IT Security Controls for Closed-Loop Referrals

Words: 2712 Pages: 5

Gap Analysis for Closed Loop Referrals

The need to have appropriate information sharing system when a patient is referred from one clinician to another, or one health facility to the other has been on the rise. There has been a general concern among medical practitioners that the current systems do not allow for adequate sharing of patients’ information during the hand-offs. For this reason, there has been need to close the loop and allow for a comprehensive sharing of information between the clinicians as a way of understand the conditions of the patient better.

Closed-Loop Referrals have become popular as a way of ensuring that health practitioners share patients’ information as appropriate. According to Kelly and Shah (2009), closing the loop, “Implies that clinical information flows easily during a medical referral- the referring clinician is able to let the recipient clinician know the pertinent information about the patient being referred, and the recipient can let the referring clinician know the opinions and recommendations that result from the referral.” This two-way communication design allows the clinicians understand how a patient’s case can be addressed in the most effective manner. Technology has played a pivotal role in making this possible.

It is important to note that despite the progress that has been made in closing the gap during referrals, security gaps have emerged, jeopardizing the positive gains that have been made in this field. These security issues have affected communication in various ways, and to varying degrees. There are cases where these loops have had serious negative consequences to information within given systems. In other cases, the gap has exposed patients’ information to third parties, which is against policies in this sector. It is important to understand these security gaps in order to be able to address them appropriately.

One of the leading security issues in this system is unauthorized users. When this system is developed to enable clinicians share vital information during patient referrals, there are cases where unauthorized users get access to the system. These unauthorized users may be other hospital workers who are not authorized to use this system. This means that they can pass inappropriate message to other users, which may be misleading. To address this issue, users should have their accounts protected by strong passwords to deter unauthorized persons from using them.

Another security issue is the possible eavesdropping by third parties, especially when handling classified customer information. There are cases where third parties get ways through which they can eavesdrop on some important information on patients and share such information with other parties in bad faith (State Health Information Exchange Program, 2012). This security gap may pose serious integrity issue for the health care facility and the practitioners involved. The gap can be controlled by having a secure point of service stations that cannot be accessed easily by third parties.

The issue of corrupt data has also affected the initiative to use telecommunication technologies to close the loop during referrals. Corrupt data refers to any piece of information about a patient that is not accurate as authored by the referring clinician or the receiving practitioner. Corruption of data can occur because of a number of reasons. One of the ways through which data can get corrupt is by deliberate action of unscrupulous individuals who get access to the system and feed wrong information.

Another reason that could bring about corruption of data is a situation where the system has bugs that affect data once it fed into it. Irrespective of the reasons that cause this corruption, corrupt data has serious negative impact on the actions of the health practitioners who are receiving the patient. This is because the data they shall receive may be complete opposite of the true status of the patient. This means that they will start treatment using irrelevant information. As Cress (2012) observes, it better to start treatment with no information at all than to do so with distorted information.

To address this issue, database administrator and operating system administrator should develop strong firewall that will protect data from any interference from external sources. Each of the users of this system must also observe security measures by protecting their accounts with passwords and ensuring that third parties do not have access to their user accounts.

The issue of accountability may also raise security concern, especially when there are a huge number of users sharing the same system. The ultimate aim of this system is to bring together as many health practitioners and healthcare facilities as possible in order to create an efficient way of sharing essential information during the process of referrals. However, the problem comes when the number of users is too high that it becomes impossible to account for information circulating in the system.

Lack of accountability in this sector may result into massive consequences, especially when it becomes impossible to trace specific individuals who could have posted a given information. Lack of accountability also encourages unprofessionalism among the practitioners. They know that they may not be held accountable for their information because they cannot be traced after sharing such erroneous data. To overcome this security gap, the system should have specific users at all times who will be fully responsible for any information coming from their use accounts. Such users will be responsible for ensuring that their accounts remain protected from any form of intrusion. This may involve ensuring that their offices and workstations are not accessible to unauthorized users.

According to Starfield (2008), another security issue that may arise when this system is used to close the loop during referrals is the fact that there will be too many accounts. Each of the users would need their own accounts and this may overstretch the capacity of the system. It is true that the ultimate aim of this strategy is to bring together as many health practitioners as possible within a given region so that they can easily share relevant information about patients during referrals. However, this number should be regulated to enhance security and accountability. There should be a specific number of users per given region to make the system easily manageable. The table below identifies these security gaps.

	Gap #1	Gap #2	Gap #3	Gap #4	Gap #5
Issue Name	Unauthorized users	Eavesdropping on communication	Corruption of data	Lack of accountability	Too many accounts
Confidentiality	Risk: lack of privacy for the users	Risk: Getting classified information only meant for the practitioner handling the patient	Risk: Distorting user’s data and changing it to mean something different from the original message	Risk: Limited commitment to protecting patient’s confidentiality	Risk: Complexity of determining authentic users as there is a possibility of sending information to wrong recipients
Integrity	Risk: possibility of unauthorized users accessing classified information	Risk: possibility of third party knowing sensitive information that is not meant for them	Risk: possibility of a practitioner using wrong data when treating patients	Risk: possibility of some practitioners being reckless in their actions knowing that they will not be held accountable	Risk: high possibility of unauthorized users accessing the system due to high number of accounts (Patti, 2009)
Availability	The system should be designed in a way that it can fend off unauthorized users.	Availability of loopholes for third parties to access information (Patti, (2009)	The system should be made available only at the points where users are determined to be legitimate.	The system should be redesigned to enable sharing information with only accountable users	The system should be centralized per department to avoid numerous accounts within a small locality.
People	Creation of awareness among users as a way of making them appreciates the need to ensure that unauthorized users do not have access to their accounts.	Training users on how to detect and eliminate any form of eavesdropping, especially when talking about classified customer data (Cress, 2012)
Processes	User understanding of the procedures to be used when handling the system
Technologies	Use of multi-factor authentication to fight unauthorized users

Table 1: Security Issues Identified for Gap Analysis for Closed Loop Referrals.

Security Requirements

This Security Requirements section describes key requirements of security rules and requirements in accordance with the HIPAA. The security rule and requirements include information on people covered and the information that is protected. Security requirements also indicate the safeguards that must be in place to place protection of sensitive electronic health information (Department of Health and Human Services, 2009). As an overview, Security Requirements section describes the Security Rule of each provision other than detailed description. Specifically, it is the requirement that the needed security measures must be observed in order to protect the Electronic Protected Health Information (Department of Health and Human Services, 2009).

Confidentiality requirement

The Security Rule requires that all protected health information to be handled with the highest level of confidentiality. According to Department of Health and Human Services (2009), “confidentiality” means that any information deemed to be e-PHI should not be accessible to unauthorized persons or institution. The requirement of the confidentiality security rule is to support prohibitions of the privacy rule against improper disclosures of Protected Health Information (Department of Health and Human Services, 2009).

Integrity and Availability Requirement

The Security rule requires that the integrity of any information deemed Electronic Protected Health Information should be upheld. According to the Security Rule, “integrity” of the information means that e-PHI must not be tampered with, altered or destroyed in any unauthorized way (State Health Information Exchange Program, 2012). Additionally, the “Availability” requirement means that e-PHI should be accessible and usable whenever needed by authorized parties.

Transactions and Code Set Standards

The rule state requires that privacy should be observed as per the standards of the HIPAA Privacy rule. According to the Department of Health and Human Services (2009), the rule on the Transactions and Code Set standards was developed to establish a federal requirement that will protect individually identifiable health information (Wilson, 2006). This is because of the fact that patient information is normally created during the patient cross-examination, then processed and stored by healthcare institutions. Most of the information that is gathered at such interactions is in electronic formats and not as paper records or oral communications. In this case, transaction standards include all electronic transactions considered to be protected under the HIPAA (Department of Health and Human Services, 2009). Therefore, it also includes the transaction between a physician and a health insurer.

HIPAA unique identifiers rule

Entities that are covered by the HIPAA are required to identify covered healthcare providers in transactions identified as standard (American Medical Association, 2013). This requirement covers organizations such as health providers handling protected electronic transactions, large health plans, covered small health plans and healthcare clearinghouses. They should comply with this rule by using the National Provider Identifier (NPI). Fully covered entities and small health plans must use the NPI from May 2008 while all covered entities using Electronic Protected Health Information must use a new single NPI from May 2006. The requirement however does not replace the DEA number or any other personal identification details of a provider (Wafa, 2010).

Privacy Rule

The HIPAA Privacy Rule regulates disclosure and the use of Protected Health Information (PHI) that is held by organizations regarded as “covered entities.” These entities include health care clearinghouses and hospitals. The HIPAA privacy rule also extends to cover independent contractors of the affected entities. According to the requirement, these entities must not disclose Protected Health Information to any unauthorized individual unless when required to do so by law.

Security Rule

The rule on Security Standards requires that from April 2003, all covered entities and small plans must put security safeguards that comply with administrative, technical and physical protection of Electronic Protected Health Information (Department of Health and Human Services, 2009). The Security Rule generally complements the rule on Privacy as it pertains to Protected Health Information such as paper and electronic data.

The requirement lays out security standards for various covered entities to enable them evaluate their own security situation. The requirement also helps such organizations to determine how to implement the specified specifications (American Medical Association, 2013). Among the standards and specifications include administrative policies and procedures, contingency plans, technical measures, internal audits policies and evaluation of potential security violations (Department of Health and Human Services, 2009).

Compliance and Enforcement Rule

The enforcement requirement was issued in regard to HIPAA enforcement from March 2006. According to Wilson (2006), the Rule demands implementation of all security and control measures under the HIPAA. Any violation to HIPAA rules attracts penalties after the established investigation and hearing are satisfied (Department of Health and Human Services, 2009).

Breach Notification Rule

This requirement protects Electronic Protected Health Information against any anticipated or impermissible use or disclosure. The rule protects any protected health information from all anticipated leakages that fit the definition of “significant harm.” Such leakage could be caused by breach of security measures or anticipated unauthorized access (Wilson, 2006). In 2013, the rule was updated to include more scrutiny of covered entities to determine the extent of any reported breaches that had been unreported (Department of Health and Human Services, 2009). Through the rule, organizations should proof that potential harm had occurred that could potentially expose protected health information.

Applicable government regulations

The government has set various regulations and standards that govern how the above requirements should be met and implemented. The state requires all covered entities to adopt all issued policies and procedures. In addition, the government demands compliance of covered entities with the requirements of the Security Rule. Therefore, a covered entity must maintain written policies and security procedures in addition to written records in relation to the required actions. This should be complied with as long as the entity handles protected health information. A covered entity is also required by the government to review and update its documentation on regular basis. This is in response to organizational and environmental changes protected health information.

Recommended Security Controls

Req. No.	Control ID	Control Name	Description	Priority	Est. Cost
1	AC-1	Previous logon (access) notification	Confidentiality requirement. Protected health information should be handled with the highest level of confidentiality. The confidentiality requirement is enhanced by notification of access to such information.	P0	Priority 1
	AC-2	Previous logon (access) notification	Integrity and Availability Requirement. Integrity of Electronic Protected Health Information to be upheld with no unauthorized access or alteration to information. Using previous login notifications, the authorized people will identify any unauthorized access to the Electronic Protected Health Information if any.	P1	Priority 1
3	AC-3	Concurrent Session Control	Transactions and Code Set Standards. To protect individually identifiable health information that is considered protected. Control of concurrent access to Electronic Protected Health Information will limit the access to authorized people only and notify users of any piggy backing.	P2	Priority 1
4	AC-3	Concurrent Session Control	Unique Identifiers Rule. The concurrent session control will facilitate the observance of the unique identifiers rule by giving notifications of the breach of uniqueness of an access session. To ensure only authorized access to protected electronic transactions in covered entities as identified by the HIPAA standard, this control is Priority 1important.	P1	Priority 1
5	AC-2	Previous logon (access) notification	Privacy Rule: To protect access to rooms with identifiable health information that is protected. Privacy rule will be facilitated by the indication of the previous logon information by assuring the user of the previous privacy.	P1	Priority 1
6	AC-1	Access Enforcement	Security Rule: security of the protected information will be facilitated by access enforcement control by allowing only authorized access. To enforce security safeguards that comply with administrative, technical and physical protection of e-PHI	P1	Priority 1
7	AC-3	Access Enforcement	Compliance and Enforcement Rule: Access measures to implement security and control measures under the HIPAA and prevent violation to HIPAA rules. If access enforcement is well complied with, the protection of the sensitive health information will be possible through the observation of this requirement.	P1	Priority 1
8	AC-3	Concurrent Session Control	Breach Notification Rule: To protect e-PHI against anticipated and impermissible access or disclosure. Also to report any breach to the overall control measures and information leakage.	P1	Priority 1

Table 2. Recommended Security Controls from NIST 800-53 used to Satisfy HIPAA Requirements.

References

American Medical Association. (2013). Understanding the HIPAA standard transactions: The HIPAA Transactions and Code Set rule. Web.

Cress, C. (2012). Handbook of geriatric care management. Sudbury: Jones & Bartlett Learning.

Department of Health and Human Services. (2009). Summary of the HIPAA security rule. Web.

Kelly, K. M., & Shah, S. M. (2009). Emergency neurology: Principles and practice. Cambridge: Cambridge University Press.

Patti, R. J. (2009). The handbook of social welfare management. Thousand Oaks: Sage Publications. 225 (4), 33–6.

Starfield, B. (2008). Primary care: Balancing health needs, services, and technology. New York: Oxford University Press.

State Health Information Exchange Program. (2012). Getting to impact: Harnessing health information technology to support improved care coordination. Washington, DC: The Office of the National Coordinator for Health Information Technology.

Wafa, T. (2010). How the Lack of Prescriptive Technical Granularity in HIPAA Has Compromised Patient Privacy. Northern Illinois University Law Review, Volume 30, Number 3.

Wilson, J (2006). “Health Insurance Portability and Accountability Act Privacy rule causes ongoing concerns among clinicians and researchers”. Ann Intern Med, 145 (4), 313–6.