Health Service Executive
(HSE)
EHR – Electronic Health Records
Contents
- Introduction
- Introduction to the organisation
- EHR – Electronic Health Records
- Review of current organisation/sector
- Vision/ Goals of Organisation
- EHR – a pillar of eHealth Strategy
- Key components of the EHR
- ICT within healthcare reform
- IT structure and approach to IT (estimate)
- SWOT Analysis
- Stakeholder Analysis
- The key stakeholders are:
- The below key risks have been identified, with the risk to data security being the main one
- Risk Review /mitigation / controls / effectiveness of controls
- References
- Appendixes
- a) E-Health org structure
Introduction
Information Management Systems (IMS) offer many advantages and opportunities if they are set up properly and managed and controlled effectively and are supporting an organization’s work. The scope of the IMS is determined by the needs and expectations of the stakeholders.
As laid out in detail on their website http://www.ehealthireland.ie/, the HSE’s new e-health strategy includes the setup of an IMS of Electronic Health Records (EHR) nationwide i.e. for the whole of Ireland.
Availability of personal data, in this case patient health records, offers a lot of benefits but at the same time puts the security of this data at risk. The bigger the volume of data and the higher the number of people accessing the personal data of individual patients, the higher the risk to data security and the exposure to external threats. Increased benefits for patient healthcare, socio-economic benefits and new opportunities go hand in hand with increased risks and vulnerability of the system.
An IMS of that scale i.e. on the national level, creates a challenge for Information Management System Security (IMSS) and IT. It requires an architecture that champions data security and compliance with GDPR.
Such a system requires buy in from management, stakeholders and staff as well as expert solution architects and substantial, continuous government funding during the length of the project.
As the HSE is a public service organization, compromised data and data leaks will result at least in loss of faith in the EHR IMS amongst the public and potentially also in a loss of trust in any medical evaluations and treatment programs designed which are based on electronic patient records. In the worst case scenario compromised health records can result in loss of life.
Therefore, data security is the most important concern which if compromised will destroy the public’s trust in the HSE and its new e-Health strategy irreparably and will jeopardize the vital buy-in from management and stakeholders.
According to a research study commissioned by McAfee (Samani, 2016) patient records are a most wanted commodity in the dark web and the EHR IMS will need to prevent and address such external threats if it is to succeed in supporting the organization’s work.
This paper will discuss benefits, opportunities and the cost associated with EHR as well as the risks which will, if not controlled, cancel out any possible benefits and advantages. It is this aspect of looking into benefits and gains versus high risk to data security that makes the EHR so interesting from an IT perspective.
As the general public / patients are amongst the stakeholders the HSE’s eHealth initiative should be of concern and interest to everyone.
Introduction to the organisation
The HSE is responsible for providing all public health services in Ireland in hospitals as well as local communities throughout Ireland.
Goals of the HSE:
- Providing health services as well as social care services all over Ireland
- Deliver the best health services and medical care to everyone in the country
- Ensuring access for everyone in Ireland to safe and quality care
In response to advances in technology and increased internet usage as well as demographic and other factors, changes in healthcare are required urgently to support the goals set by the HSE.
A new strategy for the healthcare sector is required to address these changes and also to meet the challenge set by the EU’s task force report “European Union eHealth Action Plan 2012-2020”(2012). The aim of this study and EU strategy is to provide access to high level healthcare for all European citizens.
Part of the organisation’s new strategy is eHealth, with the EHR (Electronic Health Record) initiative at its core. Patient records will be available online for all medical professionals in order to increase efficiency of the healthcare delivery systems as well as to drive economic growth and development by providing better care for the individual patient.
In the centre of the new healthcare delivery system is the patient and the patient will be empowered to pursue their health and wellbeing and the provision of the healthcare services.
EHR – Electronic Health Records
What is eHealth (Electronic Health)? It demands the integration of all the information and sources of information which are involved with the delivery of healthcare through technology Information Management Systems.
Amongst others, this includes patients and their health records as part of a digital supply chain which involves a high level of automation as well as the sharing of information.
Review of current organisation/sector
Organisation Structure
The HSE employs over 100,000 people, whose job it is to run all of the public health services on a national level in Ireland. As patients are at the centre of this organization, the HSE manages its services through a structure that is designed to support that. An overview of the principles, policies, procedures and guidelines can be found in the HSE Code of Governance.
It’s by these Policies and Guidelines that the HSE directs and controls its functions and oversees its business. This code is meant to guide the Directorate, leadership groups/teams and everybody else working with the HSE as well as the agencies funded by the HSE, in doing their duties to the greatest standards of responsibility, integrity and propriety.
Representatives from city and county councils are organized respectively in four Regional Health Forums. The below org chart (Figure 1) which can be found on the HSE website (https://www.hse.ie/eng/about/who/) gives a more detailed insight into the HSE structure.
Figure 1 – HSE org chart – https://www.hse.ie/eng/about/who/ – last accessed 23-12-2018
Vision/ Goals of Organisation
Strategy of Organization
- Introduction of a national EHR (Electronic Health Records) system / IMS (Information Management System)
This is part of the Integrated Services Framework (ISF) to bring standardization to the HSE’s specialised, application and information architectures. This is also part of the e-Health strategy for Ireland. The access to high quality, accurate and timely information is essential to efficient medical staff and patient relationships resulting in improved results.
- The EHR IMS will permit the electronic storage of medical records and evaluations utilising a special individual identifier on a nationwide level. The digital patient documents are shared securely with proper patient consent as outlined at the eHealth Strategic Programme (http://www.ehealthireland.ie/Strategic-Programmes/Electronic-Health-Record-EHR-/)
EHR – a pillar of eHealth Strategy
The production and sharing of crucial patient data lie at the center of the national EHR solution. This solution will unite core operational systems (with functions like ePrescribing and Case Management) with the aggregation of information from such systems into a comprehensive nationwide record, which is available to health and healthcare professionals, service users and carers. As one of the pillars of the eHealth strategy, the EHR system will make patient information available and accessible across the various organizations within the remit of the HSE.
The programme is currently focused on the design of the overall implementation strategy and roadmap that:
- Combines pragmatic use of existing systems
- Meets special needs like the introduction of the Children’s Hospital Group as an ‘Electronic/digital hospital’ in 2019
- Supports HSE reform’s broader objectives
- Extends the capability offered across care settings and organisations in a phased strategy.
This design stage will require extensive consultation with clinical, administrative, managerial and technical stakeholders to make sure the design is driven by the requirements of those groups, with the support needed to guarantee success in future implementation. This is a complicated and large transformation programme, requiring a substantial investment within 10 – 15 decades.
Key components of the EHR
As outlined in the National Business Case (9), the below 4 key components constitute the National EHR for Ireland:
- National Shared Record
- Community Operational Systems
- Acute Operational Systems
- Integration Capability
Benefits of EHR
There are a number of potential benefits of a national EHR IMS. Amongst these are increased patient safety and high quality of care, lower risk of error in diagnostics and treatments as well more efficient administration and socio-economic benefits. This valuable knowledge database based on the collection of data facilitates advanced medical knowledge and so much better management of disease and healthcare planning.
Figure 2 – EHR benefits – http://www.ehealthireland.ie/Strategic-Programmes/Electronic-Health-Record-EHR-/
Background
The HSE has experienced serious issues in the past, for example long waiting lists for medical care and increased costs (, EHR-Vision-and-Direction).
According to a recent article in the Irish Times (https://www.irishtimes.com/news/ireland/irish-news/rcpi-calls-for-implementation-of-electronic-health-records-1.3504892), the Royal College of Physicians of Ireland (RCPI) has supported the call for the full implementation of electronic patient records, stating such a move would help to protect patient privacy. Data privacy has been and still is an issue, as patient records exist in paper format and are at times exposed to staff who have no need to access them.
Future delivery of health care
A new entity called “eHealth Ireland” will be created, initially on an administrative basis inside the System Reform Group (SRG) of the HSE. The Chief Information Officer (CIO) will work closely with each of the major business organisations within healthcare, so as to push the eHealth strategy and make sure that key IT systems are implemented on time and to budget.
A new IT strategy for the health system as by state and government Health Information and Quality Authority (HIQA) a including financing, legal agencies like the Health Services Executive ICT Directorate and SRG, the Empowering, public awareness, stakeholder participation and construction the eHealth Ecosystem.
Figure 3 – national EHR system – http://www.ehealthireland.ie/Strategic-Programmes/Electronic-Health-Record-EHR-/
A national Electronic Health Record (EHR) has been identified by HSE National Directors and clinical leaders as a key component requirement for the future delivery of healthcare. While technology solutions are a key component, the national EHR programme represents a substantial transformation in their use. There’ll be a main focus on the way clinicians and administrative personnel utilise this technology in a manner that closely aligns with and underpins the ambition for integrated care and other national healthcare reform priorities.
ICT within healthcare reform
IT structure and approach to IT (estimate)
ICT is going to be an element in healthcare reform. Ireland has embarked on an ambitious journey of healthcare reform, in recognition of the need to radically alter health provision to meet the challenge of providing sustainable, high-quality care for the whole population. Knowledge and information are a core strength of the health system, and developing and applying that advantage efficiently is vital to improving performance throughout the system. The capacity to document and share crucial information on individuals’ and service users’ interactions across organisations and care settings is an integral part of eHealth and provides advantages for individuals, service users, carers, health and social care professionals and broader stakeholders in healthcare. The programme intends to exploit the capacity of ICT to deliver better, safer and more personalised care consistently.
IT resources
- IT Manager, Technical and Solution Architects, IT Project Manager, IT engineers
- 3rd party software development / implementation vendors (vetting in progress)
Facilities
- Hospitals, starting with the National Children’s Hospital
- Private practices
- Ambulances
Equipment
- PCs
- Smartphones
- Laptops
- Tablets
Budget
The HSE / EHR is dependent on government funding and budgets will be allocated as below over the next couple of years:
The Minister for Health has vowed to bring proposals to government in coming months about how to move this program forward and it’s planned that the first hospital setting to get an electronic health record (EHR) will be the New Children’s Hospital in Dublin.
The Government will spend $60 million on health IT in 2018, $70 million in 2019, $85 million in 2020 and $87 million in 2021.
The Government intends to spend $55 million on health services information and communications technology (ICT) this year and next year. The HSE recently filed a business case for a national EHR for Ireland, which would provide a digital platform across the acute, community and primary care settings, allowing the connectivity required to support models of integrated care; €412 million will be spent over six years.
PESTEL
Definition: A PESTEL, PEST or PESTLE analysis is a framework or tool used to analyze and monitor the macro-environmental factors that have an impact on an organization. Its results are used to identify threats and weaknesses, which in turn feed into a SWOT analysis.
PESTEL Analysis

| Political | Economical | Social | Technological | Environmental | Legal |
|---|---|---|---|---|---|
| Government funding EU | Services from 3rd party vendors | general public, medical staff, HSE admin staff | ever changing technology | external factors such as natural disaster | GDPR* |
| ROI | IT expertise | | | | |
| system architecture | | | | | |
| digitalization, broadband | | | | | |

*GDPR: “General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA areas.” (https://www.dataprotection.ie/en)
SWOT Analysis
Definition: SWOT analysis is a strategic planning technique used to help an organization identify strengths, weaknesses, opportunities, and threats related to project planning.
SWOT

| Strengths | Weaknesses | Opportunities | Threats |
|---|---|---|---|
| qualified and experienced healthcare admin staff & medical professionals (GPs etc.) | dependency on government funding | co-operation with other departments/organizations for better services | rapidly changing technology |
| nationwide network | no such system exists yet | new funding initiatives for improved IT infrastructure | budget deficits |
| extra ordinary IT infrastructure | delays in implementing system fully | efficient training and educational programs for staff & medical professionals | un-necessary political intervention |
| efficient & fast service e.g. access to patient health records | delayed ROI | initiatives for better management | data security leaks |
| improved treatment/ health of patients | Dependency on 3rd party vendors | economic opportunity through the use of technology enabled solutions | data integrity issues |

Stakeholder Analysis
The key stakeholders are:
- Office of the Chief Information Officer (IT etc.)
- General public (patients)
- Medical Professionals (Hospitals, GPs, Ambulances etc.)
- Admin / Clerical
- Finance (CFO)
- Department of Health / Minister of Health
- eHealth Ireland Board
- PR / Head of PR & marketing
Risks
The below key risks have been identified, with the risk to data security being the main one.
Confidentiality
- Information security breach
Integrity
- Incorrect and /or missing data / data quality issue
Availability
- Project delays / system not ready when needed
- External & functional threats resulting in loss of data/ unavailability of data
- Insufficient architecture
- Loss / disruption of funding
- Lack of competence of 3rd party vendors
Risk / Effect review
Confidentiality
Cause: Information security breach
There is a high demand for medical records on the black market as they are more valuable than financial records. Electronic health records can sell for as much as €40, compared to just €1 for credit cards in the dark web. Medical records are more valuable because their theft is harder to detect and more difficult to resolve and medical history cannot be cancelled.
Effects:
Individual patient data is available to others – GDPR violation by the organization (legal) as well as identity theft (criminal); loss of reputation of organization as well as possibly loss of funding
Integrity – Data Quality Issue
- Cause: Human error due to unskilled resources/sabotage; lack of buy-in; due to external hacking
Effects:
- Results in potentially wrong medication/treatment of patients caused by compromised data
- Blackmail/ phishing attempts threatening data integrity
Availability – external threats
Effects:
• Loss of data; data not accessible when needed affects patient care / service provision
• System failure
• IT architecture issues i.e. IT not delivering expected outcome
• Technology not up to date; technical vulnerability
• Planning, delay of implementation i.e. system not available when needed = financial impact
• Loss or disruption of funding & ROI issues
Risk Review /mitigation / controls / effectiveness of controls
To ensure risks are reviewed, controlled and measured on a regular basis it is essential to create and maintain a risk register.
A risk register should state the risk, the controls in place and the measuring of the effectiveness of these controls.
Management support and buy-in are essential in managing risks and controls / improvements as lack of support filters down to other stakeholders and negatively affects the whole IMS implementation and maintenance process.
Please find the three main risks plus controls and how the effectiveness of these is measured below:
Confidentiality – Information security breach
Risk Mitigation: Set up a system of user access controls
Data security education of users
Set up system of controls
- Create access control policy
- Circulate access control policy amongst all users as compulsory reading
- Raise awareness regarding unauthorized access requests, e.g. Phishing emails
Measuring of effectiveness of controls
- Send fake phishing emails to see who clicks on the links
- Get all users to docu sign the access policy and certify awareness
- Visual inspection – check for exposed / written passwords
Implementation of user access control system
Set up system of controls
- Register IP addresses and associated passwords to check if a different IP address is used
- Password encryption – minimum of 2 passwords
- Requirement to change passwords once a week
- Privacy screens on laptops & monitors
- Limited network access on a per need basis which is password restricted
- Technology always up to date to prevent vulnerability i.e. unauthorized external access
- Sophisticated / best of anti-virus software / malware protection in use
Measuring of effectiveness of controls
- Run log file to check passwords used against IP addresses
- Visual inspection at facilities – check hardware in use for privacy screens
- Engage professional hacker to test vulnerability of system / network and performance of malware protection when simulating a zero day attack
- Send regular updates to users of the latest security threats and how to avoid them
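The log review listed above, checking each login's source address against the addresses registered for that account, could look like the following added example (not part of the original essay). The log format, account names and addresses are constructed, and the check keys on the account name rather than on any password value.

```python
import ipaddress
from collections import defaultdict

# Constructed registry: networks each account is expected to log in from.
REGISTERED = {
    "nurse.a": ["10.20.1.0/24"],
    "gp.b": ["10.30.5.17/32"],
    "admin.c": ["10.20.9.0/28", "10.40.0.4/32"],
}

# Constructed sample log: timestamp, account, source address, outcome.
SAMPLE_LOG = """\
2018-12-20T08:01:12Z nurse.a 10.20.1.44 SUCCESS
2018-12-20T08:03:40Z gp.b 10.30.5.17 SUCCESS
2018-12-20T08:05:02Z gp.b 203.0.113.9 SUCCESS
2018-12-20T08:05:59Z admin.c 10.20.9.3 FAILURE
2018-12-20T08:06:10Z admin.c 198.51.100.23 FAILURE
2018-12-20T08:06:11Z admin.c 198.51.100.23 FAILURE
2018-12-20T08:07:30Z temp.d 10.20.1.50 SUCCESS
this line is malformed
2018-12-20T08:09:00Z nurse.a not-an-ip SUCCESS
"""


def parse_line(line):
    """Return (timestamp, user, ip, outcome) or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("SUCCESS", "FAILURE"):
        return None
    try:
        ip = ipaddress.ip_address(parts[2])
    except ValueError:
        return None
    return parts[0], parts[1], ip, parts[3]


def review_log(log_text, registered):
    """Flag logins from unregistered addresses and from unknown accounts."""
    allowed = {
        user: [ipaddress.ip_network(n) for n in nets]
        for user, nets in registered.items()
    }
    findings = []
    skipped = 0  # unparseable lines are counted, not silently dropped
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        ts, user, ip, outcome = rec
        if user not in allowed:
            findings.append((ts, user, str(ip), outcome, "unknown-account"))
        elif not any(ip in net for net in allowed[user]):
            findings.append((ts, user, str(ip), outcome, "unregistered-ip"))
    return findings, skipped


def summarise(findings):
    """Count findings per account; accounts with successful logins sort first."""
    counts = defaultdict(lambda: {"SUCCESS": 0, "FAILURE": 0})
    for _, user, _, outcome, _ in findings:
        counts[user][outcome] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1]["SUCCESS"], kv[0]))


if __name__ == "__main__":
    found, bad = review_log(SAMPLE_LOG, REGISTERED)
    for f in found:
        print(*f)
    print("unparseable lines:", bad)
    print(summarise(found))
```

A successful login from an unregistered address is the finding to review first; a non-zero count of unparseable lines means the log source itself needs checking.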
Continuous improvement
Learn from any security breaches and constantly review and adjust controls
Integrity – Integrity Issue
Set up system of controls:
- Staff competency – training of users entering and managing data on system use
- Create quality and security objectives (management) and circulate to raise awareness
- Ensure buy in of staff to provide high quality of data into the system
- Completeness of data / timeliness of data in system – funding to be secured
- Planning for contingencies timewise
- Management buy in
- Enough resources no overworked staff etc
- Raise awareness regarding unauthorized access requests, e.g. Phishing emails
- Raise awareness of blackmail to corrupt data
Measuring effectiveness:
- Send fake phishing emails to see who clicks on the links
- Quarterly financial reports (P&L)
- Status reports (weekly) to check if project implementation milestones are being met
- QA data entered to ensure quality & integrity of data
- Send regular updates to users of the latest security threats to data integrity and how to avoid them
Continuous improvement:
- Retrain users, run refresher sessions of training
- Update / improve training documentation
Availability – external threats
Set up system of controls:
• Monitor project milestones
• Manage & monitor financials
- Facility inspections / test – check for vulnerabilities to environmental threats such as flooding, defect facility equipment, fire hazards physical e.g. water damage
- Create emergency response plan & engage all necessary stakeholders to ensure awareness
- Ensure systems are fully functioning
- Manage Hardware functionality & to ensure latest OS appliance and performance
- Trigger regular OS updates to ensure latest security protection patches & upgrades are applied
- Implement sophisticated malware protection system
Effectiveness of resolution
- Run log files to identify users that haven’t installed latest updates
- Simulate an emergency and test emergency contingency plan effectiveness e.g. fire drill
- Test system functionality and run performance reports to be aware of any deviations that could indicate an upcoming malfunctioning
- Keep inventory of hardware and users assigned to as well as life time of hardware devices
- Install intrusion detection systems
- Password policy in place
- Install VPN systems, encrypt Wi-Fi and general hospital traffic and use firewall technology where needed.
Continuous improvement
- Vary inspections
- Simulate different scenarios of emergency and try to increase response time
- Constantly compare malware protection options available to ensure you have the best one
All three categories have an impact on the overall success of the IMS EHR system. Effectiveness results in cost reduction, better health care and patient satisfaction as well as a sophisticated IT infrastructure and expert resources.
Summary
If risks are properly managed, the EHR offers immense opportunities to digitalize and improve the Irish national healthcare system in a sustainable way. The scale of the project is a concern and a huge challenge for Solution Architects and IT as well as for HSE management and key stakeholders, but even if challenges occur, improvement on the current decentralized system will be achieved.
References
2) https://www.hse.ie/eng/about/who/
3) Samani, Raj (2016) Health Warning Report, https://www.mcafee.com/enterprise/en-us/assets/reports/rp-health-warning.pdf
4) http://www.ehealthireland.ie/Strategic-Programmes/Electronic-Health-Record-EHR-/
5) http://www.ehealthireland.ie/Knowledge-Information-Plan/eHealth-Strategy-for-Ireland.pdf
6) Carroll, Aine and Corbridge, Richard (2015) National Health Record – Vision and Direction.
http://www.ehealthireland.ie/Library/Document-Library/EHR-Vision-and-Direction.pdf
8) https://www.imt.ie/news/e412-million-it-spend-due-by-2022-14-12-2016/
9) https://www.hse.ie/eng/services/publications/pp/ict/access-control-policy.pdf
10) https://www.dataprotection.ie/en
11) eHealth Action Plan 2012-2020: Innovative Healthcare for the 21st Century. European Commission 2012, Com (2012)
Carroll, Áine and Corbridge, Richard, (2016), National Electronic Health Record – Strategic Business Needs
1) Caselet-1-Risk-Identification_res_Eng_0415
2) Caselet-2-Risk-Assessment_res_Eng_0415
3) Caselet-3-Risk-Response-and-Mitigation_res_Eng_0415
4) Caselet-4-Risk-and-Control-Monitoring-and-Reporting_res_Eng_0415
Appendixes
a) E-Health org structure
Figure 4 – (Carroll & Corbridge 2015)