Information security strategy in telemedicine and e-health systems : a case study of England’s shared electronic health record system

Mohammad, Yara Mahmoud

January 2010

Shared electronic health record (EHR) systems constitute an important Telemedicine and e-Health application. Successful implementation of shared health records calls for a satisfactory level of security. This is invariably achieved through applying and enforcing strict, and often quite complicated, rules and procedures in the access process. For this reason, information security strategy for EHR systems is needed to be in place. This research reviewed the definition of different terms that related to electronically stored and shared health records and delineated related information security terms leading to a definition of an information security strategy. This research also made a contribution to understanding information security strategy as a significant need in EHR systems. A major case study of the National Programme for IT (NPfIT) in England is used to be the container of other two sub-case studies in two different Acute Trusts. Different research methods used: participant observation and networking, semi-structured interviews, and documentary analysis. This research aimed to provide a comprehensive understanding to the information security strategy of England’s EHR system by presenting its different information security issues such as consent mechanisms, access control, sharing level, and related legal and regulatory documents. Six factors that influence the building of an information security strategy in EHR systems, were identified in this research, political, social, financial, technical, clinical and legal. Those factors are considered to be driving the strategy directly or indirectly. EHR systems are technical-clinical systems, but having other factors (than technical and clinical) that drive this technical-clinical system is a big concern. This research makes a significant contribution by identifying these factors, and in addition, this research shows not only how these factors can influence building the information security strategy, but also how they can influence each other. The study of the mutual influence among the six factors led to the argument that the most powerful factor is the political factor, as it directly or indirectly influences the remaining five factors. Finally, this research proposes guidelines for building an information security strategy in EHR systems. These guidelines are presented and discussed in the form of a framework. This framework was designed after literature analysis and after completing the whole research journey. It provides a tool to help putting the strategy in line by minimising the influence of various factors that may steer the strategy to undesirable directions.

020

Avaliação do grau de conformidade às normas e recomendações em gestão da segurança da informação digital em hospitais / Assessment of the level of conformity of hospitals to electronic information security standards and recommendations

Gottberg, Heitor Neves [UNIFESP]

28 July 2010

Made available in DSpace on 2015-07-22T20:49:35Z (GMT). No. of bitstreams: 0 Previous issue date: 2010-07-28 / CONTEXTO: A confidencialidade, integridade e disponibilidade das informações de pacientes são demandas intrínsecas aos serviços hospitalares e, atualmente, a informatização vem crescendo no dia a dia operacional destas instituições. OBJETIVO: O objetivo desta pesquisa é realizar uma avaliação exploratória sobre o grau de conformidade de um grupo de hospitais aos requisitos de gestão da segurança da informação digital a partir de normas e recomendações da literatura quando do uso dos sistemas de registro eletrônico de saúde (S-RES). MÉTODOS: A partir do estudo de normas internacionais e da resolução 1821/07 do CFM, desenvolvemos um ―padrão ouro‖ da gestão da segurança da informação e dos Sistemas de Registro Eletrônico em Saúde, elaborando um questionário disponibilizado via Internet onde cada hospital pode conseguir um grau estimado de conformidade com este padrão e identificar quais áreas estão mais (ou menos) próximas do nível desejável. RESULTADOS: A partir das respostas obtidas com um grupo de hospitais, obtivemos um grau de conformidade médio em processos de gestão de segurança da informação de 37% (em uma escala de 0% a 100%) e de 38% na conformidade dos S-RES. CONCLUSÃO: Concluímos demonstrando que o tema da segurança da informação é incipiente nas preocupações e investimentos hospitalares e que, apesar de existir material específico, os gestores ainda não implementaram as soluções que atendam às características específicas do setor de saúde. / CONTEXT: Confidentiality, integrity and availability of patient information are intrinsic to hospital services and nowadays computerization is growing in day to day operations of these institutions. OBJECTIVE: This work intends to assess the level of conformity to the standards and literature recommendations in Information Security of an exploratory group of hospitals using Electronic Health Records Systems (EHR-S). METHODS: From the study of international standards and of resolution 1821/07 of the Federal Council of Medicine (CFM), we have developed a ―gold standard‖ of information security management and electronic health record systems, elaborated a questionnaire and released it via the Internet where each hospital can achieve an ―estimated‖ degree of compliance with this standard and identify which areas are more (or less) compliant to this desirable level. RESULTS: From the replies obtained with a group of hospitals, we have seen an average a degree of compliance of 37% in information security management processes (on a scale from 0% to 100%) and 38% in compliance of EHR-S. CONCLUSION: We finalize showing that the issue of information security management (ISM) is incipient on concerns and investments of hospitals, and that even though specific knowledge and material is available, managers have not yet implemented solutions that meet the specific characteristics and information security demands of the healthcare industry. / TEDE / BV UNIFESP: Teses e dissertações

Gestão da informação

Informática em saúde

Segurança da informação de saúde

Gestão hospitalar

Sistema de informação

Health informatics

Health information security

Information management

Hospital management

Information systems