With the rapid proliferation of hundreds of health information websites and e-health publications, and the commencement of use of electronic health records, we in India are now in an era of information dissemination. This is actually leading to information overload! The end user – the health care consumer, formerly known as a patient – is now deluged with too much information. Public access to specialist information, the cornerstone of accountability, is only a mouse click away. It is estimated that 75% of Internet users surf the Net for medical information at some point in time and almost all feel that they get the information they are looking for. How many of them know that most of the information on the Net has not been peer reviewed or authenticated and is not always reliable? Information Assurance (IA) in healthcare therefore becomes crucial. IA involves ensuring the authenticity, credibility and reliability of the information to which the end user has access. For the purpose of this discussion, information assurance will also include maintaining the sanctity of a patient’s individual health information, considered strictly confidential and sacrosanct. Most stakeholders are still oblivious of the concept of IA. With malpractice and litigation not yet a major problem, awareness of privacy and security issues in health information is also not high.
IA refers to the practice of managing information, protecting confidentiality and ensuring integrity and availability of data. IA also ensures that delivery systems deliver the necessary information only to authorised personnel. These goals are relevant whether the data are in storage, processing, or transit, and whether threatened by malice or accident. Information Assurance means much more than assuring Information Security. IA emphasizes strategic risk management over tools and tactics. It includes corporate governance issues such as audits, business continuity, compliance, disaster recovery and privacy. IA draws from multiple fields, including Fraud Examination, Forensic Science, Management Science, Systems Engineering, Security Engineering and Criminology. Assurance is a measure of confidence that the security features, practices, procedures and architecture of an Information System accurately mediate and enforce the security policy using assured software. Assured Software is software that has been designed, developed, analysed and tested using processes, tools and techniques that establish a level of confidence in its trustworthiness appropriate for its intended use. IA therefore is essentially the process of ensuring that the right people get the right information at the right time. IA in the health care industry is a very recent phenomenon, even globally.
What constitutes “Health Information”? Who should be authorised to update this? How often should this be updated? Who will be the ombudsman overseeing this? To whom should this information be directed? What should be the mechanism for updating? Where should this be done? For whom? Is one justified in resorting to simplification at the cost of scientific accuracy? These are just some of the many, many questions that need to be answered. The average user is not sophisticated enough to critically analyse the loads of different information now easily available and give appropriate weightage to them.
How do we assure that the medical information a patient needs to aid him or her in the decision-making process is factually correct and, more important, relevant to the specific situation?
When providing information to a patient about a proposed surgical procedure, is it necessary to mention the rarest of the rare complications as well? The Supreme Courts of India and the USA, among others, have opined that while obtaining consent from a patient, the physician can use his/her judgement in deciding what information need not be stressed. Even with a medical background this is often difficult. Experience and wisdom cannot always be broken down and fitted into a decision-making tree.
The onset of the 21st century has witnessed a steady increase in the number of stakeholders responsible for an individual’s healthcare. They include medical students, interns, technicians, nurses, staff of the medical records department, hospital administrative staff, hospital pharmacy, immediate family, colleagues, employers, interested third parties including insurance companies and credit card companies, and often, in the case of VIPs, even the press. Do all these various groups of people need to have access to the health information of an individual? Should this be on a need-to-know basis? A few decades ago, knowledge about the health of an individual was strictly confined to a paper medical record which was available only to the family physician. Today, more often than not, it is a team of specialists who are collectively involved in the management of a single patient.
One’s personal health information can theoretically be hacked. In the Indian setting, the concept of the electronic medical record (EMR) is just emerging. Creating awareness, sensitising stakeholders and training the end user about IA in health care should be the first step in implementing Information Assurance. Ensuring suitable policy framing and enforcement of legal measures will automatically follow. However, social, ethical and legal solutions are unlikely to keep up with technology.
The legal aspects of privacy of health information, and the rules and limits on who can have access to an individual’s health information, have to be culture-sensitive and relevant to the needs and local milieu.
Information today is not confined to paper records or electronic records. Sensitive information about a patient can be computed, stored and transmitted using various devices that may or may not interconnect with a network.
Security measures implemented should be based on the local milieu, the facilities available and the degree of security required. Creating awareness, studying cost containment and the feasibility of implementation, and sensitizing and training the end user about privacy and security issues should be the first step. This should be followed by suitable policy framing and enforcement of legal measures. These are as important as using the technology itself. It was Confucius who once remarked that, ‘A journey of a thousand miles begins with the first step’. The time is now ripe for India to take the first steps in implementing Information Assurance in healthcare.