Analysis Report Four - Health Privacy and Data Profiling
Author
Arune Johnson
Executive Summary
Electronic Health Records (EHRs) have changed healthcare by helping improve communication, access to patient information, and clinical decision-making. Although these systems can help improve patient care, they create privacy and security risks. This analysis report looks at a patient from the MIMIC-III database to show the extensive amount of information that is stored within EHRs. Two recent privacy and security incidents, the BetterHelp privacy case and the Change Healthcare cyberattack, show how poor data governance and inadequate security can cause leaks of patient information. Finally, this report recommends ways to strengthen cybersecurity, improve training, and adhere to HIPAA compliance while keeping up with clinical workflows and EHR benefits.
Introduction
The adoption of EHRs within the healthcare field became widespread after the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed. This encouraged healthcare organizations to replace their paper records with digital systems. EHRs can improve patient care by increasing access to clinical information about the patient, reducing medication errors, and supporting clinical decision-making. Physicians relying on certified EHR systems have reported higher levels of patient care improvement than those who use non-certified or less advanced systems [@king2014clinical]. Despite the benefits that EHRs provide to clinical caregivers, healthcare organizations have become targets of cybercriminals because of the large amount of sensitive information stored within these systems [@edemekong2024hipaa]. As healthcare organizations continue to expand their digital health technologies, protecting patient privacy has become a priority alongside improving patient and clinical care [@edemekong2024hipaa].
The Healthcare Context
Today, most healthcare organizations rely on electronic health records to communicate and coordinate with hospitals, clinics, labs, pharmacies, and insurance agencies. These systems improve efficiency and communication regarding patient outcomes, but they also hold a large amount of sensitive and protected health information about the patient. This has made healthcare one of the largest industries for cyberattack threats [@king2014clinical].

The BetterHelp privacy investigation showed how sensitive health information can be shared across a variety of platforms, far beyond the purpose the information was intended for. The Federal Trade Commission stated that BetterHelp shared and disclosed patients’ mental health information to advertising companies and partners despite promising that users’ information was private and secure. The investigation ended in a settlement under which BetterHelp could not share any patients’ health information for advertising purposes and had to pay compensation to any user whose information was shared [@haggin2023betterhelp].

Healthcare cybersecurity does not just affect telehealth, as seen in the 2024 attack against Change Healthcare. This was a ransomware attack that affected hospitals, pharmacies, and multiple healthcare providers across the United States. The breach exposed insurance information, Social Security numbers, financial information, diagnoses, and other sensitive patient information, and it was reported to have affected one-third of the U.S. population. The attack was a wake-up call for healthcare organizations about the importance of keeping patient information safe, because this single cyberattack disrupted patient care across the country and compromised millions of confidential medical records [@rundle2024change].

HIPAA is the legal framework for protecting all protected health information (PHI). HIPAA requires all healthcare organizations to implement administrative, technical, and physical safeguards to protect the information. HIPAA also requires healthcare organizations to have ongoing employee training, regular risk assessments, access controls, and breach notification procedures, so that any unauthorized breaches of patient health information [@edemekong2024hipaa]. The BetterHelp and Change Healthcare information leaks show that EHRs must have established cybersecurity protection, strong governance, and staff education so that patient information security is the priority.
Data Visualizations
patient_options <- dbGetQuery(mydb, "
  SELECT a.subject_id, a.hadm_id, a.admittime, a.dischtime, a.deathtime,
         a.diagnosis, a.admission_type, a.insurance, a.marital_status,
         p.gender, p.dob
  FROM admissions a
  JOIN patients p
    ON a.subject_id = p.subject_id
  WHERE a.deathtime IS NOT NULL
  ORDER BY RANDOM()
  LIMIT 10;
")
patient_options
subject_id hadm_id admittime dischtime
1 42346 180391 2160-12-16 13:47:00 2160-12-21 15:30:00
2 10059 122098 2150-08-22 17:33:00 2150-08-29 18:20:00
3 41976 155297 2201-11-16 23:00:00 2201-11-19 16:30:00
4 40595 116518 2144-10-15 10:46:00 2144-10-24 09:00:00
5 42199 178513 2117-03-21 12:55:00 2117-03-31 12:10:00
6 10124 170883 2192-04-16 20:57:00 2192-05-15 19:28:00
7 43827 149950 2176-07-14 13:24:00 2176-07-18 15:00:00
8 44228 103379 2170-12-15 03:14:00 2170-12-24 18:00:00
9 10033 157235 2132-12-05 02:46:00 2132-12-08 15:15:00
10 40124 146893 2130-08-12 05:49:00 2130-08-18 15:30:00
deathtime diagnosis admission_type
1 PNEUMONIA EMERGENCY
2 2150-08-29 18:20:00 LOWER GI BLEED EMERGENCY
3 SEPSIS; UTI EMERGENCY
4 TRACHEAL ESOPHAGEAL FISTULA EMERGENCY
5 CHEST PAIN EMERGENCY
6 2192-05-15 19:28:00 CONGESTIVE HEART FAILURE EMERGENCY
7 MI CHF EMERGENCY
8 CHOLANGITIS EMERGENCY
9 RENAL FAILIURE-SYNCOPE-HYPERKALEMIA EMERGENCY
10 PNEUMONIA EMERGENCY
insurance marital_status gender dob
1 Medicare SINGLE F 2072-12-03 00:00:00
2 Medicare MARRIED M 2081-01-03 00:00:00
3 Medicare MARRIED M 2136-07-28 00:00:00
4 Medicare MARRIED F 2068-03-04 00:00:00
5 Medicare MARRIED F 2044-06-27 00:00:00
6 Medicare WIDOWED F 2108-12-20 00:00:00
7 Medicare SINGLE F 1876-07-14 00:00:00
8 Private SINGLE F 2112-10-22 00:00:00
9 Medicare MARRIED F 2051-04-21 00:00:00
10 Medicare SINGLE F 2063-07-05 00:00:00
Patient Demographic Profile
The patient that I selected is a female who was admitted to the emergency department with the diagnosis of sepsis. She was privately insured and married when she was admitted. The majority of her identifying information has been removed, but the EHR still shows demographic and clinical information. This shows how EHRs can improve patient care and, at the same time, add responsibility for the healthcare organization to protect the patients’ privacy [@edemekong2024hipaa].
gender dob admission_type insurance marital_status diagnosis
1 F 2112-01-20 00:00:00 EMERGENCY Private MARRIED SEPSIS
admittime deathtime
1 2184-08-04 05:44:00
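An added example, not part of the original report: a base-R check of how many records stay unique on the kind of demographic and clinical fields queried above, which is the residual re-identification risk left after direct identifiers are removed. The rows are constructed (not MIMIC-III data), and the function names `class_sizes` and `k_report` are hypothetical.

```r
# Constructed sample rows; column names mirror the fields queried in this report.
admissions <- data.frame(
  subject_id     = 1:8,
  gender         = c("F", "F", "M", "M", "F", "F", "M", "F"),
  insurance      = c("Medicare", "Medicare", "Medicare", "Medicare",
                     "Private", "Medicare", "Medicare", "Medicare"),
  marital_status = c("SINGLE", "SINGLE", "MARRIED", "MARRIED",
                     "MARRIED", "WIDOWED", "MARRIED", "SINGLE"),
  diagnosis      = c("PNEUMONIA", "PNEUMONIA", "SEPSIS", "CHEST PAIN",
                     "SEPSIS", "CONGESTIVE HEART FAILURE", "SEPSIS",
                     "PNEUMONIA"),
  stringsAsFactors = FALSE
)

# For every row, count how many rows share the same combination of
# quasi-identifier values (the size of its equivalence class).
class_sizes <- function(df, quasi_ids) {
  key <- do.call(paste, c(df[quasi_ids], sep = "\r"))
  as.integer(table(key)[key])
}

# Summarise the risk: the smallest class (the data set's k), how many
# records are unique, and which subject_ids fall below the chosen k.
k_report <- function(df, quasi_ids, k = 2) {
  size <- class_sizes(df, quasi_ids)
  list(
    min_k    = min(size),
    n_unique = sum(size == 1),
    below_k  = df$subject_id[size < k]
  )
}

demographics <- c("gender", "insurance", "marital_status")

# Demographics alone, then demographics plus the admission diagnosis:
# each added clinical field can only split classes, never merge them.
print(k_report(admissions, demographics))
print(k_report(admissions, c(demographics, "diagnosis")))

# One mitigation before sharing an extract: suppress rows whose class is
# smaller than k, then confirm the released rows meet the threshold.
k <- 2
keep <- class_sizes(admissions, c(demographics, "diagnosis")) >= k
released <- admissions[keep, ]
print(k_report(released, c(demographics, "diagnosis"), k = k))
```

Running the same report on a real extract before it leaves the organization shows whether removing names and record numbers was enough, or whether fields such as diagnosis need to be generalized or suppressed first.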
ICU Timeline
This ICU timeline shows the patient’s progress through the intensive care unit during her admission. The EHR shows the admission and discharge times; this helps the clinical staff see the patient’s admission journey and coordinate treatment accordingly. [@king2014clinical] highlights how important accurately time-stamped documentation is in improving the patient’s continuity of care.
The diagnosis records show the journey of the patient’s hospitalization. The patient was later diagnosed not just with sepsis but also with cardiovascular and chronic conditions: cardiogenic shock, congestive heart failure, atrial fibrillation, coronary artery disease, hypertension, and obesity. The EHR is able to track all of these diagnoses and create a comprehensive clinical profile that can be shared across all departments throughout the patient’s treatment. This helps with decision-making and managing the sensitivity of her information [@king2014clinical].
diagnoses <- dbGetQuery(mydb, "
  SELECT d.long_title
  FROM diagnoses_icd di
  JOIN d_icd_diagnoses d
    ON di.icd9_code = d.icd9_code
  WHERE di.hadm_id = 182879;
")
diagnoses %>%
  count(long_title) %>%
  ggplot(aes(x = reorder(long_title, n), y = n)) +
  geom_col() +
  coord_flip() +
  labs(
    title = "Diagnoses Recorded During the Terminal Admission",
    x = "Diagnosis",
    y = "Count"
  ) +
  theme_minimal()
Medications During the Terminal Admission
The medication records show the depth of the patient’s information that is stored within EHR systems. The patient was prescribed multiple medications during the admission to manage her diagnoses. Recording every medication reduces medication errors across all departments and supports her care, which shows the importance of protecting prescription histories from unauthorized access [@king2014clinical].
medications <- dbGetQuery(mydb, "
  SELECT drug, COUNT(*) AS total_orders
  FROM prescriptions
  WHERE hadm_id = 182879
  GROUP BY drug
  ORDER BY total_orders DESC
  LIMIT 10;
")
medications %>%
  ggplot(aes(x = reorder(drug, total_orders), y = total_orders)) +
  geom_col() +
  coord_flip() +
  labs(
    title = "Most Frequently Prescribed Medications",
    x = "Medication",
    y = "Number of Orders"
  ) +
  theme_minimal()
Recommendations for Industry
Healthcare organizations should continue to expand their use of electronic health records and use more complex systems that strengthen privacy and security.
Some of the ways that this can be done:
Providing annual cybersecurity and HIPAA training for all the staff in the healthcare organization to reduce human errors [@edemekong2024hipaa].
Implementing multifactor authentication, stronger access controls, and security audits that are performed regularly [@edemekong2024hipaa].
Have incident response and disaster recovery plans that ensure patient care continues in case of cyberattacks [@rundle2024change].
Be transparent with patients about how and where their health information is being stored, collected, and used [@haggin2023betterhelp].
Invest in certified electronic health record systems that help improve patient care while maintaining privacy protections for all the data [@king2014clinical].
References
@article{king2014clinical,
title={Clinical Benefits of Electronic Health Record Use: National Findings},
author={King, Jennifer and Patel, Vaishali and Jamoom, Eric W. and Furukawa, Michael F.},
journal={Health Services Research},
volume={49},
number={1},
pages={392–404},
year={2014},
doi={10.1111/1475-6773.12135}
}
@article{edemekong2024hipaa,
title={Health Insurance Portability and Accountability Act (HIPAA) Compliance},
author={Edemekong, Peter F. and Annamaraju, Pavan and Afzal, Muriam and Haydel, Micelle J.},
journal={StatPearls},
year={2024},
publisher={StatPearls Publishing}
}
@misc{haggin2023betterhelp,
author={Haggin, Patience},
title={BetterHelp Barred Under Proposed Settlement from Supplying Health Data for Ads},
year={2023},
howpublished={Wall Street Journal},
note={Published March 26, 2023}
}
@misc{rundle2024change,
author={Rundle, James and Stupp, Catherine},
title={Change Healthcare Begins Notifying Providers Following Cyberattack},
year={2024},
howpublished={Wall Street Journal},
note={Published June 20, 2024}
}