Information Security Policies
It is an established principle of information system management that information should be shared subject to confidentiality requirements. Therefore, the healthcare organization involved in this discussion (hereinafter called the ‘hospital’) has established clear policies for providing access to hospital information among its employees, physicians, interns, contractors, vendors and other agents dealing with the hospital, subject to the security of information.
This policy was developed with the intent of making the required information available while protecting and preserving all such information, in any form, generated and owned by the hospital, including all administrative, clinical and academic information. The policy also covers information in the possession of the hospital, irrespective of its source. The salient point of the policy is that hospital staff who act as either information providers or information users should not access or modify information without proper authorization, whether intentionally or unintentionally.
In order to protect the confidentiality, integrity and security of patient health data within the information infrastructure, the hospital applies a series of best practices to improve patient care and clinical workflow. The information system policies and procedures also have the ability to meet the compliance challenges with strength and confidence.
It is the patient’s right that his/her medical data should be kept as confidential as possible. This has necessitated applying all possible security measures. In order to maintain confidentiality, the hospital has developed a universal patient identifier. The Unique Patient Identification Number (UPIN) has been found to be essential in sharing the data and information from the EMR and the medical computer networks for the whole healthcare information system functioning in the hospital.
This is a 10-digit identification number used for all patient-related activities including registration, treatment, billing, and statistics. The use of UPIN, in my opinion, although protected to some extent, can easily spread over to other domains, making it inappropriate in areas like sensitive personal medical data. To be more secure, the UPIN can be extended to include some additional personal information, like the date of birth or the first two characters of the father’s name.
Availability and Access Control
The assignment of access control is one of the main challenges to be tackled by the information systems manager of the healthcare organization. The hospital has developed an access control policy based on the needs and requirements of each user for access to different medical information. For effective control, the hospital has divided the electronic medical record (EMR) into the following categories:
- unidentified information to be used for clinical studies,
- identified administrative and financial information to be used for diagnoses, treatment and hospital stay,
- identified information representing basic patient-related data to be used by the physicians for emergency purposes, (This information will have access only to limited personnel and
- identified patient information representing the current health status of patients (Mircheva).
Reliability of information is vital to improving the quality of healthcare services. According to a study, approximately 50% of serious medication errors have resulted from insufficient information (Bates & Gawande 2003). The hospital has adopted well-established national quality measurement and reporting standards for collecting and disseminating information among users. The hospital has also invested large sums of money in sophisticated information technology equipment and software to ensure the reliability and quality of the data and information handled at various functional levels.
Bates DW, Gawande AA. (2003). Improving safety with information technology. N Engl J Med, Vol. 348, pp. 2526-34.
Mircheva I. Aspects of healthcare computer networks security in the education of students of medicine and healthcare management. Web.