
    Security Practices and Regulatory Compliance in the Healthcare Industry

    This study examined the adoption of security practices, with the goal of identifying dominant configurations and their relationship to perceived compliance. We utilized survey data from 204 hospitals, including the adoption status of 17 security practices and perceived compliance levels with HITECH, HIPAA, the Red Flags Rules, CMS requirements, and state laws governing patient information security. Using cluster analysis and t-tests, we found three clusters of security practices that are significantly associated with different levels of perceived compliance. The significant differences lay among non-technical rather than technical practices, and the highest levels of compliance were associated with hospitals that employed a balanced approach between technical and non-technical practices (or between one-time and cultural practices). Our results provide security practice benchmarks for healthcare administrators and can help policy makers develop strategic and practical guidelines for practice adoption.

    A novel patient engagement platform using accessible text messages and calls (Epharmix): Feasibility study

    BACKGROUND: Patient noncompliance with therapy, treatments, and appointments represents a significant barrier to improving health care delivery and reducing the cost of care. One method to improve therapeutic adherence is to improve the feedback loops that get clinically acute events and issues to the relevant clinical providers (ranging from detecting hypoglycemic events in patients with diabetes to notifying the provider when patients are out of medications). Patients often don't know which information should prompt a call to their physician, and proactive checks by the clinics themselves can be very resource intensive. We hypothesized that a two-way SMS system combined with a web service platform for providers would enable both high patient engagement and the ability to detect relevant clinical alerts. OBJECTIVE: The objectives of this study were to develop a feasible two-way automated SMS/phone call + web service platform for patient-provider communication, and then to study the feasibility and acceptability of the Epharmix platform. First, we report utilization rates over the first 18 months of operation, including the total number of identified clinically significant events, and second, we review the results of patient user-satisfaction surveys for interventions for patients with diabetes, COPD, congestive heart failure, hypertension, surgical site infections, and breastfeeding difficulties. METHODS: To test this hypothesis, we developed a web service + SMS/phone infrastructure (Epharmix). Utilization was measured by the total number of text messages or calls sent and received, with percentage engagement defined as a patient responding to a text message at least once in a given week, and by the number of clinically significant alerts generated. User satisfaction surveys were sent once per month over the 18 months to measure satisfaction with the system and the frequency and degree of communication.
Descriptive statistics were used to describe the above information. RESULTS: In total, 28,386 text messages and 24,017 calls were sent to 929 patients over 9 months. Patients responded to 80% to 90% of messages, allowing the system to detect 1164 clinically significant events. Patients reported increased satisfaction and communication with their provider. Epharmix increased the number of patient-provider interactions to over 10 on average in any given month for patients with diabetes, COPD, congestive heart failure, hypertension, surgical site infections, and breastfeeding difficulties. CONCLUSIONS: Engaging high-risk patients remains a difficult process that may be improved through novel digital health interventions. The Epharmix platform enables increased patient engagement at very low risk to improve clinical outcomes. We demonstrated that engagement among high-risk populations is possible when health care comes conveniently to where they are.

    Privacy and Security in Multi-User Health Kiosks

    Enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) has become stricter, and penalties more severe, in response to a significant increase in computer-related information breaches in recent years. With health information said to be worth twice as much as other forms of information on the underground market, making the preservation of privacy and security an integral part of health technology development, rather than an afterthought, not only mitigates risk but also helps ensure HIPAA and HITECH compliance. This paper provides a guide, based on the Office for Civil Rights (OCR) audit protocol, for creating and maintaining an audit checklist for multi-user health kiosks. Implementation of selected audit elements for a multi-user health kiosk designed for use by community-residing older adults illustrates how the guide can be applied.

    Safeguarding Against Data Breaches

    Reports of data breaches have increased in the past decade, and compared to other industries these breaches are estimated to be the most expensive in healthcare, affecting millions of patients. One may ask: what is a data breach, what causes it, and how can it be prevented? Particularly vulnerable to breaches is Protected Health Information (PHI) collected by the healthcare provider, that is, any part of the patient's medical record or payment history. Healthcare organizations regularly rely on business associates and covered entities to deliver patient care, and PHI is produced in the process. This study addresses the obligations that business associates and covered entities have toward protecting patient information, the leading causes of breaches (hacking, medical identity theft, and unauthorized access to records), and the measures that can be used to protect against such infringements.

    European hospitals' transition toward fully electronic-based systems: do information technology security and privacy practices follow?

    Background: Traditionally, health information has been kept mainly in paper-based records. This has changed profoundly over approximately the last three decades with the widespread use of multiple health information technologies. The digitization of health care systems contributes to improving health care delivery. However, it also exposes health records to the security and privacy breaches inherently related to information technology (IT). Thus, health care organizations willing to leverage IT for improved health care delivery need to put in place IT security and privacy measures consistent with their use of IT resources. Objective: In this study, 2 main objectives are pursued: (1) to assess the state of implementation of IT security and privacy practices in European hospitals and (2) to assess to what extent these hospitals enhance their IT security and privacy practices as they move from paper-based systems toward fully electronic-based systems. Methods: Drawing on data from the European Commission electronic health survey, we performed a cluster analysis based on the IT security and privacy practices implemented in 1723 European hospitals. We also developed an IT security index, a compound measure of implemented IT security and privacy practices, and compared it with the hospitals' level in their transition from a paper-based system toward a fully electronic-based system. Results: A total of 3 clearly distinct patterns of health IT-related security and privacy practices were unveiled. These patterns, as well as the IT security index, indicate that most of the sampled hospitals (70.2%) failed to implement basic security and privacy measures consistent with their digitization level.
Conclusions: Even though, on average, the most electronically advanced hospitals display a higher IT security index than hospitals where the paper system still dominates, surprisingly, the enhancement of IT security and privacy practices as health information digitization advances in European hospitals appears to be neither systematic nor strong enough with regard to IT security requirements. This study will contribute to raising awareness among hospital managers of the importance of enhancing their IT security and privacy measures so that they can keep up with the security threats inherently related to the digitization of health care organizations. © 2019 Journal of Medical Internet Research. All rights reserved.

    Hacking a bridge: An exploratory study of compliance-based information security management in banking organizations

    This work is approached through the lens of compliant security by drawing on the concepts of neutralization theory, a prominent postulation in the criminology domain, and the 'big five' personality construct. The research is based on a case study of ISO/IEC 27001 certified banks, to empirically evaluate the link between cybersecurity protocol violations and how employees rationalise security behaviour. We propose that compliance-based security has the propensity to produce a heightened sense of false security and vulnerability perception, by showing that systemic security violations in compliance-based security models can be explained by the level of linkage between the personality construct and neutralization theory. Building on survey responses from banking organization employees and the application of partial least squares structural equation modelling (PLS-SEM) to test the hypotheses and validate the survey samples, we draw a strong inference supporting the importance of individual security scenario effects as a vital complementary element of compliance-based security. Based on our initial findings, conceptual principles and practical guidelines for reducing insider threats and improving employees' compliance are presented. We then suggest how information security protocol violations can be addressed in that context.

    An ontology-based compliance audit framework for medical data sharing across Europe

    Complying with privacy requirements in multi-jurisdictional health domains is important as well as challenging. The compliance management process will not be efficient unless it can show evidence of explicit verification of legal requirements. To achieve this goal, privacy compliance should be addressed through a "privacy by design" approach. This paper presents an approach to privacy protection verification by means of a novel audit framework. It aims to allow privacy auditors to examine past data processing events carried out by healthcare organisations and verify compliance with legal privacy requirements. The approach uses semantic modelling and a semantic reasoning layer that can be placed on top of hospital databases. These models allow the integration of fine-grained context information about the sharing of patient data and provide an explicit capture of the applicable privacy obligations. This is particularly helpful for ensuring seamless data access logging and effective compliance checking during audits.

    Information System Security Commitment: A Study of External Influences on Senior Management

    This dissertation investigated how senior management is motivated to commit to information system security (ISS). Research shows senior management participation is critical to successful ISS, but has not explained how senior managers are motivated to participate in ISS. Information systems research shows that pressures external to the organization have greater influence on senior managers than internal pressures. However, research has not fully examined how external pressures motivate senior management participation in ISS. This study addressed that gap by examining how external pressures motivate senior management participation in ISS through the lens of neo-institutional theory. The research design was survey research. Data were collected through an online survey, and PLS was used for data analysis. The sample size was 167, drawn from a study population of small- and medium-sized organizations in a mix of industries in the south-central United States. Results supported three of six hypotheses. Mimetic mechanisms were found to influence senior management belief in ISS, and senior management belief in ISS was found to increase senior management participation in ISS. Greater senior management participation in ISS led to greater ISS assimilation in organizations. Three hypotheses were not supported: no correlation was found between normative influences and senior management belief, between normative influences and senior management participation, or between coercive influences and senior management participation. Limitations of the study included a high occurrence of weak effect sizes on relationships within the model and heterogeneity in industry, organization size, and regulatory requirements across the sample. This study contributes to ISS research by providing a theoretical model to explain how external influences contribute to senior management belief and participation in ISS, and ultimately to ISS assimilation in organizations.
Empirical evidence supports the mediating role of senior management between external influences and ISS assimilation. The findings also suggest some limitations that may exist with survey research in this area. This study benefits practitioners in three ways. First, it reinforces the argument that senior management support is critical to ISS success. Second, it extends understanding of senior management's role in ISS by explaining how IS and ISS management might nurture senior management belief and participation in ISS through industry groups and business partnerships. Third, the results inform government regulators and industry groups how they can supplement regulatory pressures with educational and awareness campaigns targeted at senior management to improve senior management commitment to ISS.