“Public health informatics is the systematic application of information, computer science, and technology to public health practice, research, and learning.” — Public Health Informatics: Improving and Transforming Public Health in the Information Age
Public health informatics is the efficient application of information and computer science, as well as technology towards public health practice. Additionally, the areas of public health research and continuous knowledge accumulation and transfer are also closely affected. IT Security and IT Operations efforts, if carried out properly, can absolutely have a positive impact on public health informatics. To help illustrate this, the following sections will expound on how both IT Security and IT Operations applies to the aforementioned areas pertaining to public health informatics, and how both IT fields benefit each area with a few examples.
The span of the public health informatics branch is very far reaching. However, to simplify matters a bit, public health informatics for this particular blog will be generalized into three main areas of focus. The three public health informatics areas will be public health practice, research, and knowledge. The first area, public health practice, refers to the application of established public health knowledge and expertise to the administration of public health services, with the goal of bettering and advancing population health. Usually at the helm of such undertakings are public health authorities, such as the Centers for Disease Control and Prevention (CDC). These authorities have the responsibilities of collecting and analyzing health sample population data to then apply it to the whole, locally, or nationwide. While collecting data, that same data needs to maintain high levels of confidentiality and integrity, which are two pillars of IT Security. To do so, thoroughly vetted data controls need to be in place. Controls that answer questions like: Where did this data come from? Were the suppliers of data aware that their data was being collected? Was the data securely transferred, and therefore not manipulated? Who has access to this data within the governing body? What controls are in place to prevent unwanted access or manipulation of the data? IT Operations on the other hand can take on a more reactive role, such as in the Gervera article (2015). Gervera informs of a developed diabetes telehealth screening tool, that as the article describes, was iteratively supported by IT Operations (and Development). If a tool such as this one is developed by a party, such as the CDC, they would surely also employ the services of a well-equipped IT Operations team to help maintain it. For example, if changes needed to be made to the tool, or if troubleshooting efforts with Care Coordinators (CCs) or patients were needed, then IT Operations would be the team to help support those efforts.
The second area, public health research, refers to investigative projects with goals of generating generalizable information in order to better public health practice. This resulting information will always have the end goal of bettering public health. Meaning that although a particular study will include a subset, or sample of a population, the benefits realized should aim to be applied at the population or societal level. One way that IT Security intersects with public health research is how data gathered from research is stored or accessed by individuals taking part in a study. For example, if a research study is being conducted in double-blind manner, meaning that neither the participant or the administrator of a certain intervention know whether a placebo or the actual intervention (such as an experimental drug) is being administered, then proper access to that information must be safeguarded. What is common in trial settings of this nature is to use barcodes to differentiate which participant and administrator is handling what treatment, whether that be the experimental or control. So, in order to safeguard whom has access to that information, proper access controls need to be set in place. Although, there will generally be clearly defined roles that will likely not have the administrator of treatments handling the back-end data, it is possible that they will have access to certain portions of the system. So, ensuring that these individuals are not able to take a glimpse at the treatment data (as this could compromise the validity of the whole trial) by segmenting access to certain parts of the data capturing system is still best practice. Additionally, because we are an increasingly more digital world, it is also likely that data being captured from public health research is being stored on drives and not on paper. Therefore, it is essential to leverage IT Operations efforts and expertise for this. The role of the Operations team in this setting would entail matters such as managing the servers in which data, systems, or applications used are up and running during trials. If the systems or applications being used to capture research study data is down, then data capture might also be stalled or will have to be reverted to paper-based efforts in the meantime. Either of these two outcomes are less than desirable, as they will only prolong the study or cause unnecessary errors in the process. Instead, it is imperative to have an Operations team that will ensure that systems remain operational, that data is being captured and that data servers are working accordingly, and finally that appropriate maintenance is conducted that will not impact the public health research being conducted.
The final area, public health knowledge and the collection and dissemination of it, closely parallels that of research. However, the main distinction here is that the data has already been collected, conclusions have been made, and ideally models, guidelines or informatics products have been established and are ready for practice. In this instance, the use of informatics tools such as a Health Information Exchange (HIE), to transfer patient data that has already been collected via established tools or following approved guidelines is a perfect example. With the introduction of such technology, the topics of appropriate security controls once again reappears. More or less the same questions apply here. This time, however, there is more emphasis on data transfer. For example, IT Security would ensure that the data being transferred is not manipulated. That those sending and receiving said data are who they say they are, whether that be internal or external parties. Similarly, proper vetting of HIE participants. A final example would be to provision or installation of proper security mechanisms to help detect any unwanted malware resulting from information being shared through the HIE. IT Operations again would have a similar role to that of supporting public health research efforts. Primarily, that would entail the maintenance of the vital systems used for knowledge capture and transfer. That can include but is not limited to proper server/resource utilization, upgrades, or patches. Additionally, they could also be tasked with maintaining a practice wide internal repository of knowledge articles. Not necessarily a database, per se, but a more user-friendly system that allows clinicians of all technical skill levels to partake in.
When it comes with dealing with large data sets, it is more common that the providers or clinicians in health care settings won’t be necessarily getting their “hands dirty” with the maintenance, cleaning, or storing of such large amounts of data. Instead, that work is dished out to IT departments to handle. After all, they have much more pressing matters to attend to, such as patients and their health concerns. Instead, IT Operations teams commonly deal with the storing and maintenance of the systems that will ultimately deal with holding such large data repositories. Commonly, they take care of the many facets of specialized database servers that will assist in maintain said data. Again, that can include monthly upgrades or patches to the servers or database management systems (DBMS). From previous experience working in IT Security, it was a dual-team effort in maintaining said database servers. The security team would be tasked with discovering which data servers were at risk (or “vulnerable) due to outdated versions or in need of vulnerability patches, and these findings would be conveyed to the IT Operations team to assist in the upgrade work. Although both areas do not primarily work with large data sets, they surely do help support data analysts or clinicians that need access to that data by ensuring its availability, integrity, and confidentiality.
How Telehealth Relates to IT Security and IT Operations, and Possible Applications
Telehealth is the use of telecommunication technologies to deliver healthcare remotely. Such technologies were on full display these past two years with a great part of the US workforce having to work remotely due to the COVID-19 pandemic. Technologies used were those such as Remote Desktops, Video Conferencing with Microsoft Teams or Zoom, or instant messaging applications to name just a few. Similar technologies exist in the healthcare industry today. As mentioned earlier, Gervera illustrated a diabetes management tool based primarily on telehealth technologies. This tool had a positive real-world impact towards diabetes care and management amongst the veterans that participated. However, in order to achieve positive results with telehealth technologies, the technologies first have to be properly developed, installed, and managed. That’s were IT Operations comes in. This IT discipline is known for being a “Swiss-army” knife, in the sense that they tend to be tasked with all sorts of initiatives (sometimes overbearingly so). So, it would make sense that during installation of any hardware or software, they might be tapped to help with doing so. In some industries it is common for tech-related support even visit parties that are not able to make the trek to where the technology is at. I envision that this might also be a sound idea if for example, it is inconvenient for a patient to lug healthcare equipment to their house or need assistance for hardware or software installation for telehealth use. If in-person assistance is not available, other telecommunication means could also be leverages, such as voice or video. So, that leads to a potential application of telehealth technologies in relation to IT Operations. That is the additional technological support of telehealth technologies (or otherwise) by leveraging existing telehealth technologies. This can apply to internal stakeholders, such as CCs, providers, nurses or externally facing parties like patients or healthcare consultants.
IT Security methods and expertise can also be leveraged in conjunction with telehealth. If a particular healthcare setting has a secure, private network achieved through encryption over the internet, or a VPN, then IT Security would most likely be needed to ensure it is properly set up and functioning as intended. This would include proper access to the network by internal or externally approved individuals, approvals of allowed sites, etc. As described by Blass, it is commonplace for telehealth technology to connect through VPN, since many services cannot use cellular or Wi-Fi capabilities (2020). Additionally, Blass also raises the point that HIPAA compliance tends to be a challenge for telehealth implementation. With the help of IT Security best practices, information that is captured, stored, and transmitted via telehealth means would be more likely to be HIPAA compliant.
Information in IT Security and IT Operations, Requirements, and a Potential Solution
A vital information need in both the IT Security and IT Operations areas are data points that lead to issue resolution. Both areas make heavy use of machine generated data to assist during troubleshooting or explorative situations. For example, when a server is down, IT Operations would tap into the server’s machine generated log output and comb through that data to try and pinpoint the root cause of the server’s failure. Another example would be similar machine generated logs from a server exhibiting abnormal behavior. A server that generally is used for data analysis, such as running Tableau for data manipulation, is suddenly attempting to log into file directories that it does not have access to. Well, the log data would show case that, and security tools would be able to detect that behavior as abnormal. Subsequently, analysts would then be alerted and would launch an investigation as to what could be causing the abnormal behavior. That is just one method of identifying malicious software running amuck in a network or system. So, both IT areas make heavy use of machine generated data. The same commonplace occurrences could be applied to healthcare settings. Instead of user PCs, perhaps a hospital network or database server is the producers of log data.
To define what information is required exactly, a proper inventory of all computer systems would need to be taken. It is safe to assume that most of the technology at any setting can produce log data for troubleshooting and exploration, and that same data should be collected. Additionally, it is just best practice to keep a comprehensive inventory of all technology deployed, specially if it is in-use or connected to any part of the network. This would also ensure that this same technology would receive any important updates or patches (if applicable). Without those, these end up being perfect vectors for external malicious threats to enter the environment. After properly inventorying all technology being utilized at a healthcare setting, identifying which technology benefits from log data collection would be the next logical step. Normally any technology that can produce log data would be a candidate. However, if resources are limited (such as computing power or funding) which is regularly the case, then only critical and high-important systems should be selected for log production and subsequent consumption. Systems that produce or house business critical data or data that if not readily available would cost the organization greatly (due to regulatory or financial losses), would be prime candidates. Afterwards necessary configuration steps would need to be performed for log information to be captured, such as installing forwarders to relay log data and set up an environment to capture said data. There are many commercial “data platforms” that make this process simpler. One that I am particularly familiar with is Splunk. After configuration (facilitated by a proper asset inventory described prior) a platform like Splunk would then be ready for the parsing of log data produced by the machines in the environment. For example, if hospital firewalls were configured to produce logs and those logs were captured, then a data platform would allow analysts to explore the produced data. Going back to the intrusion example, if there were suspicious activity occurring in a segmented part of the network and the firewall had detected the activity and produced logs, then querying through the data platform would make the investigative efforts far less complicated. This is in part because machine-generated data is generally not human-friendly, or in other words not easy to read by humans.
So, once a data platform is leveraged, by being properly configured to the identified assets (both systems and hardware), what is left is to evaluate whether the solution is producing the desired information. If there are some kinks that need to be worked out, such as reconfiguration of tools, or additional asset discovery, then both IT Security and IT Operations teams can work in conjunction to make that happen. A common way to determine whether such a tool is working properly, is to simply evaluate the data being produced. If the data is still not user friendly, then reconfiguration could be the answer. Alternatively, if data is missing then additional steps should be taken to ensure that the proper connections have been established. An iterative approach would be best suited for this kind of endeavor. This is because technology is always in need of upgrades, and it is constantly changing. New technology enters and leaves the environment constantly. So, a toolset like a data platform for log data analysis, if managed properly, would be enormously beneficial to any organization, but it would require constant evaluation and fine-tuning.
Meaningful Use and IT Security and IT Operations
Meaningful Use as it pertains to Health Informatics is the usage criteria that healthcare providers must adhere to with their certified Electronic Health Record (EHR) to also receive incentive payments. There are three main usage requirements stages that must be achieved. To some extent the challenges that both IT Security and IT Operations seek to manage can also translate to Meaningful Use in healthcare, particularly in achieving that status.
Meaningful Use can be achieved through the use of a certified EHR, which in turn can only be achieved by meeting certain requirements. These requirements, or criteria, are split into several specialized sections, as described by Braunstein (2014). One of those areas that leads to EHR certification is the “privacy, security, and trust domain”. Per Braunstein, this domain has various criteria of its own. Some are:
- Access Control
- Emergency Access
- Automatic Log-off
- Audit Log
- Integrity
- Authentication
- General Encryption
These criteria are essentially a one-for-one with common IT Security best practice controls. Logs (audit logs in this case) and having a trail of them for compliance purposes was something previously touched on. Authentication, in terms of two-factor or the use of passwords is yet another IT Security control. So, although IT Security is not directly related by definition to Meaningful Use, it would be considered a very close relative. Without these common security controls described in the criteria for achieving a certified EHR, then Meaningful Use could not be achieved. Furthermore, during what is known as Stage 1 of achieving Meaningful Use, the “mandatory core measures” that are used for evaluation can be divided into a category noted as “Privacy and security”, per Braunstein. Again, IT Security works hand-in-hand with Meaningful Use, although at times not specifically stated.
Additionally, a certified EHR would need to be constantly up and operational, with little to no downtime if at all possible. That is because without this “constantly operational” status, there could be missed opportunities for it to provide what Meaningful Use required of it, such as allowing access to patient data for various uses, or even capturing data at the point of care. So, it goes without saying that the constant challenge that IT Operations is faced with, that is to keep systems and applications up and running, translates seamlessly to certified EHRs and achieving Meaningful Use.
The Federal Health IT Strategic Plan and IT Security and IT Operations
The Federal Health IT Strategic Plan is federally created plan with the central goal of guiding national health information technology initiatives. Subgoals are outcomes driven. The goals for the 2015-2020 Plan include the following: expanding the adoption of health information technology, the advancement of secure and interoperable health information, the strengthening of health care delivery, the advancement of health and well-being of individuals and their communities, and finally the advancement of research, scientific knowledge, and innovation. It is evident that this plan is robust and constantly looking to improve. This can be seen by the subgoals being redeveloped from the previous Plan’s. For example, this can be seen by the newest set of subgoals from the 2020-2025 Plan, which include ensuring the use of health information technology empowers providers and patients alike, lowers the cost of healthcare, care is delivered in a high-quality fashion, and improving health for individuals, their families, and communities. This almost completely new set of goals keeps up with the new challenges faced in the healthcare information technology landscape, while also keeping the original mission in mind, that being the betterment of healthcare for the individual and their communities.
The Federal Health IT Strategic Plan relies on both IT areas of Security and Operations to succeed. In the Plan both area’s common responsibilities are referenced throughout as supporting agreed upon objectives or being key parts of recommended strategies. The following are examples of how IT Security challenges are reflected by the Plan, and how they relate.
The Plan states that in order for the general population or health IT user to confide in Health IT, a certain level of trust must be attained. This can be done so by IT Security measures and best practices being continuously enacted to ensure that the health IT solutions used are secure, safe, and confidential. To achieve this goal, the Plan itself highlights a core principle that directly relates to IT Security. This principle is that it is expected that non-federal organizations “Build a culture of electronic health information access and use” which through “actions will help establish an environment where secure universal health information exchange and use are expected and accepted so that everyone benefits…” (Page 7). So, the plan makes a direct call to the proper setup of information access, which should also be secure. A pillar of IT Security. It also calls for a secure universal HIE, which can also be achieved through IT Security methods. These ideas are further explored in the “Share” goal, which has the most IT Security related objectives. To summarize the objectives, the field of IT Security is being called upon to ensure that different healthcare IT stakeholders (patients, providers, etc.) can securely exchange electronic health information. This can be achieved via the securing of HIEs and the use of Direct messaging technologies, for example. Another objective is to approach the management of technological standards with a security management mindset, which ultimately results in secure and interoperable health information being used. A final objective highlighted in the Plan is the outright protection of health information privacy and security.
A strategy that the Plan recommends for achieving health information security as it pertains specifically to health information exchange, is the establishment of guidelines and governance mechanisms directly affecting standards, data policies, and operations that will enable secure and interoperable functions across various types of entities and networks. All while keeping safeguards and optimal levels of access in place. Additionally, the Plan also recommends that general standardization across organizations be the norm, for example during implementation efforts. Efforts to drive information integrity include ideas such as the standardization of data, such as terminology and vocabulary used across health IT. In addition to secure policy creation, the development and promotion of security best-practice and education that ultimately aim at protecting health information from being breached, lost, or corrupted are highly recommended. Cybersecurity threats and risks can also be addressed by similar means, one effective method being regularly administered user education. The Plan also references the effects that HIPAA has on covered and non-covered entities, either way stating that proper standards should keep the regulations set forth by it in mind when enforcing privacy and security of health information/IT. Finally, the Plan calls upon the requirement of tests that would certify health IT in incorporating privacy and security safeguards, again to attain a proper and robust security posture that multiple stakeholders can feel confident in.
Although IT Operations challenges are not referenced nearly as much as those pertaining to IT Security, they are in my opinion indirectly called on. As mentioned previously, IT Operations is the backbone of a lot of IT processes. This would not be much different in a health information setting. In the Plan, a strategy that does showcase the importance of IT Operations in the grand scheme of things is how it helps ensure health IT and telecommunications infrastructure is not only secure, but resilient. Recalling that resiliency is vital for health IT systems and applications, staying operational during times where the public needs health information the most, such as during health emergencies or disasters is imperative. Without IT Operations supporting these efforts, downtimes would be catastrophic during disasters.
Works Cited
Centers for Disease Control and Prevention. (2018, November 15). Introduction to public health informatics|public health 101 series|cdc. Centers for Disease Control and Prevention. Retrieved October 19, 2021, from https://www.cdc.gov/training/publichealth101/informatics.html.
Centers for Disease Control and Prevention (CDC). (1999). Guidelines for Defining Public Health Research and public … Retrieved October 19, 2021, from https://www.cdc.gov/os/integrity/docs/defining-public-health-research-non-research-1999.pdf.
Public Health NgPublic Health Nigeria an Interdisciplinary public health movement focused on health education. (2017, August 24). Definition and concepts of public health practice. Public Health. Retrieved October 19, 2021, from https://www.publichealth.com.ng/public-health-practice/#:~:text=Publichealthpracticecanbedefinedasthe,improvingandpromotingthehealthofthepopulation.
Gervera, K., & Graves, B. A. (2015). Integrating Diabetes Guidelines into a Telehealth Screening Tool. Perspectives in Health Information Management, 12(Summer), 1f.
Blass G., & Garrin P. Journal Of AHIMA. (2021, January 14). HIM’s role in evaluating and securing Telehealth Solutions. Retrieved October 19, 2021, from https://journal.ahima.org/hims-role-in-evaluating-and-securing-telehealth-solutions/.
Golder, D. (2020, January 30). 2020-2025 federal health IT strategic plan: What you need to know. Retrieved October 19, 2021, from https://www.impact-advisors.com/regulatory/federal-health-it-strategic-plan/2020-2025-federal-health-it-strategic-plan-what-you-need-to-know/#:~:text=TheStrategicPlanisintendedtoguidefederal,families%2Candcommunities.PlanGoalsCObjectivesandStrategies.