Analysis Report Four - Health Privacy and Data Profiling

Author

James Moore

Executive Summary

In the analysis we will dive into the ever changing world of healthcare and the technology that is being implemented at rapid pace. Electronic health records or EHRs have taken the healthcare industry by storm and while the possess many benefit like improved access to patient information and communication, then also come with a lot of security and privacy risks that were not present before. The MIMIC III database will be used as an example to just how much information is actually stored in the EHRs and why the security and protection of them is at the utmost importance. Throughout reading and researching you will see how the federal government is leaving their footprint by establishing things like the HITECH Act in an effort to expedite the roll out of EHRs. In an effort to demonstrate the amount of information in these EHRs and how they are both helpful and harmful, i will use visuals documenting a patient from the MIMIC II database and her admission journey from ICU admission to terminal admission. With these visuals and research I will show you exactly why healthcare organizations must continue to strengthen cyber security whenever possible in order to keep patient care and data as optimal as possible.

Introduction

We have seen unprecedented growth of technology in the healthcare industry over the years. The transition hospitals have taken along with healthcare providers in general is going from paper records to electronic health records or EHR. While these have given us many benefits like increases in access to patient information they also have many downsides around patient privacy, how to protect it, and the strength of the cybersecurity systems within these organizations. The rise of cybersecurity incidents in the healthcare industry, including hospitals, has become a growing threat. According to a 2016 report by IBM and the Ponemon Institute, the healthcare industry has seen an increase in data breaches since 2010, making it one of the most targeted sectors by cyberattacks globally (Okafor et al. (2023)). In order for these organizations to be able co continuing relying on these technological advancements they need be able to balance using them with being able to protect the privacy of their patients.

Along with this comes the pressure from the Federal government. We have seen them throughout many of our readings this term get involved in the healthcare sector to try and influence the implementation of all this new technology. Things such as the Health Information Technology for Economic and Clinical Health Act of 2009 or HITECH were created in an effort to encourage organizations to adopt this technological movement by providing things such as financial incentives. This played a big part in the rapid implementation as it was found that hospitals eligible for the incentives from HITECH saw substantial increases in their use of EHR in comparison to organizations that were not incentive eligible (Adler-Milstein and Jha (2017)).

The Healthcare Context

In the world of healthcare today, we see organizations now relying on EHR more than ever before. They possess an ability to communicate records with hospitals and other healthcare organizations, but at the same time the large amount of sensitive data enclosed in them makes them very vulnerable to cyber attacks. The vulnerability that came with this was not truly recognized until the BetterHelp privacy investigation. May people just assume that their private information is protected under HIPAA, but with telehealth services and other mobile health applications we have seen that is not the case. The FTC in their investigation of BetterHelp said that they were sharing the private information of their users to third party adverting platforms even though they assured the patients using these services that their information would remain private. This investigation and the outcome of it changed how healthcare organizations use the data they get digitally and ensured the transparency of how it is used. The digital companies like BetterHelp from there on had to make sure they were being transparent about information and how it was stored, collected, and protected as the public trust was now very reliant on it following the investigation (Haggin (2023)).

Healthcare cybersecurity is not only affected by situations like what happened with BetterHelp, but in all health organizations in general. As use of technology continues to expand and healthcare organizations expand their digital prowess, their ability to provide top notch cybersecurity is at the forefront of objectives now. Making sure that the patient’s sensitive information is protected is essential. Additionally, being able to make sure the equipment cannot be disrupted is just as important in order to make sure that the patients are able to receive the necessary care they need without interruption. We have seen issues of this globally, In May, 2017, the WannaCry ransomware encrypted data and files on 230,000 computers in 150 countries, and impaired the functionality of the National Health Service (NHS) in England (Ghafur et al. (2019)). Recognizing these threats have caused healthcare organizations to implement things such as multifactor authentication and consistent upgrades to their systems, employee training on cybersecurity and attacks, and much more in an effort to combat this growing challenge faced in the world of healthcare.

We can see that one of the central challenges facing healthcare organizations nowadays is their struggle with technology and balancing it in a way that keeps their patient’s and their information safe. Electronic health records have come in and taken the healthcare industry by storm by giving clinicians improved access to information, but also it has made it harder to protect data, and makes it so more time needs to be taken from patient care in an effort to safeguard the large amounts of data that is now more accessible in cyberattacks than ever before. Along with that these healthcare breaches are also very costly. In 2018, a survey found that health breaches, compared with other types, were the most costly, surpassing sectors like business, banking, and government (Nowrozy et al. (2024)). Combine that with the sensitive information that gets exposed in these attacks we can see more and more why healthcare organizations are making more of an effort than ever before to increase cybersecurity.

Data Visualizations

patient_options <- dbGetQuery(mydb, "
SELECT
    a.subject_id,
    a.hadm_id,
    a.admittime,
    a.dischtime,
    a.deathtime,
    a.diagnosis,
    a.admission_type,
    a.insurance,
    a.marital_status,
    p.gender,
    p.dob
FROM admissions a
JOIN patients p
ON a.subject_id = p.subject_id
WHERE a.deathtime IS NOT NULL
ORDER BY RANDOM()
LIMIT 10;
")

patient_options
   subject_id hadm_id           admittime           dischtime
1       40124  146893 2130-08-12 05:49:00 2130-08-18 15:30:00
2       44154  174245 2178-05-14 20:29:00 2178-05-15 09:45:00
3       10083  134993 2192-11-20 04:34:00 2192-12-07 16:30:00
4       10044  124073 2152-10-02 16:24:00 2152-10-11 15:42:00
5       10132  197611 2123-08-23 20:00:00 2123-09-17 14:00:00
6       10089  190301 2132-08-05 18:48:00 2132-08-08 02:15:00
7       41976  180546 2201-05-12 10:49:00 2201-05-19 14:04:00
8       41976  145024 2202-05-01 22:00:00 2202-05-04 18:42:00
9       40595  116518 2144-10-15 10:46:00 2144-10-24 09:00:00
10      41976  155297 2201-11-16 23:00:00 2201-11-19 16:30:00
             deathtime                            diagnosis admission_type
1                                                 PNEUMONIA      EMERGENCY
2  2178-05-15 09:45:00                ALTERED MENTAL STATUS      EMERGENCY
3                                               HYPOTENSION      EMERGENCY
4                      METASTATIC MELANOMA;BRAIN METASTASIS      EMERGENCY
5                             NON SMALL CELL CANCER;HYPOXIA      EMERGENCY
6  2132-08-08 02:15:00                  BASAL GANGLIN BLEED      EMERGENCY
7                                                    SEPSIS      EMERGENCY
8                                      RESPIRATORY DISTRESS      EMERGENCY
9                               TRACHEAL ESOPHAGEAL FISTULA      EMERGENCY
10                                              SEPSIS; UTI      EMERGENCY
   insurance    marital_status gender                 dob
1   Medicare            SINGLE      F 2063-07-05 00:00:00
2   Medicare           MARRIED      M 1878-05-14 00:00:00
3   Medicare           MARRIED      F 2110-03-25 00:00:00
4   Medicare UNKNOWN (DEFAULT)      F 2071-02-11 00:00:00
5   Medicare           MARRIED      F 2058-04-23 00:00:00
6   Medicare                        M 2046-04-18 00:00:00
7   Medicare           MARRIED      M 2136-07-28 00:00:00
8   Medicare           MARRIED      M 2136-07-28 00:00:00
9   Medicare           MARRIED      F 2068-03-04 00:00:00
10  Medicare           MARRIED      M 2136-07-28 00:00:00

Patient Profile

As previously stated in prior analysis reports, sepsis is something that I have a very familiar relationship with in my family. So I decided to select a female patient who was admitted into the emergency department with a sepsis diagnosis. When admitted she was married and also had private insurance. The EHR shows us demographic information and clinical inforamtio, however a majority of the indetifying information for the patient was removed. This shows us first hand how EHRs both improve patient care, but also shows the holes in it that makes it extra important to take care of the information provided within them.

patient_demo <- dbGetQuery(mydb,"
SELECT
    p.gender,
    p.dob,
    a.admission_type,
    a.insurance,
    a.marital_status,
    a.diagnosis,
    a.admittime,
    a.deathtime
FROM admissions a
JOIN patients p
ON a.subject_id=p.subject_id
WHERE a.hadm_id=182879;
")

patient_demo
  gender                 dob admission_type insurance marital_status diagnosis
1      F 2112-01-20 00:00:00      EMERGENCY   Private        MARRIED    SEPSIS
            admittime deathtime
1 2184-08-04 05:44:00          

ICU Timeline

I then took the liberty of documenting the progress of the patient throughout her ICU admission. The EHR form the MIMIC III database that I used shows both the admission and discharge times which is very helpful as it allows for caretakers to coordinate treatment plans along with being able to identify from beginning to end the patients admission timeline. Being able to have specific times attached to specific things in a patient’s admission is very helpful in finding out how to continue with giving the best care possible while in the ICU and even after their time in the ICU.

icu <- dbGetQuery(mydb,"
SELECT
first_careunit,
last_careunit,
intime,
outtime
FROM icustays
WHERE hadm_id = 182879;
")

icu <- icu |>
  mutate(
    intime = as.POSIXct(intime),
    outtime = as.POSIXct(outtime)
  )

ggplot(icu)+
geom_segment(
aes(
x = intime,
xend = outtime,
y = first_careunit,
yend = first_careunit
),
linewidth = 3
)+
geom_point(aes(x = intime, y = first_careunit), size = 4)+
geom_point(aes(x = outtime, y = first_careunit), size = 4)+
labs(
title = "ICU Timeline During Terminal Admission",
x = "Date and Time",
y = "ICU Unit"
)+
theme_minimal()

Terminal Admission Diagnoses

Finally, I wanted to document the terminal admission and see what was different from the ICU admission. The main factor that we see is that this terminal admission is not just a sepsis case anymore. Chronic conditions have now arose along with many cardiovascular conditions. The patient is now dealing with obesity issues, congestive heart failure, coronary artery disease, cardiogenic shock, congestive heart failure, and atrial fibrillation, and hypertension. The EHR can track each of these and create a profile for the patient that is able to be shared throughout all the necessary departments that will be treating her. This will help figure out what treatments the patient will need along with decision making on which ones are the most vital to be taken care of first.

diagnoses <- dbGetQuery(mydb,"
SELECT
    d.long_title
FROM diagnoses_icd di
JOIN d_icd_diagnoses d
ON di.icd9_code = d.icd9_code
WHERE di.hadm_id = 182879;
")

diagnoses %>%
  count(long_title) %>%
  ggplot(aes(x = reorder(long_title, n), y = n)) +
  geom_col() +
  coord_flip() +
  labs(
    title = "Terminal Admission Diagnoses",
    x = "Diagnosis",
    y = "Count"
  ) +
  theme_minimal()

Recommendations for Industry

My first recommendation for the industry is to find a balance. Yes, this technology and EHRs are able to help out in many ways. However they need to recognize the potential challenges and problems that also come with them and be able to properly defend against them. Until they are able to find that balance that makes the as safe as possible, there will be more instances than not that we find the problems are going to outweigh the benefits.

Additionally, cybersecurity enhances and investments should be at the forefront of all healthcare organizations. In addition to that, they should be updated and tested as often as daily if possible. With how fast technology is growing and how much sensitive data is being brought in every day. the cybersecurity enhances should be following suit instead of just treating it as something that needs to only be done on occasion. By doing that these organizations are leaving themselves very susceptible to cyber attacks more often than not.

References

Adler-Milstein, Julia, and Ashish K Jha. 2017. “HITECH Act Drove Large Gains in Hospital Electronic Health Record Adoption.” Health Affairs 36 (8): 1416–22.
Ghafur, Saira, Emilia Grass, Nick R Jennings, and Ara Darzi. 2019. “The Challenges of Cybersecurity in Health Care: The UK National Health Service as a Case Study.” The Lancet Digital Health 1 (1): e10–12.
Haggin, Patience. 2023. “BetterHelp Barred Under Proposed Settlement from Supplying Health Data for Ads.” The Wall Street Journal.
Nowrozy, Raza, Khandakar Ahmed, ASM Kayes, Hua Wang, and Timothy R McIntosh. 2024. “Privacy Preservation of Electronic Health Records in the Modern Era: A Systematic Survey.” ACM Computing Surveys 56 (8): 1–37.
Okafor, Chiedozie Marius, Abosede Kolade, Tochukwu Onunka, Chibuike Daraojimba, Nsisong Louis Eyo-Udo, Okeoma Onunka, and Adedolapo Omotosho. 2023. “Mitigating Cybersecurity Risks in the US Healthcare Sector.” International Journal of Research and Scientific Innovation (IJRSI) 10 (9): 177–93.