Analysis Report Four - Health Privacy and Data Profiling
Author
James Moore
Executive Summary
In the analysis we will dive into the ever changing world of healthcare and the technology that is being implemented at rapid pace. Electronic health records or EHRs have taken the healthcare industry by storm and while the possess many benefit like improved access to patient information and communication, then also come with a lot of security and privacy risks that were not present before. The MIMIC III database will be used as an example to just how much information is actually stored in the EHRs and why the security and protection of them is at the utmost importance. Throughout reading and researching you will see how the federal government is leaving their footprint by establishing things like the HITECH Act in an effort to expedite the roll out of EHRs. In an effort to demonstrate the amount of information in these EHRs and how they are both helpful and harmful, i will use visuals documenting a patient from the MIMIC II database and her admission journey from ICU admission to terminal admission. With these visuals and research I will show you exactly why healthcare organizations must continue to strengthen cyber security whenever possible in order to keep patient care and data as optimal as possible.
Introduction
We have seen unprecedented growth of technology in the healthcare industry over the years. The transition hospitals have taken along with healthcare providers in general is going from paper records to electronic health records or EHR. While these have given us many benefits like increases in access to patient information they also have many downsides around patient privacy, how to protect it, and the strength of the cybersecurity systems within these organizations. The rise of cybersecurity incidents in the healthcare industry, including hospitals, has become a growing threat. According to a 2016 report by IBM and the Ponemon Institute, the healthcare industry has seen an increase in data breaches since 2010, making it one of the most targeted sectors by cyberattacks globally (Okafor et al. (2023)). In order for these organizations to be able co continuing relying on these technological advancements they need be able to balance using them with being able to protect the privacy of their patients.
Along with this comes the pressure from the Federal government. We have seen them throughout many of our readings this term get involved in the healthcare sector to try and influence the implementation of all this new technology. Things such as the Health Information Technology for Economic and Clinical Health Act of 2009 or HITECH were created in an effort to encourage organizations to adopt this technological movement by providing things such as financial incentives. This played a big part in the rapid implementation as it was found that hospitals eligible for the incentives from HITECH saw substantial increases in their use of EHR in comparison to organizations that were not incentive eligible (Adler-Milstein and Jha (2017)).
The Healthcare Context
In the world of healthcare today, we see organizations now relying on EHR more than ever before. They possess an ability to communicate records with hospitals and other healthcare organizations, but at the same time the large amount of sensitive data enclosed in them makes them very vulnerable to cyber attacks. The vulnerability that came with this was not truly recognized until the BetterHelp privacy investigation. May people just assume that their private information is protected under HIPAA, but with telehealth services and other mobile health applications we have seen that is not the case. The FTC in their investigation of BetterHelp said that they were sharing the private information of their users to third party adverting platforms even though they assured the patients using these services that their information would remain private. This investigation and the outcome of it changed how healthcare organizations use the data they get digitally and ensured the transparency of how it is used. The digital companies like BetterHelp from there on had to make sure they were being transparent about information and how it was stored, collected, and protected as the public trust was now very reliant on it following the investigation (Haggin (2023)).
Healthcare cybersecurity is not only affected by situations like what happened with BetterHelp, but in all health organizations in general. As use of technology continues to expand and healthcare organizations expand their digital prowess, their ability to provide top notch cybersecurity is at the forefront of objectives now. Making sure that the patient’s sensitive information is protected is essential. Additionally, being able to make sure the equipment cannot be disrupted is just as important in order to make sure that the patients are able to receive the necessary care they need without interruption. We have seen issues of this globally, In May, 2017, the WannaCry ransomware encrypted data and files on 230,000 computers in 150 countries, and impaired the functionality of the National Health Service (NHS) in England (Ghafur et al. (2019)). Recognizing these threats have caused healthcare organizations to implement things such as multifactor authentication and consistent upgrades to their systems, employee training on cybersecurity and attacks, and much more in an effort to combat this growing challenge faced in the world of healthcare.
We can see that one of the central challenges facing healthcare organizations nowadays is their struggle with technology and balancing it in a way that keeps their patient’s and their information safe. Electronic health records have come in and taken the healthcare industry by storm by giving clinicians improved access to information, but also it has made it harder to protect data, and makes it so more time needs to be taken from patient care in an effort to safeguard the large amounts of data that is now more accessible in cyberattacks than ever before. Along with that these healthcare breaches are also very costly. In 2018, a survey found that health breaches, compared with other types, were the most costly, surpassing sectors like business, banking, and government (Nowrozy et al. (2024)). Combine that with the sensitive information that gets exposed in these attacks we can see more and more why healthcare organizations are making more of an effort than ever before to increase cybersecurity.
Data Visualizations
patient_options <-dbGetQuery(mydb, "SELECT a.subject_id, a.hadm_id, a.admittime, a.dischtime, a.deathtime, a.diagnosis, a.admission_type, a.insurance, a.marital_status, p.gender, p.dobFROM admissions aJOIN patients pON a.subject_id = p.subject_idWHERE a.deathtime IS NOT NULLORDER BY RANDOM()LIMIT 10;")patient_options
subject_id hadm_id admittime dischtime
1 40124 146893 2130-08-12 05:49:00 2130-08-18 15:30:00
2 44154 174245 2178-05-14 20:29:00 2178-05-15 09:45:00
3 10083 134993 2192-11-20 04:34:00 2192-12-07 16:30:00
4 10044 124073 2152-10-02 16:24:00 2152-10-11 15:42:00
5 10132 197611 2123-08-23 20:00:00 2123-09-17 14:00:00
6 10089 190301 2132-08-05 18:48:00 2132-08-08 02:15:00
7 41976 180546 2201-05-12 10:49:00 2201-05-19 14:04:00
8 41976 145024 2202-05-01 22:00:00 2202-05-04 18:42:00
9 40595 116518 2144-10-15 10:46:00 2144-10-24 09:00:00
10 41976 155297 2201-11-16 23:00:00 2201-11-19 16:30:00
deathtime diagnosis admission_type
1 PNEUMONIA EMERGENCY
2 2178-05-15 09:45:00 ALTERED MENTAL STATUS EMERGENCY
3 HYPOTENSION EMERGENCY
4 METASTATIC MELANOMA;BRAIN METASTASIS EMERGENCY
5 NON SMALL CELL CANCER;HYPOXIA EMERGENCY
6 2132-08-08 02:15:00 BASAL GANGLIN BLEED EMERGENCY
7 SEPSIS EMERGENCY
8 RESPIRATORY DISTRESS EMERGENCY
9 TRACHEAL ESOPHAGEAL FISTULA EMERGENCY
10 SEPSIS; UTI EMERGENCY
insurance marital_status gender dob
1 Medicare SINGLE F 2063-07-05 00:00:00
2 Medicare MARRIED M 1878-05-14 00:00:00
3 Medicare MARRIED F 2110-03-25 00:00:00
4 Medicare UNKNOWN (DEFAULT) F 2071-02-11 00:00:00
5 Medicare MARRIED F 2058-04-23 00:00:00
6 Medicare M 2046-04-18 00:00:00
7 Medicare MARRIED M 2136-07-28 00:00:00
8 Medicare MARRIED M 2136-07-28 00:00:00
9 Medicare MARRIED F 2068-03-04 00:00:00
10 Medicare MARRIED M 2136-07-28 00:00:00
Patient Profile
As previously stated in prior analysis reports, sepsis is something that I have a very familiar relationship with in my family. So I decided to select a female patient who was admitted into the emergency department with a sepsis diagnosis. When admitted she was married and also had private insurance. The EHR shows us demographic information and clinical inforamtio, however a majority of the indetifying information for the patient was removed. This shows us first hand how EHRs both improve patient care, but also shows the holes in it that makes it extra important to take care of the information provided within them.
gender dob admission_type insurance marital_status diagnosis
1 F 2112-01-20 00:00:00 EMERGENCY Private MARRIED SEPSIS
admittime deathtime
1 2184-08-04 05:44:00
ICU Timeline
I then took the liberty of documenting the progress of the patient throughout her ICU admission. The EHR form the MIMIC III database that I used shows both the admission and discharge times which is very helpful as it allows for caretakers to coordinate treatment plans along with being able to identify from beginning to end the patients admission timeline. Being able to have specific times attached to specific things in a patient’s admission is very helpful in finding out how to continue with giving the best care possible while in the ICU and even after their time in the ICU.
Finally, I wanted to document the terminal admission and see what was different from the ICU admission. The main factor that we see is that this terminal admission is not just a sepsis case anymore. Chronic conditions have now arose along with many cardiovascular conditions. The patient is now dealing with obesity issues, congestive heart failure, coronary artery disease, cardiogenic shock, congestive heart failure, and atrial fibrillation, and hypertension. The EHR can track each of these and create a profile for the patient that is able to be shared throughout all the necessary departments that will be treating her. This will help figure out what treatments the patient will need along with decision making on which ones are the most vital to be taken care of first.
My first recommendation for the industry is to find a balance. Yes, this technology and EHRs are able to help out in many ways. However they need to recognize the potential challenges and problems that also come with them and be able to properly defend against them. Until they are able to find that balance that makes the as safe as possible, there will be more instances than not that we find the problems are going to outweigh the benefits.
Additionally, cybersecurity enhances and investments should be at the forefront of all healthcare organizations. In addition to that, they should be updated and tested as often as daily if possible. With how fast technology is growing and how much sensitive data is being brought in every day. the cybersecurity enhances should be following suit instead of just treating it as something that needs to only be done on occasion. By doing that these organizations are leaving themselves very susceptible to cyber attacks more often than not.
References
Adler-Milstein, Julia, and Ashish K Jha. 2017. “HITECH Act Drove Large Gains in Hospital Electronic Health Record Adoption.”Health Affairs 36 (8): 1416–22.
Ghafur, Saira, Emilia Grass, Nick R Jennings, and Ara Darzi. 2019. “The Challenges of Cybersecurity in Health Care: The UK National Health Service as a Case Study.”The Lancet Digital Health 1 (1): e10–12.
Haggin, Patience. 2023. “BetterHelp Barred Under Proposed Settlement from Supplying Health Data for Ads.”The Wall Street Journal.
Nowrozy, Raza, Khandakar Ahmed, ASM Kayes, Hua Wang, and Timothy R McIntosh. 2024. “Privacy Preservation of Electronic Health Records in the Modern Era: A Systematic Survey.”ACM Computing Surveys 56 (8): 1–37.
Okafor, Chiedozie Marius, Abosede Kolade, Tochukwu Onunka, Chibuike Daraojimba, Nsisong Louis Eyo-Udo, Okeoma Onunka, and Adedolapo Omotosho. 2023. “Mitigating Cybersecurity Risks in the US Healthcare Sector.”International Journal of Research and Scientific Innovation (IJRSI) 10 (9): 177–93.