As the digital world expands to encompass many areas of our day-to-day lives, so do apprehensions over the safety and privacy of personal information.

However, these apprehensions aren’t limited to Yahoo! email or Walmart breaches; misgivings about security and privacy vulnerabilities are infiltrating the healthcare community as well. For instance, a detailed meta-analysis of 25 studies that explored the use of Electronic Healthcare Records (EHRs) and related Health Information Technology (HIT) by healthcare practitioners found that privacy and safety concerns were second only to cost.

Despite these concerns, EHRs are highly beneficial, and encourage a more seamless exchange of information across a digital healthcare infrastructure. In short, EHRs will not be disappearing anytime soon, so how do we alleviate these concerns?

It is increasingly understood that the software vendor community plays a key role in addressing and improving information privacy and safety, as EHR application software is a potential cause of vulnerabilities. As such, it is important for vendors to develop innovative processes for managing application risks and vulnerabilities. In addition, organizations and vendors must work together to address vulnerabilities at all levels.

Laying the Groundwork for Managing Safety and Privacy Risks

Over the past five years, new key privacy requirements and challenges have emerged rapidly. Prominent among them are fine-grained consent policies, the capacity to transfer personal health information to the cloud, and increasing consumer requests for control of their health record data. As digital processes become increasingly complex and the potential for software defects to have unexpected impacts is amplified, there is a need to further strengthen privacy capabilities.

First and foremost, the healthcare community must increase its understanding of potential threats and address them proactively. This can be done by identifying software and solution defects, tracking them to root cause and remediating appropriately.

Healthcare organizations must develop their own rigorous processes for detecting, confirming and addressing possible safety-related defects in their solutions. These processes should also be adapted to address privacy vulnerabilities, and both should be measured against guidelines developed by healthcare industry authorities, such as Canada’s Health Informatics Association (COACH) e-Safety Guidelines.

Self-assessment of internal processes is another effective method to strengthen data privacy and safety capabilities. For example, at Orion Health, internal assessments determined that the company was once at level 3 based on COACH’s e-Safety Guidelines. To move from level 3 “structured” to level 4 “managed and measured”, Orion Health developed a classification model from the ground up which successfully detected and addressed safety and privacy issues in advance of live use by clinicians and patients. This is just one example of how organizations can further protect information privacy and safety by undergoing cycles of internal evaluation and improvement of existing models.

The Future of Risk Management 

As we head into a future with a high volume of information being exchanged, managing privacy and safety concerns will be critical for success. Healthcare decision makers and practitioners can achieve this by sharing the challenges they have encountered in safety and privacy. Software vendors can also benefit the community by sharing their best practices and experience in addressing unique safety and privacy concerns at the software level.

Striking the right balance between privacy and safety also requires the sensitive handling of both priorities and in-depth discussions with clinical governance teams and patients. Understanding the nature and categories of potential safety and privacy issues that arise from integrated environments can improve the quality of healthcare solutions, and make such solutions more deserving of trust by clinicians.

COACH has been leading e-Safety for the last few years in Canada with the development of the COACH Guidelines, the launching of a national e-Safety Summit, and the strong efforts of jurisdictional working groups led by many COACH members. Vendors and the Information Technology Association of Canada (ITAC) have been involved as partners from the beginning in trialing the guidelines, and indeed, play a strong role in ensuring the continued evolution of leading practice in this area.

COACH will continue the e-Safety drive by sponsoring an open, volunteer community of action aimed at increasing our in-depth understanding of managing safety risks by working with key experts and stakeholders across Canada later in 2017. Stay tuned!

The original articles can be found in the February 2017 issue of Healthcare Information Management and Communications Canada magazine.