within the paper which provide a visual aid of data breach characteristics. These graphics are found on p. 1082-1085.

Kayaalp M. (2018). Patient privacy in the era of big data. Balkan Medical Journal, 35(1), 8–17. https://doi.org/10.4274/balkanmedj.2017.0966.

This paper is helpful because it describes another step in securing PHI which is “de-identification,” or the removal of “all unnecessary demographic, date and geographic information from genomic databases and minimizing essential demographic information,” (p.12). The paper discusses the two main de-identification methods and four types of data to be de-identified. The two main de-identification methods (Expert determination and Safe Harbor (p. 11)) and the four types of data (“tabular, image/video, signal, and text data,” (p.12)) are described in detail. The data types each require specific de-identification tools, which include “face and text recognition applications,” (p.12) such as DICOM (Digital Imaging and Communications in Medicine) for image sets, (p.12).

Khan, S. I., Hoque, L., & Sayed, A., Md. (2016). Digital health data: A comprehensive review of privacy and security risks and some recommendations. Computer Science Journal of Moldova, 24(71), 273-292. http://www.math.md/files/csjm/v24-n2/v24-n2-(pp273-292).pdf

This article provides a comprehensive discussion on digital security risks that threaten PHI. The authors argue that healthcare data servers are a common target for cybercriminals. “We have analyzed the data provided by U.S. Department of Health and Human Services and found that hackers are increasingly targeted healthcare servers which is very alarming to national level health information system development” (p.280). The authors outline why PHI is valuable to hackers, which provides insight into why these attacks are increasing in frequency. This article was selected because it provides a thorough explanation of what information cybercriminals find most valuable and lists some recommendations for steps data managers can take to be proactive against data breaches. There are several infographics placed throughout the paper.

Norris, M. (2014). Security risk analysis: How to protect patient records and remain HIPAA compliant. Medical Economics, 91(3), 56-8.

This article describes the need for performing regular security risk analyses to remain HIPAA compliant. It speaks directly to the reader in the second person, directly addressing healthcare providers who may have their own practice. There is discussion about MU (Meaningful Use—the use of certified EHR technology in a meaningful manner (Meaningful Use, 2020)) and the importance of ensuring that business associates and vendors remain HIPAA compliant as is mentioned in the paper cited here by Holloway and Fensholt (2013). It provides a clear example of how healthcare providers and their business associates must remain compliant to ensure that there are no entry points for hackers to access PHI. This directly coincides with the discussion mentioned earlier from the article by Dolezel and McLeod (2019)—that it is possible for data breaches to go undetected for prolonged periods of time. In this case, the breach occurred due to human error instead of an attack by hackers. The article includes an infographic which displays the “5 Security Components for Risk Management” (p.57).

Rezaeibagha, F., Khin Than Win, & Susilo, W. (2015). A systematic literature review on security and privacy of electronic health record systems: Technical perspectives. Health Information Management Journal, 44(3), 23–38.

This literature review discusses the administrative aspect of data management and the role it plays in data security. Compliance with a standard is mandatory throughout all aspects secure data management. Rezaeibagha et al. conclude that “well defined access control policies should be mandated in order to provide patient privacy by limiting the access rights to patient data with proper access control policy languages and standards” (p.30). This paper is thorough in its review and analysis of the data collected and provides direct and clear suggestions for HIPAA compliant technological specifications.

Seh, A. H., Zarour, M., Alenezi, M., Sarkar, A. K., Agrawal, A., Kumar, R., & Khan, R. A. (2020). Healthcare data breaches: Insights and implications. Healthcare, 8(2), (133-151).

This article focuses on digital forensic readiness and predicting future data breaches. The authors argue that the “healthcare industry has faced the highest number of breaches among all industries” (p.2). The paper states that “the discipline of digital forensics aims to extract court admissible evidence by using scientifically designed and validated methods applied to data on digital devices,” (p.6). The authors state that “email and network servers are the main locations from where confidential health data is breached,” (p.16). There are many infographics that depict security attacks, their frequency, and the damage they cause. A discussion on digital forensics follows the discussion on data breaches and their costs to the organizations. Throughout the article, the authors develop and propose “an architecture that incorporates an intelligent real-time artifact identification module which can be deployed alongside the EMS [Element Management System, which is a collector. “A collector is a software module that retrieves topology data from a data source,” (“About EMS Integration,” 2020)] and be integrated into cloud forensic logging service,” (p.11). This article proposes an architecture like the one mentioned in the paper by Chernyshev, Zeadally, & Baig (2019), which is the first resource listed in this bibliography.

Retrieved from "http://wiki.slis.wayne.edu/index.php?title=Digital_PHI_Security&oldid=2472"