Chapter 5 Health Information Technology Infrastructure, Standards, and Security

Copyright 2021 Foundation of the American College of Healthcare Executives. Not for sale.

Health Administration Press

Learning Objectives

Define and use in context technical terms related to information technology architecture and infrastructure.

Distinguish between the hardware and software components of an information system and provide illustrative examples.

Discuss basic telecommunication concepts.

Describe data storage options, discussing considerations, advantages, and concerns associated with each option.

Discuss data transaction types subject to electronic data interchange regulations.

Identify data standards organizations with influence in the healthcare industry.

Discuss provisions of the HIPAA Privacy and Security Rules.

HIT Infrastructure

All components of an enterprise’s information technology resources, including not only physical elements such as hardware and other equipment, networks, and data centers, but also software, operational and governance policies, and contractual relationships with vendors and partners.

Healthcare Managers

Need conceptual understanding of system components, network structures, standards and regulations, security risks, and trending issues in HIT.

Basic level of knowledge is essential to effective participation in HIT budget development, negotiating system contracts, ensuring regulatory compliance, and assessing enterprise risk associated with information system policies and practices.

First-Generation Computer Technology

The Electronic Numerical Integrator and Calculator (ENIAC)

First computer in the US, completed in 1946 at the University of Pennsylvania

Launched the first generation of computer hardware—devices that used vacuum tubes

Basic model of input – processing – output (IPO)

Second and Third Generations

Transistors and integrated circuitry

Decreased computer size

Increased processing capacity and speed

Improved the user interface

Made technology more affordable

Fourth-Generation Technology

Current technology is well advanced into the fourth generation, which employs microprocessor technology.

A user can hold in one hand a device with more computing power than first-generation computers that required a large controlled-environment room.

Networking capability and the emergence of the Internet and World Wide Web brought connectivity into business, healthcare, and personal activities.

Fifth Generation Is Evolving

Parallel processing and artificial intelligence are hallmarks.

Law of accelerating returns suggests that learning from one innovation informs future innovations for faster development, generating an exponential rate of return with regard to human-created technology.

Computing System Components

Input devices

Processing unit(s)

Output devices

Primary storage and secondary storage

Communications devices

Communication Devices

Create connections that enable the computer to interact with other computers or devices, either within or outside the organization

Give rise to the concepts of networking and telecommunications

Computer Hardware

Physical components and devices configured into an information system; comprises input and output devices, processing units, and storage media

Devices range from very small to very large

Personal computing may use a tablet or smart telephone (or a smart watch), and even these small devices can capture, process, and output data, and connect wirelessly to the Internet or other devices.

HCOs have complex arrays of devices, including diagnostic machines, that serve hundreds of users simultaneously, with myriad functions.

Computer Software

A detailed set of instructions that enables a computer to perform a function is known as a program, and programs are collectively referred to as software.

Healthcare managers need to understand basic software concepts to participate in selecting, implementing, and testing software to maximize the value of their HIT investments.

This understanding includes the purpose and functionality of clinical, business, and communication application software; an awareness of the distinction between integrated and interfaced systems; a recognition of the role of system management software; and a general comprehension of programming languages and language translators.

Data Storage

Size ranges from small, independent devices (thumb or USB drive) to large data warehouses (arrays of servers).

Each device type has unique security issues.

Input – Capturing the Data

The power of an information system can be realized only when data and programs have been entered for processing and information is generated for the user.

Peripheral devices facilitate entering data in a variety of formats, including keyboard or touch-screen entry, optical scanning, and voice input.

Input Devices

Choice of device determined by application design, user skills and preferences, accuracy and speed requirements, and security.

Consider both efficiency and accuracy criteria.

Speed should not be gained at the expense of data quality, patient safety, and information confidentiality.

Input Devices (cont.)

Many current information systems are designed to facilitate data capture at the point of care, such as the patient’s bedside or in other diagnostic or treatment areas.

Data may be captured concurrently with patient examination and treatment (point of care), through voice recorders, medical scribes, or digitally enhanced diagnostic devices.

Data may be entered using computer workstations in or near the patient’s room or by using a portable or handheld device that connects the user to the electronic health record system.

Processing: Converting Data to Information

Hardware requires detailed instructions to perform computing tasks.

A detailed set of computer instructions is known as a program, and programs are collectively referred to as software.

Applications may be either general-purpose or function-specific, and include:

Operating systems

Utilities

Programming languages

Software development tools

Language translators

Operating System

Interface between the human user and the computer

Microsoft Windows

Apple iOS

Linux

Incorporates a graphical user interface (GUI) that uses icons (graphical symbols on the monitor screen) to represent available operating system commands.

User clicks on a given icon with the computer’s mouse or other pointing device to invoke the desired command.

Utilities

General processing, computational functions, system maintenance functions

Virus scanning

Encryption

Application Software

Accomplishes the computing tasks; may be general-purpose or application-specific; often purchased as a “suite” of integrated menu-driven module programs

General-purpose examples

Text processors

Desktop-publishing software

Spreadsheet software

Statistical packages

Database-management software

Presentation graphics software

Web browsers

Application-Specific Software

A computer program designed to solve a single, somewhat specifically defined problem

A good example is a payroll program developed to:

accumulate labor hours

compute deductions

write payroll checks

post summaries to the general ledger

complete forms required by federal and state governments.

Numerous vendors offer an array of application-specific software aimed at the healthcare industry.

All Software…

Consists of a detailed set of instructions describing the specific steps the computer is to perform

Instructions are communicated to the central processing unit (CPU) in a structured programming language

Evolved over time from binary code (0, 1) to instructions resembling spoken language; each generation improved the computer-human interface.

Examples of programming languages include BASIC, COBOL, and Java, all of which have rules and context frameworks.

Evolutionary goal is to achieve natural language input; communicating as with another human.

Software Considerations

In-house developed software can be tailored specifically to the organization’s needs; changes generally are easier to make.

Purchased (or leased) software is generally less expensive, requires less time to get running, and requires fewer in-house computer personnel. Changes must be negotiated with the vendor.

Modifying an existing package attempts to integrate the advantages of both alternatives.

Software Caveats

The quality of available software is variable, and in some cases software purchased at significant expense fails to meet expectations.

All software must be appropriately licensed, and used only as specified by the license.

Operating systems and application software are constantly being revised. Upgrades to major systems come with a cost that may exceed the value of the change, if the current version meets user needs.

Challenges are created by needed interfaces that link disparate software packages and system components. Upgrading one module of an interfaced system may require extensive modification of the interfaced modules.

Processing

For stand-alone computers, processing occurs in the CPU.

Evolution has produced processors that are smaller and faster, handle more volume, and cost less.

Distributed processing connects multiple processors to increase speed and computing power even further, through hardwired or wireless networks.

Local area network (LAN) – connects computers and peripheral devices to share software and output devices, usually within a building or entity.

Wide area network (WAN) – connects a geographically large region with multiple telecommunication networks.

Internet – The Big WAN

Worldwide public WAN, connecting numerous LANs

Distributed computing systems’ components cross multiple networks, and resources and information are shared among an infinite number of users through communication linkages.

The relative ease with which data move across the internet and its widespread acceptability are undeniable.

However, the inherent open access that supports this convenience is not without risk, as data security is a significant challenge.

Output: Making Information Available

The actual work performed by the computer system is of little value until it is produced (output) in a usable format accessible to the user, such as in print, digitally for future processing, or in audio or spoken form.

The goal of the industry is to make data entry and retrieval as simple as possible.

Output Formats

Visual displays

Printed documents

Audio (including voice)

Video Display Device

Oldest and most widely used form of displaying output.

Typically called a monitor for stand-alone output devices, or screens for handheld devices.

Have evolved from small monochrome screens into large, or small, high-resolution liquid crystal displays (LCDs).

Screens can be enabled for touch, thus also serving for input.

Can display images at resolutions high enough to support clinical diagnosis and treatment.

Printers

Early impact devices were similar to typewriters.

Color laser printers are capable of reproducing artwork and detailed diagnostic images.

Key printer characteristics to consider in purchase decisions include memory, resolution, and print speed.

3-D printers can create medical products, such as assistive devices or models used for diagnosis.

Photocopiers also function as printers and scanners.

Audio Output

Current technology provides digitization of sound with good quality.

Digital text can be converted to understandable speech by voice synthesis.

Clinicians can listen to body sounds, such as breathing or heartbeat, from distant locations using a telephone or other audio-transmitting device, allowing expert consultation without patient travel or monitoring of homebound patients with chronic conditions.

Storage: Archiving for Active Use or Mandated Retention

Decision factors for storage media selection include:

Volume

Physical security

Disaster recovery

Expansion planning

Primary and Secondary Storage

Originally, primary storage meant data stored on computer’s internal drive for CPU access.

Primary storage definition has evolved to mean repositories used for transactional data frequently accessed for business and clinical purposes.

Secondary storage definition has evolved from storage on external media to repositories with an archival orientation, accessed infrequently or not at all.

Distinction between primary and secondary is use, not location.

Record Retention and Data Governance

State and federal mandates for retaining business and clinical records

HCOs should have record retention and destruction plans.

The goal for data utility, efficiency, and cost-effectiveness is to capture data once and store it in a single location, and to have the data from that location available as needed by any application or user.

Key issues with regard to data storage include data classification, media used, location, cost, and security.

The real value of the repository—and thus the pivotal decision factor—lies in the accessibility and utility of the data housed inside.

Storage Options

The actual storage required for captured and archived data in a healthcare enterprise is massive, and the associated costs are a significant component of the total HIT cost equation.

How much storage is required for a given application depends on the type and volume of data captured, access and retrieval requirements, and retention requirements.

Storage Considerations

Data format—text or non-text?

Retention requirements

Accessibility needs, i.e., quick and regular, vs. random

Cache or active memory requirements, i.e., image viewing

Storage Location Options

On-premise hardware-based storage – data are housed on hard disks in arrays of network servers.

Off-premise storage – remote data center owned and managed by the enterprise, or a hosted solution outsourced to a vendor.

Cloud storage – off-premise, distributed storage model; data are stored on the internet, generally through a contractual fee-for-service arrangement with an external vendor.

Private – vendor solution dedicated to a single enterprise; better security.

Public – open to any subscriber; costs may be scaled by volume of use.

Storage Expansion Planning

The volume of data produced by healthcare enterprises will only increase.

Data integrity and privacy and security regulations for archived health information will not lessen.

Technology capabilities will continue to evolve, the types of data that can be captured will expand, and the storage media employed will change.

All of these changes will occur rapidly and successively.

Need for Data Governance

The inevitable and constant acquisition and production of data in healthcare enterprises necessitates managing data purging and destruction as well as ensuring adequate storage capacity for archived data.

As storage costs for many options have lessened, some managers have found it easier to expand storage capacity than to design and manage a data governance plan.

A robust approach to information governance is needed, and should encompass organizational policies, business and clinical procedures, technology and infrastructure, and a well-defined accountability framework.

Why Purge?

Unimpeded growth will subsume more of an enterprise’s IT budget than can be reasonably allocated to managing data that has no value to patient care or to business operations.

HCOs need to make deliberate distinctions between data that have ongoing utility or must be retained for regulatory compliance, and data that are retained as a result of insufficient data governance.

Selective archiving and destruction of data should be based on legal and regulatory guidelines to ensure defensible disposal.

Data Governance Plan

A well-documented data governance plan is important to ensure that data are maintained in accordance with business and clinical needs, securely protected to maintain patient privacy and meet regulatory requirements, and properly destroyed at the terminal point of their life cycle.

Disaster Planning and Data Recovery

HCOs are accountable for protecting all medical and patient identification data maintained and used in the facility.

HCOs also must maintain a secure but accessible copy of these data in an off-site location in case information resources are damaged or destroyed by disaster.

This obligation, required by the HIPAA Security Rule’s Administrative Safeguards, increases the secondary storage requirements imposed by the clinical and administrative operational needs of the enterprise.

Communication: Network Connectivity and Interoperability

Integrated system – All modules required to satisfy the organization’s computing needs are purchased from a single vendor. Modules are designed to work with one another so that data transfer among modules proceeds smoothly.

Interfaced system – Required modules may be purchased from separate vendors, usually those thought to be the leader in a particular application area. Connection among modules is achieved via an interface, which acts as a bridge between two modules and translates the data format into one that the receiving module can handle.

Interoperability

Current healthcare environment requires not only connectivity among components of the internal enterprise information system, but exchange of information between computers across industry networks.

Data transfer among various networks and systems, electronic data interchange (EDI), requires data stored in standard formats, or translated between sender and receiver, and agreed-on communication protocols to ensure data integrity after the transfer.

EDI Standards Under HIPAA

Claims and encounter information

Payment and remittance advice

Claims status

Eligibility

Enrollment and disenrollment

Referrals and authorizations

Coordination of benefits

Premium payment

Full Interoperability Is Difficult to Achieve

Early information systems were designed to be fully proprietary, ensuring more market share for vendors.

There remains a lack of agreed-on standards that would ensure a uniform exchange and processing of clinical and financial information between providers.

Not all barriers to full interoperability are technical: The US Department of Health and Human Services (HHS) drafted the Trusted Exchange Framework and Common Agreement to support national network-to-network information exchange.

Data Standards Organizations and Regulation

EDI is more efficient and reliable if the data are created in accordance with a standard that makes data formats and definitions compatible.

Collaborative efforts of consortia and interest groups have made progress in setting standards, but legislation and government regulations have been necessary to maintain forward momentum.

Several federal regulatory agencies enforce HIT legislation and influence best practices (see exhibit 5.2).

Privacy, Physical Security, and Cybersecurity

Data breaches—generally, any unauthorized access to information—are a significant threat for healthcare enterprises, posing both reputational and financial risks.

The HIPAA Breach Notification Rule, enacted under the HITECH Act of 2009, requires that breaches resulting in exposure of 500 or more individual records be reported by the HCO to HHS’s Office for Civil Rights (OCR).

In 2018, the OCR received notice of 351 data breaches involving exposure of more than 13 million health records.

Breaches Are Costly

A survey across 17 industries identified 477 companies that experienced a data breach in the previous year (2017). The average cost of a data breach was $3.86 million, approximately $148 per record stolen.

Financial penalties increase the cost to the breached HCO.

High-profile media releases about individual security incidents damage reputations.

These factors compel healthcare executives to consider information security a high priority in strategic planning and resource allocation.

Privacy

An individual’s right to general privacy is protected by the Fourth Amendment to the US Constitution.

Individuals’ right to privacy of their health information is protected by HIPAA and the modifications to HIPAA made via the HITECH Act and later amendments.

These laws are the most significant and comprehensive legal protections that exist for health information generally, and electronic health information specifically.

HIPAA Privacy Rule

Enforceable for all entities since 2004, binding on any healthcare provider, health plan, or covered entity that transmits health information electronically.

The Privacy Rule ensures protection of individual health records through national standards and governs disclosure and use of the information.

The OCR, which oversees HIPAA enforcement, holds healthcare organizations accountable for protecting PHI under penalty of financial fines and loss of access to federally funded insurance programs, such as Medicare and Medicaid.

HIPAA Security Rule

The Security Rule supports the Privacy Rule by defining technical and nontechnical standards for archiving or electronic transfer of PHI.

The intent of these rules is to allow entities some flexibility in designing policies and procedures to create, store, receive, and transmit PHI electronically, but to safeguard against inadvertent disclosure or unauthorized access to PHI in storage or during transfer.

The rule requires that organizations address security issues with administrative, physical, and technical safeguards; with policies and procedures; and by management of contractual business relationships.

Physical Security

Security means to protect information resources—personnel, hardware, communication devices, and so on—from harm, theft, destruction, or other compromise of the integrity of data or infrastructure.

Protecting the system’s physical security requires a portfolio of approaches: management policies (such as specifying an individual’s system access rights), hardwired security features (such as a firewall), and physical measures such as requiring a code or passkey to enter an off-site server facility.

Ensuring the physical security of information systems is essential to comply with regulatory and legal requirements as well as access control.

Security Is Challenging

The sheer volume of computing devices distributed across the enterprise, portable storage options, mobile device access, number of authorized users, and many other variables converge to make physical security a complex challenge at best.

Well-defined policies, consistent monitoring, and policy enforcement remain pivotal success tactics.

The chief information security officer (CISO) is responsible for developing and enforcing policies and practices to anticipate and mitigate risks to the security of the information system—the physical components, the information in the system, strategic relationships—as well as ensuring compliance with security regulations germane to the enterprise.

HIPAA Security Mandate Elements

Security management processes

Assigned responsibility for security

Management of information access

Security awareness and training

Security incident procedures

Contingency plans

Evaluation

Business associate contracts and other arrangements

Cybersecurity

Protection of internet-connected information systems

Threats are dynamic, as computer viruses and other forms of cyberattacks mutate and evolve to avoid destruction from security approaches deployed by organizations.

ALL connected elements of the system are vulnerable to cyberattack.

End-point devices can put an enterprise information system at risk without any deliberate intent on the part of the user.

Cyberhygiene, adherence to good security practices for internet-connected components, can help protect devices from outside attack.

Cyberhygiene Approaches

Maintain documentation of current system components and connections

Ensure backup of critical data to secure but accessible storage, ideally off-line

Designate storage options by data type (e.g., sensitive, clinical, research, business) to ensure coverage by appropriate security protocols

Maintain current versions of antivirus and antimalware software

Maintain current updates of software to ensure currency of security elements

Enforce policy for regular strong password changes

Limit access and user rights to system components on need-to-know basis

Cybercrime and Ransomware

Ransomware, a type of malicious software, encrypts a computer or computing system to deny access or control by the owner until a ransom is paid.

The virus often attacks the system through infected websites or through a phishing email, a bogus email message that seeks to gain user information to access desired systems such as financial or healthcare data repositories.

Ransomware Attacks in Healthcare

One insurer found healthcare to be the field most targeted for ransomware attacks, accounting for 47 percent of its 2018 data breach claims.

Both the number of attacks and the ransom amounts demanded have increased, with demands as high as $2.8 million.

Issues in the malware itself or unskilled hackers may result in fatal corruption of compromised data or an inability to decrypt data despite payment of the ransom.

Internet of Things

The entirety of devices and objects with unique identifiers that transmit data over the internet without an intermediary person or device.

Based on machine-to-machine communication principles, the IoT is a network of smart devices, including medical devices, numbering in the billions.

Prediction: cybercriminals will increasingly focus their ransomware efforts on smart devices connected to the IoT.

HIT Legislation and Regulations

Law – Intent

Health Insurance Portability and Accountability Act (HIPAA) of 1996 (P.L. 104-191) – Improve portability and continuity of health insurance coverage; combat waste, fraud, and abuse; regulate privacy and security

Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 – Promote HIT, including EHRs and health information exchange

Food and Drug Administration Safety and Innovation Act (FDASIA) of 2012 (Section 618) – Set risk-based regulatory framework for HIT, including mobile applications

HIT Legislation and Regulations (cont.)

Law – Intent

Patient Protection and Affordable Care Act (ACA) of 2010 (P.L. 111-148) – Simplify administrative processes; establish operating rules for transactions; provide unique identifiers for health plans; standards for electronic funds transfer and claims attachments

Medicare Access and CHIP Reauthorization Act (MACRA) of 2015 – Change physician payment models; provide funding for technical assistance

21st Century Cures Act 2018 (P.L. 114-255) – Clarify HIPAA Privacy Rule; advance interoperability; promote medical product development

Takeaways

A robust HIT infrastructure, which comprises all components of an enterprise’s IT resources—physical elements, software, policies, and contractual relationships—is complex, dynamic, and essential to HCO survival.

The healthcare environment is a complex configuration of opportunities to provide high-quality patient care with available technologies, coupled with extensive risks inherent to using those same technologies.

Leaders, managers, and HIT professionals will be challenged to design, maintain, and protect the HCO information resources in a volatile environment—one that is constantly changing as a result of technology advancement, regulatory expansion, and constrained business models.
