3 Information security risks in healthcare
3.5 Specific healthcare information security issues
3.5.3 Issues with availability
Availability of information relates to the information being accessible when needed.
Healthcare staff need to access a patient’s record to provide their care. Furthermore, patients require access to their records to check on their details. This availability of personal information is regulated through security mechanisms in the technology, procedures, policy, responsibilities and ownership of the information.
A much-discussed topic to ensure information availability in healthcare is electronic patient records (EPR). EPRs allow for easy accessibility and use. Healthcare staff no longer have to search for their own or a colleague’s file or clipboard with notes. The patient record is available in real time, independent of the physical location of the nurse, physician or patient. The Internet makes it possible to connect databases to each other, so that a doctor in one organisation can view a patient’s record from another hospital.
In theory, the organisation and security of electronic records should be easier and better to control than paper records. In reality, security breaches of personal data are in the daily news, feeding anxiety and calling into question the advantages of electronic records over paper-based records. The way that records are now accessed, processed, copied, stored and sent to other organisations is not always understandable for users and patients.
Monitoring devices, online services and electronic communication between facilities may all hold locally stored patient data and leave data vulnerable to unauthorised access or interception during transmission. With so many stakeholders involved in the care, it is important that health records are complete and readily accessible, while at the same time access needs to be limited and controlled.
In the late 1990s, it was estimated that on average 17 people had legitimate access to a patient’s record in managed care, including each member on a patient’s treatment team, insurance administrators, utilization reviewers and clerks (Munson, 1996 in Rock & Congress, 1999). Nowadays, the number of staff with the possibility to access medical records has grown exponentially. Illustrative is the case of Richard Hammond, a well-known television personality in the UK. He was admitted to the hospital in 2006 after suffering a serious head injury during filming for his television show. It was calculated that around 300 medical staff accessed his medical records via the internal computer system in the 24 hours following his crash, rather than the 20 or so that would be expected for a patient in intensive care (King, 2008). Another estimate is that 100,000 non-medical staff in NHS trusts could have access to confidential patient records (Asley, 2010). This accessibility has serious consequences for the patient’s trust in healthcare.
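The gap between 300 actual and roughly 20 expected accessors is the kind of signal an access audit log can surface. The following is an added example, not part of the original text: it computes the peak number of distinct staff opening each record within any 24-hour window and flags records well above a baseline. The log layout, identifiers and the `factor` multiplier are assumptions; the baseline of 20 is taken from the figure quoted above, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed audit entries (timestamp, staff_id, patient_id); not real data."""
    t0 = datetime(2024, 1, 1, 8, 0)
    log = []
    for i in range(300):   # P-001: 300 distinct staff within 20 hours
        log.append((t0 + timedelta(minutes=4 * i), f"staff-{i:03d}", "P-001"))
    for i in range(18):    # P-002: 18 ICU staff, five accesses each
        for k in range(5):
            log.append((t0 + timedelta(hours=4 * k, minutes=i), f"icu-{i:02d}", "P-002"))
    for i in range(30):    # P-003: 30 staff, one access every 2 hours over 2.5 days
        log.append((t0 + timedelta(hours=2 * i), f"ward-{i:02d}", "P-003"))
    return log

def peak_distinct_accessors(log, window=timedelta(hours=24)):
    """Return {patient_id: largest number of distinct staff in any window}."""
    by_patient = defaultdict(list)
    for ts, staff, patient in sorted(log):
        by_patient[patient].append((ts, staff))
    peaks = {}
    for patient, events in by_patient.items():
        in_window = defaultdict(int)  # staff_id -> accesses inside the window
        left = peak = 0
        for ts, staff in events:
            in_window[staff] += 1
            # Evict accesses that are a full window or more older than ts.
            while events[left][0] <= ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        peaks[patient] = peak
    return peaks

def flag_excessive_access(log, baseline=20, factor=2):
    """Flag records whose peak exceeds baseline * factor (both are assumptions)."""
    return {p: n for p, n in peak_distinct_accessors(log).items()
            if n > baseline * factor}

if __name__ == "__main__":
    for patient, n in flag_excessive_access(build_sample_log()).items():
        print(f"{patient}: {n} distinct staff within 24 hours, review access")
```

Counting distinct staff rather than raw accesses keeps a busy but legitimate care team (P-002) below the threshold, and the sliding window keeps a long admission (P-003) from accumulating into a false alert.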
There appears to be a close relationship between availability and confidentiality. Many researchers in different countries found that patients are optimistic about the benefits that electronic records can provide to the healthcare system, but there is fear of the potential for confidentiality violations (Smit, McAllister, & Slonim, 2005). Some examples are:
- A survey by the Kaiser Foundation found that while 72% of respondents believed the electronic records were more efficient, nearly half also felt that paper records were more secure (Conn, 2007).
- In New Zealand researchers found that 73.3% of the participants in a survey were highly concerned about the security and privacy of their health records (Chhanabhai & Holt, 2007), but they see the advantages that electronic records can bring.
- A nationwide project in the U.S. on electronic health information exchange reports that many of the states raised the issue of trust as critical, specifically in the way it affects the potential adoption and viability of electronic health information exchange. Consumer concerns tended to focus on privacy risks from the implementation of new technologies and the potential for unauthorized disclosures of sensitive information to payers and employers (Dimitropoulos, 2007).
- Participants in a research study in Canada were asked about their attitudes toward privacy and health research and trust in different institutions to keep information confidential. Trust was highest for data institutes, university researchers, hospitals, and disease foundations (78% to 80%). Personal controls – such as consent and the ability to audit who has accessed one's information – were among the most commonly cited approaches that improved people's confidence in the responsible use of their information for research. Third-party controls – e.g. research ethics boards, privacy officers, privacy commissioners, and panels of affected individuals – were nominated less often. The researchers also noted, regardless of consent regime, the high level of concern that was voiced over what happens to one's personal information once it is released to researchers (Willison et al., 2007).
Researchers found that patients are keen to have access to their records and to share accountability for the contents (Delbanco et al., 2012; Leveille et al., 2012; Ralston et al., 2007; Walker et al., 2011), but in many countries this is not facilitated. For instance in the UK, patients could be charged up to £50 to gain access to their record (NHS, 2013) and they need to apply through the courts if they want to have information erased.
In current society, characterised by individualism, self-determination and patient empowerment, this situation is becoming frustrating. The Department of Health aims to build partnerships between health and care professionals and patients that share decision-making. The owners of the data are the service users and patients and they should be able to access the relevant information about their condition and health, and to access their personal records online (Department of Health, 2012).
Ownership of health and care data is related to information policy. The data is created by an interaction between a health or care provider and a patient or user. There is some legal ground to recognize a co-ownership of the data that is the result of this interaction.
The data would not exist without the patient, and would not exist without the involvement of the professional. Should other parties, such as insurance companies, get involved, then they too have a reasonable claim to ownership of that portion of the information that is generated by their involvement (Haislmaier, 2006). Information policy should provide the framework to decide on (shared) ownership rights and norms.
Without such a framework, the information technology sector will continue to spend money on technological artefacts to maintain security, without really knowing why and where to implement these.
While most healthcare facilities today use at least some computer technology to manage patient records, the reality is that healthcare is in transition and paper records are still prevalent at many locations. The U.S. Department of Health and Human Services Administration (HRSA) (2011) sums up some of the availability and access issues with paper records. They are issues such as: gaining access to record storage areas; finding records left on counters, exam rooms or copy machines; receiving misdirected fax copies; and other similar events. Inappropriate access can be accidental or intentional.
Since access to paper records implies physical access, securing against inappropriate access is accomplished by segregating records into separate locked storage areas; restricting physical access to storage areas; recording sign in and sign out procedures; and maintaining records handling training and other similar procedures.
A second aspect related to availability of information is the performance and availability of the underlying ICT infrastructure. If this infrastructure becomes unavailable or does not work properly, the information is not accessible. This infrastructure, including the information systems and databases, needs to be controlled and maintained to stay available.
The resilience of the infrastructure to disasters and the continuity of care when information systems become unavailable are key to healthcare. Fires, floods or other environmental disasters that damage physical locations can result in the complete loss of both paper and electronic medical records. Electronic records can degrade catastrophically: tapes break, a bearing breaks on a piece of hardware, optical media is scratched. Such failures can happen at any time without warning. Depending on the type of storage and the amount of damage, it may be impossible to recover the affected data.
Healthcare infrastructure needs to be available all the time. It is considered a critical infrastructure: an essential asset that needs to be available for the functioning of society.
Critical infrastructures are vulnerable because they are highly dependent on networked information systems. On top of that they are interdependent: should one infrastructure (such as the electricity network) fail because of an accident, a natural event, or an intentional act, it could bring down other infrastructures as well. Healthcare has a dual relationship with other critical infrastructures. If healthcare infrastructure fails, it could lead to the loss of medical knowledge, the inability to control outbreaks of diseases, and loss of life. The other way around, in the case of a national disaster, one of the challenges is to prevent the extension of the surrounding chaos into the medical facility.
At the same time, the use of technology in an unstable and unpredictable environment, such as after a disaster, creates specific requirements for health networks and hardware.
For instance, Levy et al. (2010) describe how after the earthquake in Haiti, a field hospital managed to operate an electronic hospital administration system as well as a complete electronic medical record. This was achieved by using a dual-network infrastructure, both wireless and wired; using laptop computers with battery power; using interconnected generators; and using application software that was specifically designed to enable continuity of work during communication loss with the main server.
Critical infrastructures seem to be under constant cyber attack all over the world (Baker et al., 2010). The attacks that are occurring include massive denial of service attacks, stealthy efforts to penetrate networks undetected, and malware infections. The aims of the attacks vary from shutting down services or operations to theft of services and data or extortion attempts. Critical infrastructures are also vulnerable to non-intentional information security risks, as illustrated by the destruction of a water-driven electrical generator at Russia's Sayano-Shushenskaya dam in 2009 that was caused by a computer operator remotely starting the generator while one of the dam's turbines was being serviced.
Information security literature explores the security of critical infrastructures such as communication, water and electricity supplies (Ericsson, 2010; Farrell et al., 2004; Sterbenz et al., 2010), but healthcare resilience appears to be less often researched and applied. The 2007 World Health Organisation global assessment found that less than 50% of national health sectors had a specified budget for emergency preparedness and response (World Health Organization, 2008).
The American Medical Informatics Association’s health policy conference supports the vision that system failures and other undesirable outcomes are in the nature of healthcare systems and unavoidable. They state that the “threats could affect the stability of the overall healthcare system” (p. 461) and “disruptions in care and security challenges […] could result in the loss of public trust, a loss that may extend beyond the government to healthcare institutions and even providers” (p. 462) (McGowan et al., 2012). The conference members suggest specific actions to maintain the healthcare infrastructure and to prepare for contingency. These actions include the identification of the risks in new technology; the sharing of information about system performance; policies to promote interoperability to support system resilience and emergency response; and new approaches to predict system failures.
A final risk is the risk of technology becoming obsolete. Retrieval and use of paper records is not affected by technological changes. Even where paper records are stored on film or microfiche, the expected technology life cycle is sufficiently long to avoid obsolescence concerns. Electronic records depend upon computing technologies that have notoriously short lifecycles. This means that during the life of an average medical record, the computing technologies will have undergone multiple generational changes.
With each technology generation, previous technologies lose market value and manufacturers cease production. This means that the technology upon which the EHR system depends will become unsustainable as replacement parts become unavailable and operating systems and database platforms lose vendor support.
A third requirement for modern healthcare is the availability of medical knowledge through patient information portals and social media. The accessibility of knowledge about conditions might help to improve self-care and patient empowerment.
Unavailability of information can have direct consequences for the quality of healthcare in a society.
The Internet has given patients greater access to medical knowledge, which is causing a change in the relationship between doctors and patients. Cullen already identified this trend in 1998 (Cullen, 1998). Patients are nowadays empowered by access to their medical records and access to medical knowledge in general and, as a consequence, are able to discuss their treatment options without accepting that “the doctor knows best”. Mair (2011) states that the traditional paternalistic approach of doctors no longer fits today’s society, but society is still struggling with issues such as ownership and censorship of patient records.
Medical information is becoming available for a wider public through social media.
Patients use forums to discuss and share problems, and offer their own reviews and opinions. The use of social media in healthcare is generally seen as the tool to empower patients and to improve quality of care through better communication (Hawn, 2009). A systematic review of 98 original research studies on social media in healthcare found that although there are many benefits, some limitations exist as well. One of the limitations is the need to:
address regulatory and security issues to broach a way forward for best-practice that allows the benefits of social media to be utilized yet still protects patients’ privacy and to therefore improve use of these media in routine clinical care. This is a public policy issue and is already being contested in the United States (Moorhead et al., 2013 p. 10).
Batchelor et al. (2012) researched legal frameworks governing the use of social media by people with dementia. In our aging society, people are increasingly being involved in e-health technologies, enabling users to avoid or postpone moving to care homes. The decision-making ability of ageing people is often diminished or compromised as a result of dementia or age-related changes. These people have a lesser ability to give informed consent to contracts or user agreements, or to understand digital footprints and evidence of online activity and connections. The researchers found that many issues that come from a loss of competence have been addressed in existing regulations, such as managing their finances and property or powers of attorney, but the applicability to online environments is not straightforward and the issues have not been considered together in this context. The ethical and legal responsibilities and duties of care of technology providers, healthcare professionals, regulatory bodies and policymakers “need sustained transdisciplinary research” (p. 101). The questions about the legal framework concern not only vulnerable people but all users of social media.
Issues with information availability resonate in sociological discussions about inequalities between patients in terms of access to, use of, or knowledge of information technology and the Internet. Patients who do not have the skills or means to access information about their condition or about healthcare services are perceived to be disadvantaged in demanding the best possible care and in actively participating in medical decisions. Most health information is available through the Internet; however, the Internet is not equally accessible, with less educated, economically disadvantaged and socially marginalized persons being least likely to access it (Kalichman et al., 2002; Neter & Brainin, 2012).