Contemporary Issues and Challenges Facing Consumer Health Informatics

Both consumers and patients are aware of the benefits that can be realized by health IT. The ultimate goals that are expected to be achieved using advanced health informatics methods and tools are an increase in effectiveness and quality of care (while also reducing costs as an added benefit). Even though the introduction of health IT into healthcare is largely envisioned to procure a net positive result, the negatives that also come along with it must also be taken into consideration. One of the main concerns that health IT introduces revolves around what generally occurs with collected patient data. From how it is stored to with whom it is shared, the areas of data privacy, security, integrity, and trust are often cited by studies showing to be key concerns amongst patients. As a now decade old California Health Foundation (CHF) study found, roughly 68 percent of respondents indicated that the security of their data was a concern (California Health Foundation 2010). With the advancement of technology and the wider reach of information and news about security breaches, it is safe to assume that this same figure will only continue to grow. In fact, a 2018 survey concluded that 83 percent of internet users polled in the United States indicated being “increasingly concerned about their online privacy”. The total worldwide percentage of the same category reflected a 74 percent as being concerned (internet users from the nations that were polled) (Statista, 2018). So, it seems that both consumer and patient perspectives regarding health IT (and IT in general) is that they welcome the added benefits and the advancements that will result, however there is an underlying concern about how these will be realized – especially if their data is somehow looped into these endeavors.

The same mindset would translate over to the patient’s families or caregivers. Those that are in some way related or connected to a patient should be concerned with the type of information that is collected about the patient. For example, if a patient is cared for by a caregiver, and that person’s private information is also tied to the patient, then any unauthorized disclosures of the patient’s information could also end up disclosing the lateral information belonging to the caregiver. The same could be said about a family, such as the home and billing addresses of a patient. In combination with other information, some serious cases of fraud could follow with this type of unauthorized information disclosure.

Overall, all consumers and patients, including those adjacent to patient’s (such as families or caregivers) should rightfully be concerned with how their data is collected, stored, and used. Given that they are direct (and sometimes indirect) stakeholders regarding their own data, user requirements solicitation should be conducted from these same data producing individuals. Unfortunately, instances of hacking and unauthorized data disclosures will continue to continue occur. After all, technology for all its greatness, is also flawed. No one single security control, safeguard or method applied to technology is foolproof. There is always a vulnerability that can be exploited. So, given this critical flaw, it is only a matter of time until the next breach occurs. So, this in combination with humans being rather leery of technology already, only heightens the larger problem of trust. The broader and more public these disclosures or breaches are, the less confident and trusting the general public will be in the technology that interacts with their personal data. One effective means of gaining patient trust, is the idea of patient Data Segmentation. As Braunstein describes it, Data Segmentation is the “specification by the owner of the data as to what data can be shared and who can see that data” (2014, p. 84). This technique gives patients concerned about their data some piece of mind due to it granting the data management reigns over to the owner, in this case the patient. This allows them to decide what exactly occurs with their data once they have decided to hand it over to a healthcare system. Of course, there are different forms of Data Segmentation, and these will vary from setting to setting, but the idea of self-management of data is generally the same. So, this technique could be argued to be a form of user requirements solicitation, or at the very least a decently good method of gaining their trust and a form of user involvement to keep them engaged in applicable informatics tools and methods.

Knowledge and decision-making regarding healthcare can be largely improved through the adaption of technology and thorough and widespread use of data. One such instance discussed in a previous blog post is the use of heath information exchanges (HIE) and their increasing adoption and use throughout the United States. This technology has opened the door for clinical knowledge obtained in one part of the country to be shared with another provider located across the country. The data shared through this network has also begun to be leveraged for advancing clinical decisions. For example, data exchanged through HIEs can be used for research purposes which in turn yield advancements in medicine. The same could be said about other consumer and patient facing technologies, data, and information. One area in particular is the area of self-service healthcare technologies and information. Within this area exists easily accessible web resources, such as health web sites, research paper repositories and databases, self-diagnosis tools, etc. As technology and its reach advances and grows, so does this plentiful area of self-service resources – resources that are rich in credible information that are literally at the fingertips of millions of regular users, patients, and their families. These resources can serve to better equip the general public about healthcare and their own health. In essence, drastically increasing their health literacy in topics ranging from general health concerns (such as healthy exercise routines) to specialized matters about their chronic health condition(s). These sources are jam-packed with information that can easily be accessed and leveraged by regular consumers. The benefit of this would be the increased autonomy that these consumers of information and users of informatics tools would gain. That being an increase in their abilities to be better equipped to deal with health concerns, make informed decisions about their health, and ask the right questions the next time they visit their doctor(s).

One contemporary issue that has not been addressed in this post (to some extent) as it relates to health IT and IT Security and Operations topics, is that of ensuring quality and access to both health information and care. Both focus areas of this blog (IT Security and IT Operations), when properly implemented and managed, can help facilitate these two areas of concern. Already previously touched upon in a prior post, both IT areas have the capabilities, knowledge, tools, and methodologies to enable the proper access of both health and healthcare knowledge, whether that is from a security perspective (as in providing the correct parties with proper access to data or the technology/tools needed to do their jobs) or building and maintaining the IT infrastructure necessary for different parties to interact with healthcare systems. One example being patient-facing web portals where they can access their personal health records (PHR). Without the proper access, an administrator of the portal would not be able to add new patient entries into the system. Without the proper IT Operations team supporting said system, if say, the system was suddenly down, then providers would be forced to fallback to paper operations until something was done to bring the system back “online”. This is where we see some overlap with the idea of quality, as well. Both areas, that of quality and access, overlap quite a bit, from an IT perspective. Without proper access and the infrastructure to support it, quality of either the systems, any data or information residing in those systems, or even the product (in this case healthcare) would see a drastic decline. Alternatively, without quality infrastructure, methods, tools, and resources to support said areas, there could be major setbacks in operations that would cut access to systems, information, and even care.

Finally, when practitioners are tasked with recommending web resources and technologies (whether new or current), they need to keep in mind the previously mentioned lack of trust in technology and security related issues that plague technology (vulnerabilities). This is an area where practitioners would benefit from being well-versed in IT Security. Besides methodologies such as Data Segmentation, a well-versed practitioners would be able to assure or even explain to patients how their health-related data is used and secured. This can be achieved by perhaps citing the security controls in place at the healthcare setting and those applied to the systems handling patient data, without getting too technical of course. Providing this type of information and clarity would (hopefully) appear genuine, thorough, and trustworthy to a general consumer or patient. The same line of logic can be and should be applied when recommending web resources and technologies to the patient. Not a particularly big proponent of scarring people about cybersecurity concerns (because this can have negative effects) but highlighting the dangers of not practicing safe online behavior is sometimes necessary. Furthermore, this would include how to properly access and discern which are reputable resources on the web. This is something that is absolutely key. Not only will this keep patients safe online, but it will provide reliable and credible information for the patients to digest. Again, the same can be said about technology. Educating patients about the real dangers of vulnerabilities, and how no single piece of technology is 100 percent adverse to exploits is essential. However, with many things in life, there are risks and benefits. The use of technology produces benefits, but also come at a risk. A risk of potential data disclosures, for example. That is why a practitioner would stand to benefit from knowing how to reassure their patients that they recognize the risks of collecting and using their health data, but that they are keeping up with industry standards and employing the best tools and methodologies available to keep their information as private as they desire.

Current Technologies used by IT Security and IT Operations to Support Health Consumers

There are vast numbers of technologies that both areas of IT Security and IT Operations use to support general healthcare consumers. If all the different kinds of supportive tools or even the type of technologies were to be listed out and explained in this blog, then this final post would quickly turn into a novel. To generalize, these technologies tend to operate behind the scenes and, as is commonplace of IT technologies, they support and advance whatever the line of business or task-at-hand is. To simplify things in this post, two technologies that are commonly used for support activities in both areas of IT Security and IT Operations will be highlighted. These two types of technologies are normally known to be supportive tools for their respective areas (and in turn provide support to patients or their care providers). They are Directory Services and Technical Management Support software. Both of these technologies are used and leveraged by both IT areas. In fact, during my time working in both IT Security and IT Operations in the financial industry, I made heavy use of both types of technologies concurrently while working in both areas. The Directory Services tool I am most familiar with is Active Directory (AD). AD is a directory service created by Microsoft for Windows environments, specifically domain networks. Per Paessler, it is a “distributed, hierarchical database structure that shares infrastructure information for locating, securing, managing, and organizing computer and network resources” (Paessler.com). This includes individual users and user groups, devices connecting to a network, and even files. It allows for the authentication and authorization of all these potential entity groups within a secured network environment. So, without getting any more technical, this is a service that has an interface where members of either IT Security or IT Operations can conduct some daily operations. IT Security could be tasked with defining user groups, such as admins or nurse practitioners. Then, within AD capabilities, they could assign prefabricated permissions, or in other words what they have access to within the network. This could be certain servers, file directories, etc. This same technology is what enables the addition of new users (employees such as nurses or providers) to the environment and allow for seamless access to network resources. On the other end of things, IT Operations could be tasked with building the file directories mentioned previously, and upload the name and details onto AD. From there other IT teams could engineer the finishing touches and start to grant permissions.

The second technology type is Technical Management Support software. One in particular that I am familiar with is named ServiceNow. ServiceNow is a software as a service (SaaS) platform for Technical Management Support solutions. The whole platform can range from one service (or type of module) to a package containing several or all. The best non-technical way of describing ServiceNow is as an all-things IT support and management hub. At its core, it is a rather robust platform that is also compatible with various other applications, plugins, and third-party tool offerings. The core ServiceNow services are IT services management (ITSM), IT operations management (ITOM), and IT business management (ITBM). All three specializations allow users to manage projects, teams, and even external customer communications. As a matter of fact, DePaul University’s IT department (as of the time of publishing this blog) leverages this same platform for general IT use. Once on the platform, common actions such as getting IT assistance, requesting service offerings or technology, and accessing published training or knowledge materials are all possible for students and staff. The same offerings existed at my previous financial services employer. They also leveraged the ServiceNow platform for general IT use. So, this only further illustrates that it is a widely adopted, universal and customizable platform for general IT use. Additionally, personally having a deeper insight into IT Security and IT Operations processes and tasks, more complex and involved endeavors were tackled using the platform. One in particular was proper Asset Inventory Management. Asset inventory management involves the use of tools and processes to keep accurate and updated records of all hardware and software within an organization. This aspect of IT is essential. Without proper inventories of objects such as personal computers or intangibles such as the software installed on said PCs, then an organization can quickly lose sight of what they manage. This in turn can lead to negative outcomes such as monetary losses, back doors for breaches to occur, or duplicate efforts or expenditures of valuable resources (human hours), to name just a few. ServiceNow makes the management of organizational assets much simpler. Acting as a “source of truth”, ServiceNow can be the IT repository of all assets within an organization. The platform has the capabilities to act as a master database that houses the names of hardware or software, their attributes, such as who is the technical owner, and other important and relevant information such as the next scheduled date for installing updates or security patches (i.e., in the case of a PC). It is also a cloud platform with modern communication technologies, such as the use of APIs to gather information from assets or third parties and their respective plugins or software. So, given the wide array of use cases for Technical Management Support platforms such as ServiceNow, the healthcare industry could also stand to benefit from said software. The same use cases highlighted previously can be applied to healthcare settings requiring health IT. Whenever health IT is deployed, proper Asset Inventory Management must accompany it. For example, if all nurses received tablets for daily use, then those same tablets would need to be asset tagged and recorded for proper maintenance and tracking. Additionally, these platforms could also serve as the portal for healthcare employees to communicate with IT personnel. Requesting technical support regarding health IT, searching for “how-to” knowledge articles, or placing a formal request for a new technology to be acquired and implemented could all be accomplished in this one central location. Because a tool such as ServiceNow would ideally make the daily activities of providers interfacing with health IT less cumbersome, any time saved could be allotted towards patients. Putting in a support request would no longer require a provider to take the time to track IT support, for example. Instead, a support ticket could be created, and IT support would facilitate the fix without having to steal any additional time away from the provider. This is time that could be spent providing better and focused patient care.

One particular set of technologies that are not yet widely used by either IT Security or IT Operations is the merging of novel concepts and technologies pertaining to Big Data and Data Modeling and Simulation with current IT solutions in their respective areas. At this moment in time these two newer IT topics are being heavily explored mostly by the “big tech” companies, such as Google, Facebook IBM, etc. The infant nature of these concepts and technologies, has been the primary barrier to adoption, especially in smaller or less technologically advanced settings. This is because of the substantial initial investment for a pilot program to be researched, planned, and implemented for either of these topics. So, it is understandable and somewhat expected that many smaller settings without the latest and greatest IT solutions will not be jumping at the first instance of potentially adopting such technologies or methods. Surely a clinical setting would recognize the benefits from leveraging all their collected data by using novel data mining techniques and even putting said data through developed simulations, but the previously mentioned barriers to entry would still be expected to prevent them from being early adopters, at least at the smaller healthcare settings. This is not to say that smaller clinical settings would be completely left out of any advancements or knowledge gained from the use of Big Data techniques or advanced statistical modeling, because ideally even smaller settings are currently setting up the necessary health network infrastructure (such as HIEs) to be able to receive this shared newfound information from the larger, pioneering healthcare organizations. Because the traditional teams of IT Security and IT Operations reside within an organization’s IT workforce, their abilities to make use of Big Data technologies or Data Modeling and Simulation methods are usually solely dependent on the strategic visions of IT management. Thus, if neither of these areas are on any IT roadmap, then it is very unlikely that any number of resources would be allotted towards them. However, as technology evolves, vendors are finding new ways of implementing the latest technological innovations into their IT solution offerings. A previously mentioned set of tools, one being Splunk and the other Tableau, are findings innovative ways to introduce the topics of Big Data and Data Modeling and Simulation into their packaged IT Solutions.

Legal and Regulatory Considerations for Health Informatics Tech in IT Security and IT Operations

From experience, working in a highly regulated industry meant that almost all technologies, data, and operations were extensively safeguarded and scrutinized. The extra precautions were not taken to create artificial barriers or to just plainly irritate IT personnel (although inevitably always managed to), but to adhere to strict laws and regulations targeted at protecting some of the most precious and coveted personal information – personally identifiable information (PII). In the healthcare industry this information takes on a slightly different name, but the significance is still the same, personal health information (PHI) is highly regulated and protected by federal, state, and even local laws. This information, if inappropriately disclosed, can cost organizations substantial amounts of money in fines, lawsuits, and lost credibility. So, for the most part, IT in general is well-aware that one of their main goals is to protect this information at all costs.

According to HealthIT.gov, the main federal law (and the most often cited) in healthcare that protects health information is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Health IT, specifically the technology supported by and worked on by IT Security (and IT Operations) personnel is what drives the necessary levels of adherence to privacy and security that is required by HIPAA. Because of laws like HIPAA, PHI can remain private and secure, giving patients, providers, and families peace of mind that their information is safe within the healthcare system(s). This law requires the strict adherence to security policies and safeguards (controls) to accomplish this. Additionally, whenever there is a federal law or regulation in place, audits are taken very seriously. External auditors (at least in the financial industry) make regular visits to audit and ensure adherence to these strict laws and regulations. If organizations are not compliant, then change is sure to ensue, otherwise risk fines if they have not already been dished out.

Vision for the Future of Data, Information, and Technology in IT Security and IT Operations Supporting Health Informatics

With technology and innovation always moving at a rapid pace, it is sometimes hard to envision what the future holds in terms of IT innovation. I do not think that IT professionals before me envisioned this level of innovation to skyrocket a couple of decades ago. However, the main blueprints for the next 5-10 years of advances in IT have been somewhat drawn out already. As mentioned previously, in certain areas of IT Security and IT Operations, surely an emphasis on adoption of novel technologies and methods of Big Data and Data Mining and Simulation will occur, along with merging them with current technology that supports daily operations in both areas. For example, currently not widely used, are data mining techniques that dig through security breach data and help an organization build predictive models detailing how a certain attacker attempts to gain network access – such as their preferred method of infiltration, time of day, and any other patterns or clues that were not easily identified with the less trained human eye.

Additionally, during this past decade there has been a sizable boom in cloud infrastructure, services, and technologies. It is safe to assume that this movement will only continue to mature, and any stragglers who have not made the move to cloud technologies will do so (if it is beneficial for their business model). At some point in time, the benefits will outweigh the costs of cloud technologies, further prompting widespread adoption. With this of course, brings the need for IT Security and IT Operations professionals that are well versed in cloud technologies. These professionals will be consulted as subject matter experts in their respective areas to properly implement the technologies across different settings and industries. Given that this movement has been ongoing for some time now, challenges and roadblocks have been for the most part figured out. This is not to say that implementation cannot be challenging (or even costly), but instead it is much easier to implement cloud technology today than it was a few years ago given the breadth of information and experts in the field nowadays.

The advent of quantum computing and its commercial or widespread adoption is also not too far off. “Big Tech” companies such as Google have already hinted at working quantum computers and are now shifting towards the commercialization of their quantum machines down the road. With these new and exponentially more powerful machines, organizations of all types and sizes will have additional computational power at their fingertips. Granted they can afford the novel and very likely expensive hardware. Although with the advent of cloud technologies, these same quantum machines could be “rented” for use, bringing costs down for organizations substantially. Score another one for cloud technologies! This new quantum computing power will hold the promise of unlocking further micro and macro advancements in the field of technology, that being at the local organizational level and in society as a whole. For example, whereas computationally heavy simulations might not be possible with most of the hardware existing in clinical health settings, quantum computing will allow for simulations to run with ease. Additionally, these same processing power could be leveraged when transacting data and information across HIEs. Perhaps the results and findings from those previously mentioned simulations.

A personal favorite advancement in the world of technology, specifically in IT development, is the formation of the methodology known as DevSecOps. DevSecOps is a method that combines all three IT areas of Development, Security, and Operations during the development of products, applications, or systems. Being a Security and Operations minded individual, both areas have traditionally been left out of the requirements gathering, development, and testing phases of new systems. With this newer methodology, both areas are started to be looped into the development process from the very start. This is accomplished by having Security and Operations minded individuals sit in on developmental committees and efforts, providing their expertise throughout. This ensures that developers and the organization as a whole puts Security and Operations (the eventual maintenance team of the system) at the forefront, listening to any of their concerns and input. This in turn makes both IT Security and IT Operations not an afterthought, but continued contributors and active stakeholders of the product. Ultimately, this also ends up savings substantial amounts of resources in terms of human hours and money. At the time of writing this blog, DevSecOps is already widely used, so it is not necessarily a novel idea. However, with many methodologies, it is also giving way to similar or enhanced methodologies that will surely be the future of development in the next decade.

As with most new IT initiatives, getting user and organizational buy-in tends to be a difficult task. Using Data Mining as an example, it is not a technology that is widely used, yet. Be it because it is expensive to do so, or the benefits do not currently outweigh the costs for a certain organization. Some organizations or users are still not making the jump to adoption, for whatever the reason(s) may be. There will always be reluctancy or hesitation to adopt new technology, for a plethora of reasons. As was the case with HIE adoption in the United States, it was not until the government signed laws that would require providers to implement the new technologies into their practice. Similarly, if the healthcare industry ever wishes to catch up to (or at the very least just slightly lag) the tech industry, there will need to be a further environmental and governmental actions prompting healthcare settings to adopt new technologies and to innovate. Whether that includes new laws or financial incentives like those provided for achieving Meaningful Use of HIEs. It is clear, that if left up to health care providers alone, many would elect to stay with the way things are, and perhaps still rely on outdated methods such as paper record keeping.

Social, Political, and Economic Factors Influencing Change and the Role of Data and Technology in IT Security and IT Operations

Currently there are social, political, and economic changes brewing that have the potential to directly affect both areas of IT Security and IT Operations and how they interact with health informatics. For example, although not a new idea by any means, a push for universal health care has always surfaced in United States political discourse. Although many would argue this system would be a longshot from where the current United States healthcare system stands, there is a growing base and push for increased social safety nets that take some ideas from universal healthcare. As a result, healthcare, and the technologies it relies on would most likely also have to change to meet these new and drastic changes to how patients receive care. For example, as illustrated by Professor Enid Montague during lecture, receiving healthcare overseas was streamlined. From entering the clinic to billing, the process ran like clockwork without much need for patient interaction (and headaches might I add). The same is not the case here in the United States. I personally have had to call insurance companies regarding payments that were not received by health providers and have had to fill out new patient forms at the same doctor in back-to-back visits. To achieve a seamless and universal (or something very close) drastic changes or an overhaul of health informatics systems would also need to occur. Renewed and robust healthcare and governmental portals with appropriate access for patient use is one example that comes to mind. After all, an influx of new patients, providers, and insurers would surely follow when transforming to a more universal healthcare system. Unfortunately, I am of the belief that the hole that the United States healthcare system is currently in might be just a tad too deep to be able to get back out of. However, that may just be my pessimistic side showing itself again regarding the Unites States healthcare system.

Individuals are also becoming more empowered to take ownership of their own health and take matters into their own hands. This societal push from patients would hypothetically drive the need for engaging and quality self-service health applications and systems. A classic example of such is what private companies such as Apple are doing with their wearable health technology. They have commercialized their patented Apple Watches to include a range of health-related applications and tools so that any user can manage their health without having to visit a doctor. These health tools help users get a decent overall picture of their health. The same would need to occur on a grander level, like from different companies to promote competition (and thus further innovation) and perhaps from the federal government. Government sponsored tools would open the doors for those who cannot easily afford an expensive $500 dollar smartwatch to track their health data. So, perhaps the government could set aside funding to help develop open-source applications that can be used for free by the general public. After all, population health is a main concern of the government. It would be wise for the United States government to facilitate such undertakings and prompt their numerous health organizations to become major players in the mobile health space, as this has proven to be a very hot area of self-service regarding patient health. Of course, this would necessitate the need for IT Security and IT Operations methods and knowledge to be deployed. If a free-to-use application were to be developed by the CDC for example, they would need to ensure that proper security controls have been put in place to make the application safe, secure, and private. Keeping in mind that information housed in and being processed by the application is PHI.

Finally, with wealth inequalities ever expanding between the country’s top earners and lower and middle classes, health, and the access to it has started to take a spotlight as another benefit quickly eroding because of said inequality. More people find themselves not being able to afford a simple visit to the hospital. Instead of facing a bill for thousands of dollars, some uninsured individuals would rather not deal with a condition and remain untreated facing any consequences that may follow. Meanwhile, the ultra-wealthy have access to an abundance of health options, that I am sure, include too many for them to even know what to do with. Like the push for universal healthcare this economic challenge would necessitate action from the United States government to pick up some slack. Therefore, this challenge has the same implications of health informatics as the first political challenge, in the sense that once something is done from the government’s end to combat these inequalities, it is likely that more patients will have the resources to finally receive better (assuming they received any beforehand) healthcare. This in turn will drive an influx of patients receiving more care and could potentially start an increased strain on existing healthcare systems. IT Operations team would need to be looped in to help plan for and respond to situations like these, as this could necessitate additional servers being build or spun up in a cloud infrastructure. That is just one particular problem and solution, but many additional things could go wrong after system-wide changes occur, especially to legacy healthcare systems.

Course Concept Map: How it Was Developed, How to Read, and What is Included 

Final additions and corrections were made to my Health Informatics and IT Security and IT Operations Challenges Concept Map. Below you will find a copy of said map. The vision for this concept map was to try to encompass as many health informatics topics as possible into the map, but only if they were applicable to either IT Security or IT Operations challenges and/or the common sub-groups that support both IT areas in most organizations. So, the best way to make sense of this map is to work your way from the inside out, starting at the center and observing the first few seafoam green pills. These are the Health Informatics and IT Security and IT Operations challenges grouped into broad sets based on shared characteristics. Some of these issues or challenges are Communications, Heath IT Management, Data, and so forth. Next, these “challenge” pills can then be traced to a few different kinds of pills; either the corresponding IT sub-groups that would provide support for these challenges being either IT Security (light blue), IT Operations (light green), or running directly to either IT Security or IT Operations topics when no one group in either IT Security or IT Operations makes sense. One thing to note is that the color scheme for the pills is meant to translate across all pills, serving as somewhat of a legend. As mentioned previously, light blue colored pills indicate IT Security groups or topics, light green is used for IT Operations groups or topics, orange for Health Informatics topics, and in some instances, a combination of colors signifying an overlapping in areas, such as light blue- and orange-colored pills. Finally, the line types and thickness serve to aid the viewer with the layers presented, again starting from the center. The lines begin thicker in size – connecting the center to the main “challenge” pills. Then, they become dotted between “challenge” pills and supporting IT sub-group pills and finally, finely dotted lines connecting the rest of the topics.

This map mirrors my thought process approaching the various readings, assignments, and discussions accomplished for this course. As Health Informatics topics were being introduced and explained, we were asked to think about our chosen focus area and draw connections back to it. So, to aid in this process, I would recall back to my time on both of IT Security and IT Operations teams at my previous employer and recall instances that matched what was being introduced that week. Often, there were connections to be made, and challenges to equate. After all, Health Informatics and IT tend to go hand-in-hand. For example, when regulatory concerns were discussed, I immediately recalled my time on the Cybersecurity team. There I was tasked with assisting with reporting on the status of security control compliance. This line of work would be directly requested from the regulatory bodies that would oversee us. So, when topics such as HIPAA, laws, and compliance came up, there was an instant connection of how IT Security would be able to provide support in this regard. When I could not draw upon personal work experiences, I was relied on outside research on subareas or topics that would relate to the Health Informatics topic being discussed. For example, I personally did not have much experience within Identity and Access Management, but I was able to discern a few key sub-topics that would be applicable to learned Health Informatics topics and challenges. One being “Encryption” and how the use of it helps with patients concerned with their privacy.

To not over-burden the viewer with too many topics and their relations back to Health Informatics and IT Security and Operations challenges, there were some topics that had to be cut. However, there was some reasoning behind these choices. For example, the topics of Big Data and Data Models and Simulations were not included in the concept map. This was because, in my eyes, these two specific areas do not really relate to either IT Security or IT Operations, but something more along the lines of Data Analytics. As mentioned previously, Health Informatics and IT overlap quite a bit, however, to not overburden or draw connections where no real additional value can be obtained from them i.e., IT Operations just providing additional technical support for Simulation systems, these were left out or lumped into other concepts. In this case, if a connection were to be made between IT Operations and Informatics Simulation technologies, then that connection would most likely reside in the “Health IT Management” pill. The rest of the Health Informatics topics that were not included followed that same logic – that if a unique relationship could not be drawn and would be more or less a generic “Health IT Management” issue then it was left out. Some additional notable omissions include other data analysis concepts such as visualizations, specific topics surrounding population health (population health is included but nothing granular beyond that), and topics surrounding the United States healthcare system (such as federal policies and initiatives). I do recognize that this map is quite a busy, and can be a bit confusing at times i.e., overlapping lines. However, to some degree this depicts that same overlap that was mentioned to exist between the topics of Health Informatics and IT Security and IT Operations. The truth is that all three areas work alongside quite a lot. Additionally, I am of the belief that both IT areas, along with others, constantly work in the background to serve as the IT bedrock for which Health Informatics can properly operate and thrive.

Final Notes: Top 3 Biggest Learning Points Over the Course of the Semester? How Will Informatics Influence My Career Goals upon Completion of Program?

Some of my biggest learning points from this semester were the ones that were eye-opening, for one reason or another. The first of the bunch was the state of the United States healthcare system as it is today. I was quite disappointed to hear of the system’s shortcomings. As touched upon previously, the more I observed the system in action and learned about it, I was also able to witness the same deficiencies. The truth of the matter is that not everyone in this country will have access to the equal, effective, and quality care – and that’s a tough pill to swallow. I had historically dismissed it myself, as just having run into sub-par clinics. But learning about the system and discussing it with friends and family, slowly started to open my eyes to the same problems that were described during Week 1. I agree with Braunstein, that the main (although not the only) culprit is the pay-per-service healthcare model that currently exists. But not everything is bleak. Although a somewhat broken system, the United States healthcare system presents itself as an opportunity. An opportunity to rebuild, but this time with the future in mind.

Additional learning points that were of particular interest were all the robust and well-thought-out informatics tools and solutions used today, and those that are being formulated for future use. A few that come to mind are HIEs, the Direct messaging technology, and new and highly promising ones such as data mining techniques and data models and simulations. These last two in particular are especially interesting given that they are now regularly being used for the advancement of innovative approaches to combat illnesses that even to this day would be considered terminal for so many patients. Braunstein, highlights how advanced statistical methods and predictive modeling are being leveraged in combating cancer. He describes how these two techniques give way to personalized medicine and how “cancer is arguably the best target disease for personalizing medicine”. That in of itself is extremely hopeful for all of medicine. We are truly in a period of time where the power of data can be harnessed and so much good can come about from its effective use.

The last learning point is how much work there is still left to be done. As previously mentioned, the United States healthcare system needs some serious patch work. Of course, that is easier said than done. Additionally, all the sub-areas of Health Informatics require further support. For example, the area of Population Health is in need of some serious assistance after this once in a century pandemic. Population trust in healthcare has drastically decreased, and there needs to work done to regain patient trust. Although some would argue it to be a pipe dream, building out the ultimate and widely adopted HIE has yet to be accomplished. So is the widespread adoption of electronic health records (EHR) and attaining Meaningful Use across the nation. Also, more efficient healthcare delivery systems need to be developed. Said systems need to keep in mind Human Factors, and clinician workflows so that the most optimal care can be delivered to patients. There is always more technically involved work towards modeling, such as creating decision-support tools. The field of Health Informatics is still growing and evolving, and there is still a lot to be accomplished to advance healthcare systems and increase the effectiveness, quality, and equality of care for all.

The topics that I have learned in this Informatics course has opened my eyes to the endless possibilities that exist post the completion of my degree. The knowledge that I am sure to gain will position me to well-informed about the many sub-areas that together comprise Health Informatics. I personally plan on leveraging my higher education thus far, along with prior work experiences in the tech industry to be able to be a contributing factor towards the advancement of health informatics. As I progress though my degree program, I definitely foresee learning a lot more about where else contributions can be made and where my specific set of skills can best be utilized.

 

Works Cited

 

Feldman, S., & Richter, F. (2018, December 12). Infographic: Where are people concerned about online privacy? Statista Infographics. Retrieved November 15, 2021, from https://www.statista.com/chart/16400/internet-online-privacy/.

California Health Foundation. 2010. New National Survey Finds Personal Health Records Motivate Consumers to Improve Their Health. http://www.chcf.org/media/press-releases/2010/new-national-survey-finds-personal-health-records-motivate-consumers-to-improve-their-health.

Braunstein, M. L. (2014). Chapter 4 Privacy, Security, and Trust. In Contemporary Health Informatics (pp. 84–87). essay, AHIMA Press.

Braunstein, M. L. (2014). Chapter 10 Big Data Meets Healthcare. In Contemporary Health Informatics (pp. 228–232). essay, AHIMA Press.

Fitzgibbons, L. (2020, April 22). What is ServiceNow and what does it do? SearchITOperations. Retrieved November 16, 2021, from https://searchitoperations.techtarget.com/definition/ServiceNow#:~:text=ServiceNowisacloud-basedcompanythatprovidessoftware,interactionsviaavarietyofappsandplugins.

Paessler. (n.d.). Active directory. IT Explained: Active Directory. Retrieved November 16, 2021, from https://www.paessler.com/it-explained/active-directory.

HealthIT.gov. (2019, September 19). Privacy, security, and HIPAA. Privacy, Security, and HIPAA. Retrieved November 16, 2021, from https://www.healthit.gov/topic/privacy-security-and-hipaa.

 

Web Resources

https://www.statista.com/chart/16400/internet-online-privacy/

https://www.healthit.gov/topic/privacy-security-and-hipaa

https://www.paessler.com/it-explained/active-directory

 

Workflow and IT Security and IT Operations and Considerations Regarding Informatics Solutions 

Workflow in the context of healthcare can be defined as procedural work steps that are carried out by providers or other clinical staff to conduct routine patient care, clinical operations, observe regulatory constraints, and run other related business processes. If any of these common undertakings require health IT in any way, then it is very likely that either (or both) IT Security and IT Operations would be looped into these matters. To illustrate this, if a clinic required a simple database server, a couple of user PCs, and the appropriate installation of operating systems (OS), applications and other systems onto those machines, then an IT Operations professional or group would be best suited to conduct those implementations. That is not to say that current clinical staff is not capable of conducting said tasks, but it is more likely that they will not have the necessary time or resources to manage the initial deployment themselves. Subsequently, it is also imperative that these new systems and machines are well secured on the network that they are connected to, to ensure the safekeeping of any patient data and other sensitive information. Since, any unintended disclosure of said data, would most likely lead to regulatory penalties. So, if the same IT Operational staff is knowledgeable enough regarding security best-practices, they themselves could establish the necessary security controls. Otherwise, IT Security experts might need to be utilized.

Thus, from the very beginning, that is the setup of various health IT tools and systems, it is very likely that both IT Security and IT Operations would need to be involved in some capacity. Furthermore, it would be absolutely necessary for experts in both of these areas to elicit user knowledge and requirements from their stakeholders. This in turn gives way to a user-centered design. In this case, said stakeholders or users would be the clinical staff utilizing health IT. IT professionals tend to develop or implement solutions that they are the most comfortable with, or with the mindset that all implementations need to be standardized across the board. In some instances that may be the case but ensuring that stakeholders are looped into the process from start to finish ensures that the ultimate end-users of the technology are well equipped to adopt the technology and use it as effectively as possible. An example of this would be setting up the firewall configurations at a small clinic. IT Security best-practice tends to dictate a “pin-hole” approach when it comes to allowing network users to access external resources, specially those out in the world wide web. Meaning, that access tends to be set up in a least-privilege possible approach for users. For example, with this type of approach, a receptionist would most likely not be able to access social media sites from a PC connected to the clinic network. It is not likely that it was set up to prevent browsing social media during workhours, but instead to prevent the disclosure if important data or information through social media sites. An example would be an uploaded picture of a patient paper file that was included in the background of a selfie. So instead, what IT Security professionals recommend, is to allow certain categories of or (ideally) individual sites to certain individuals on an as-needed basis. So, for illustrative purposes, a brand-new medical references database has been released. Currently implemented firewall rules might pick up on the fact that this new site falls under a category along the lines of “Health and Medicine”. If such a firewall exists that allows for sites under this general category, then no further rules might be needed to allow traffic to the new database resource. However, if only certain clinicians should have access, or if the site is not currently categorized, then a brand-new firewall rule might need to be implemented by a network or IT security engineer. This is just one example of IT (and IT staff) contributing to a technology acceptance model for clinical health users.

Another technology with similar but slightly different implementation and configuration challenges to those of firewalls, are health information exchanges (HIE). In a similar fashion, while attempting to enhance the interoperability of a clinic’s electronic health record (EHR) with a new HIE, IT Operations would need to be involved. They would also need work with end-user stakeholders to ensure that the information or data being shared, such as forms, XML files, etc. are up to par with what staff use during their day-to-day operations and that systems work as intended post-deployment. Once again, the end goals of both IT Security and IT Operations are to secure data and maintain technology in an operational state, however a close secondary goal is to ensure that their supporting end-users can use health IT systems and tools efficiently and as intended.

Looping back to whom in clinical settings would stand to benefit from a user-centered design for workflows utilizing informatics solutions – that would be any user that intends to interact with said solution(s). A classic example of designing and implementing an IT technology to the benefit of IT Security and ease of use for end-users is Two-Factor Authentication (2FA). In the recent past, only passwords were required when users sought to gain access to potentially sensitive machines, systems, or data. However, with the advancement of computing power, hackers have leveraged said power to run complicated algorithms that can crack even some of the most complex of passwords (through multiple instances of trial and error). So, one solution that was born from this was the use of both physical and software tokens, a form of two-factor authentication. These tokens would be assigned to one and only one user and would display a constantly rotating string of random numbers or characters, that when used in conjunction with their login information would grant access. This in turn made guessing passwords exponentially more difficult for external threat actors. So, why bring up 2FA in a discussion of workflows for clinical staff? Well, if not already implemented, this is a potential solution that could positively benefit a healthcare setting. It would be best practice to assign tokens to all network accessing users. However, if hypothetically, only providers accessed sensitive platforms or data, then the development and implementation efforts for 2FA tokens would differ slightly in that only providers would be given physical fobs with tokens or made to download a secure authenticator application. This illustrates yet another important area of workflow observation – would providers feel more comfortable with physical tokens, or a smartphone application? Would those same tokens be required again when accessing even further sensitive applications or data once already logged in? A close analysis and requirements gathering would need to occur by the implementation team (most likely IT Security) to ensure that the new security control technology is adapted optimally for the intended users and their workflows.

 

 

 

 

 

 

 

 

 

 

 

AHRQ Health IT Tools on Workflow: Root Cause Analysis and its Use for Workflow Challenges in IT Security and IT Operations

Navigating through the Agency for Healthcare Research and Quality‘s (AHRQ) website on workflow tools for health IT, one will find that there are numerous tools that can be leveraged to gain a complete understanding of workflows in healthcare settings. Because the AHRQ has identified almost 100 tools, they have grouped them based on common characteristics, into “parent” categories. Some of these categories are Data Collection, Process Improvement, Process Mapping, Risk Assessment, Task Analysis, and Usability to name just a few.

One tool that stood out due to it being an all too familiar technique used during both my IT Security and IT Operations days, is Root Cause Analysis. This tool, found under the AHRQ’s Risk Assessment tools category is described as a “technique used to determine why a problem occurred” with the goal of identifying a problem’s origin by pinpointing the exact issue, why it occurred, and developing methods to prevent or drastically reducing the probability of the issue reoccurring in the future. To showcase this tool’s effectiveness in relation to IT Security, a common security concern will be examined through a Root Cause Analysis lens.

That common security concern is unwanted network intrusion or disturbance. To pick up again on the topics of networking and proper access, real-life, continuous issues that plague organizations that are front facing towards the web are those that include dealing with and fending off external threats. Two of those being threat actors attempting to gain access to safeguarded systems, applications, or data and the other fending off network disruptions. Said network disruptions are sometimes initiated by malicious threat actors, as well. A common means of doing so is what is known as a Distributed Denial of Service (DDoS) attack. This is a type of cyber attack that floods a network or machine with internet connection/traffic requests from various sources to overload the target. This in turn slows or renders the target incapacitated and thus cannot process any additional requests, be it legitimate or not. The main goal being to disrupt operations temporarily or indefinitely. These tend to be troublesome issues to deal with. So much that both areas of IT Security and IT Operations are sought out to assist during an attack. The common sequence of events begins with staff from both IT areas attempting to fend off the attack, while also trying to operationalize the machines, servers, or network being targeted. Ideally, if there are any existing backups, those would be spun up to handle the legitimate traffic in the meantime, but only after careful analysis that they would also not be affected by the attack. Concurrently (or perhaps after the attack is dealt with given resources constraints), other staff will start to work on a Root Cause Analysis. It is common that during a DoS attack, an organization will attempt to cut-off the malicious traffic. Although a rather difficult task, networking engineers might be able to pinpoint where the traffic is coming from via IP addresses and then limiting said traffic via firewall rules. Again, during an attack of this kind, many IP addresses will be used as attack vectors, so such an approach can prove to be rather complex. So, if the root of the issue can be discerned (and hopefully stopped), the next step in a Root Cause Analysis is to identify the reason for the DoS attack and then subsequently implement measures that will prevent it from reoccurring again. In this case, after the network and its traffic has been properly analyzed by both IT Security and IT Operations personnel, then patchwork can begin to occur. If for example a clinic’s externally facing web application was the target of such an attack, and it was found that the application was not behind a firewall protecting it from external traffic, then the next logical solution would be to place said application behind a web application firewall (WAF). Appropriate security controls would also be needed and configured to allow legitimate external and internal traffic to the web application.

Ultimately, if such an issue were to occur at a healthcare setting and the targeted system was a vital health system, then the clinical staff would be greatly affected. Perhaps to the point of not being able to provide care to patients. As Wiggill states, “IT professionals need to put on their detective hats to identify the source of the issue and solve it before the business and the patients experience any adverse impact” (2016). So, because DoS attacks are relatively common, a lesson learned from such an attack would elicit an investment into backup technologies as part of the workflow reevaluation. In essence, having a segmented network, a WAF, or backup servers and databases could be a part of the planning and re-design of the workflow that would be affected by a D/DoS attack. For instance, not allowing clinical staff to have access to certain parts of the network would prevent the same staff from accidentally leaking information of a potential network opening to attackers (although there really should not be one to begin with). Another workflow redesign could be developing user guidelines on how to switch over to backup technologies if another attack were to occur. Of course, the investment and workflow changes would come about from what was learned from one of the AHRQ’s workflow tools used during this technological debacle, that being the Root Cause Analysis.

 

Human Factors and IT Security and IT Operations – Challenging Areas Affecting Humans and Human Factors Based Solutions

A challenging and often tedious aspect of IT that users regularly deal with is login security. IT professionals are constantly suggesting that stronger passwords be used when creating an account or updating an existing password. I equate it to your parents making you eat your vegetables growing up. Sure, eating vegetables is a bummer, but they are good for you! The same can be said about complex passwords. It is not expected that users make passwords long and over-cumbersome, but it is also encouraged that users become more creative with their passwords and not just rely on old reliable “password123”. It is also very strongly encouraged to not reuse passwords, specially when logging into work or sensitive systems or applications, such as financial platforms. To be frank, that is quite a lot to ask of humans. I am a security driven individual, and often find myself being lazy and reusing the same password, or not adding extra non-alpha numeric characters. So, I can’t blame regular users of health IT for straying from best practice, when we as humans are wired to not think like computers and find numerous best suited and secure passwords, while remembering all of them. I have ran into some impressive individuals who can recite long strings of characters that do not make any sense, and claim those are passwords (now that I think about it, this is a quite foolish thing to do in a public setting). But, for those of us who have a particularly hard time remembering such lengthy strings of characters, there are tools that can be used to securely store passwords. These are often referred to as lockboxes, or programs that securely store passwords via encryption. Accessing the passwords usually requires the use of one master password and perhaps 2FA, as well. I would argue that at least a third of support calls that I dealt with while working at an IT Help Desk involved dealing with frustrated users that had forgotten their password(s). So, it is no surprise that technologists took aim at this user pain area and innovated a secure solution that could aid human performance and reduce frustrations with technology. This is an example of leveraging technology to reduce some of the mental strain resulting from technology from end-users so they can focus their own processing capabilities towards other matters.

A second IT Security related challenge that humans are historically substandard at, is successfully identifying instances of malicious phishing. Humans tend to be quite terrible at discerning cyber threats. Identifying phishing emails is one of those threat vectors. As someone who was tasked with creating phishing campaigns for user cybersecurity training and seeing the resulting metrics, I can confirm that you could always count on a sizable number of individuals falling for a simple phishing email. From entry level non-IT employees, to seasoned IT Security professionals, there were always a select few individuals clicking on suspicious links or opening malicious files. But this should not come as a huge surprise, as the human brain is wired to be curious, short-sighted, and overly trusting. In fact, there is a whole field of engineering that studies the psychological manipulation of individuals into performing actions that would grant unwanted access to confidential resources or information, or Social Engineering. Threat actors spent their livelihoods studying this field in order to take advantage of these human deficiencies. So how do we combat these threat actors, but also keep in mind human factors like those previously mentioned? We came up with an innovative way of leveraging certain aspects of the technology in place to help users make informed decisions before performing an action. An example of a decision support tool used was to code a simple HTML banner segment into all incoming email that would change in appearance based on the origin of the communication. If an email was external or come from a non-trusted source (that is a source not yet vetted and not necessarily malicious), then the banner atop of the email would be a yellow color with some warning text. This would draw the attention of the user and remind them of security best-practices when dealing with email communication from external sources. Alternatively, if an email was from a previously vetted and trusted source, a green banner would be displayed. Although a simple decision support tool, it proved to be quite effective, as clicks and redirection to external sites from suspicious email were down thereafter. Of course, this same tool and challenge is not exclusive to the financial industry. There are instances of phishing at DePaul university, and surely in the healthcare industry as well. Before leaving my previous employer, we saw a sizable upward trend in COVID-19 and work from home related phishing scams at both my organization and the technological landscape at large. The fact is that phishing remains a very popular and relatively easy vector for threat actors to launch attacks with. It preys on human vulnerabilities and has the capabilities to remain current with current events. In fact, phishing ranked 2^nd in a 2020 list of High-Risk Entry Points for Hackers in the Healthcare Industry, as reported by Wandera, a cloud security solutions firm. A staggering 56% of healthcare organizations had reported being affected by phishing attacks (SafetyDetectives).

 

Works Cited

 

Twilio. (n.d.). What is Two-factor authentication (2FA)? Authy. Retrieved November 2, 2021, from https://authy.com/what-is-2fa/.

Agency for Healthcare Research and Quality (AHRQ). (n.d.). Root cause analysis. Root Cause Analysis | AHRQ Digital Healthcare Research: Informing Improvement in Care Quality, Safety, and Efficiency. Retrieved November 2, 2021, from https://digital.ahrq.gov/health-it-tools-and-resources/evaluation-resources/workflow-assessment-health-it-toolkit/all-workflow-tools/root-cause-analysis.

Healthcare Innovation. (2016, August 26). Tips for investigating common workflow issues. StackPath. Retrieved November 2, 2021, from https://www.hcinnovationgroup.com/interoperability-hie/article/13007935/tips-for-investigating-common-workflow-issues.

Team, S. D. C., Author, A. the, SafetyDetectives Cybersecurity Team (2021, May 20). Healthcare Cybersecurity: The biggest stats & trends in 2021. SafetyDetectives. Retrieved November 2, 2021, from https://www.safetydetectives.com/blog/healthcare-cybersecurity-statistics/.

 

Web Resources

https://urlfiltering.paloaltonetworks.com/query/

https://digital.ahrq.gov/health-it-tools-and-resources/evaluation-resources/workflow-assessment-health-it-toolkit/all-workflow-tools

Relationship between EBP and Informatics: Clinical Guidelines

Evidence-based practice (EBP) can be defined as the application and translation of previous research discoveries to everyday patient care practices and clinical decision-making. More so nowadays, as technology advances and is widely being adopted, a clear relationship between EBP and Informatics can be observed. With the help of Informatics and the technologies and methods that come of it, the acquisition, processing, and analysis of a wide variety of healthcare data is made abundantly simpler. The same can be said regarding research data. Informatics methods and technologies can be leveraged for use on research data with an end goal of translating it and applying it in day-to-day clinical practice settings, and thus reaching a level of EBP.

The combination of these two ideas, EBP and Informatics, has been at times referred to as Evidence-based Health Informatics (EBHI). Rigby (2016) has defined this concept as “the conscientious, explicit, and judicious use of the current best evidence when making decision about the introduction and operation of IT in a given healthcare setting”. Rigby also goes on to make the point that EBHI must be an “ethical imperative” since there should be no changes in healthcare practice implementations unless these changes are proven to be safe, beneficial, and optimized to produce net benefits. This idea plays exactly into what broad Informatics does to support clinical activities or constructs, such as clinical guidelines.

Clinical guidelines are best-practice statements that have been systematically designed to provide direction for both clinician and patient decisions. These guidelines come in a variety of forms. From extremely detailed step-by-step guides to more stylistic graphical depictions, and even patient management algorithms, guidelines of all types are ultimately developed to assist the end user(s). An example of a clinical guideline can be seen in the graphical depiction below, which was gathered from the Journal of the National Comprehensive Cancer Network (JNCCN).

This graphical clinical guideline depicts just part of the process of breast cancer screening and diagnosis, showcasing some of the many paths taken when evaluating a patient during a breast cancer screening. It is safe to assume that to construct such a detailed clinical guideline, the use of current Informatics methods and tools were needed. Per the class reading by Horn (2015), it is showcased how a sophisticated and targeted study yields data and information on the best possible treatment of individuals with varying and unique characteristics stemming from instances of traumatic brain injury (TBI). An outcome from the study was a baseline admission FIM cognitive score for the use of analyzing best possible treatment combinations. Although probably just short of being called a formal clinical guideline, this and the other findings can surely serve as the groundwork for a guideline to-be.

The same can be said of other clinical guideline development. With the same or similar sophisticated statistical methods and tools, baseline knowledge that goes through several iterations and contributions becomes a robust guideline, like the breast cancer screening and diagnosis guideline published in the JNCCN that can be leveraged for clinical use.

Additionally, because of technologies and tools such as large data repositories (like databases), centralized or in the cloud, previous research can easily be queried and leveraged for any future clinical guideline creation. There is an abundance of data already collected on various topics. A quick and simple search tends to yield results. Results that can usually be easily exported for plug-and-play use in various Informatics tools. If there is a lack of data, then studies can be conducted and Informatics methods and tools (i.e., Data Mining) can also be leveraged to completely analyze the new data set(s), with the intent to further medical knowledge through new guideline creation and dissemination of findings.

Evaluation of clinical guidelines can come about from a variety of reasons. From a need to revisit outdated or conflicting data, or to further previous medical findings in a certain area, there are a variety of reasons and methods to evaluate clinical guidelines. One common method, that was discussed in the Penny (2012) reading, was the use of various data mining techniques. Pouring through previous research data and gathered evidence can be a daunting and sometimes difficult task. However, using data mining techniques such as algorithms, decision/classification trees, etc. the data can be thoroughly investigated, scrubbed, and analyzed for hidden meanings or higher-level evidence that can then be leveraged as new information for dissemination or guideline creation. Additional Informatics tools and technologies that can be leveraged for the same, include but are not limited to databases, EHR and EMRs, etc. which can be accessed through tools such as HIEs. Even more specifically, for the use of federated HIE models (Braunstein, 2014), Direct technologies are a perfect example of Informatics in use for the access and communication of data, evidence and even guidelines in clinical settings.

Data source (standard terminologies) have the potential to play a substantial role in the maturity of any clinical guideline, as well as other standardized healthcare processes. Because there is no one universally used or centrally managed system, different healthcare settings are left to make their own decisions as to what data they decide to collect and in what fashion. For example, it is common that an EHR/EMR in one part of the US will not look the same or house the same form of data in another part of the country. The collected information could be the same, but perhaps the wording or data types collected are not i.e., strings of characters vs. integers for prescribed amounts of medications. However, there are standardization codes to aid in such cases. A couple that have been discussed through readings (Braunstein, 2014) are ICD-9-CM and SNOMED CT diagnostic codes. Unless a computer is collecting the data (and sometimes even this isn’t good enough for standardization either), human provided data should be overly trusted since they tend to record information differently from one person to another. Using standard language/syntax, collected data and evidence can be transcribed and leveraged in the construction of clinical guidelines. Doing so would bring the healthcare industry one step closer to achieving standardization of data, information and evidence used in the clinical setting. For example, if the same language presented in the breast cancer screening and diagnosis guidelines were standardized, then the information later collected and used in practice would be more uniform across the board. Although an undertaking that is easier said than done, the use of Informatics can make this an achievable endeavor.

 

Informatics on Clinical Guidelines and IT Security:

For my particular focus area, that being the intersection of IT Security and Healthcare Informatics, there are several “guidelines” or best-practice standards to follow when implementing technology into a healthcare setting. In general, there are organizations such as the National Institute of Standards and Technology (NIST) that provide broad guidelines known as cybersecurity frameworks for public use in various settings. These same guidelines can be applied to more specific settings, like clinics. Health Informatics and Health centered organizations like the Office of the National Coordinator for Health Information Technology (ONC) and the United States Department of Health and Human Services (HHS) have developed their own guidelines for this intersection. The “Guide to Privacy and Security of Electronic Health Information” and “Reassessing Your Security Practices in a Health IT Environment: A Guide for Small Health Care Practices” are two examples, respectively. Just these two examples seem more than adequate in providing the necessary baseline understanding and steps in setting up a secure network that protects assets, monitors, and manages IT-related risks.

The beauty of organizations like NIST and their broad guidelines, as that they can easily be applied to many different settings, of different sizes or specializations. Personally, the only thing that I would change with the guideline provided by the HHS is to provide literature on a broader body of clinics, and not just small-scale sites. Although it is very likely that a resource like that exists, I was not able to readily find it on the HHS site.

One way that Informatics solutions could be used to improve guidelines, particularly the two previous examples, would be to leverage newer data being collected at the clinic level to drive novel examples that end up in the guidelines. These current use cases would entail technologies that have not yet been addressed, such as Health Information Service Provider (HISP) use for verifiable internal or external messaging and communication through Direct. To qualify such a technology for being a use-case, data could be gathered to observe how extensively the solution is used in healthcare settings. Subsequently, data and information on security issues that result from this Informatics solution can also be collected and presented, to ultimately provide guidance for those users looking to implement the solution in their environments.

 

Relationship between PBE and Informatics: Evidence Derived from Practice

The relationship between Practice-based Evidence (PBE) and Informatics, tends to overlap quite a bit with that of the relationship with EBP. After all, PBE tends to be the precursor and ultimate driver of EBP efforts. Touched upon briefly before, the field of Informatics along with its methods and common tools, sets itself up nicely to assist in multiple facets of PBE. Starting from the actual gathering of evidence (data) from clinical practice settings to the application of said data in advanced studies or out in the field, Informatics brings along with it advanced developmental, communication, and analytical tools that make the feat of producing PBE a lot less problematic.

As mentioned previously, Informatics lends a hand in the complex field of research studies, particularly when it comes time for advanced statistical analysis. After data for PBE use has been selected, whether the data is freshly collected or not, researchers are still presented with the challenge of making sense of the data, to ultimately prove or disprove a healthcare related hypothesis. At this point various statistical techniques can be employed, such as multivariate analysis, or even newer and far more sophisticated data mining techniques. These techniques can be leveraged to evaluate and find meaning in the dataset(s), that otherwise could not be done with more traditional techniques or at the very least not as easily.

Once conclusions have been drawn from the analyzed data and findings have been published, the next logical step for PBE would be the dissemination of said findings to the healthcare community. Although a main issue that plagues the healthcare community today is a lack of time or incentive for clinicians to review all the extensive published research out there, Informatics tools have made the access and communication of said research a lot simpler over time. Currently, there are numerous reputable public and private sites, each with their own databases, modules, and even analytical tools to assist in the retrieval of research data and findings. Whereas a few years ago, a clinician might have had to compare certain findings from a research study in-house with their own unique dataset (i.e., population of overweight urban children under 15 years old), there is a very good chance that the data already exists, or the actual analytical work has been done or can be easily done. So, all a clinician would need to do is access the wide array of resources currently available and conduct some less-intensive research for the desired information.

 

Data Mining at the Crossroads of Healthcare Informatics and IT Security:

Even though data mining is a relatively newer field, it certainly has caught a lot of traction since its inception. First being leveraged heavily in the marketing business world to capture untapped profits, nowadays the technology is slowly but surely being adopted in various other areas. One such area is Healthcare. Another area that is also seeing the emergence of data mining techniques is IT Security. Data mining techniques are being heavily leveraged in IT Security for its advanced capabilities to detect malware before it is too late. Through pattern detection techniques, data collected on infiltration efforts can shed light as to when attackers are more likely to strike, why (certain events), or how. Since both the Healthcare industry and IT Security have been seeing growth in the areas of data mining and machine learning, I believe that the marrying of both areas around the idea of utilizing both advanced Informatics techniques can only benefit any healthcare setting that adopts these practices.

One particular use case for data mining in healthcare, with an emphasis on IT Security, would be to collect data on possible entry points for attackers to infiltrate a healthcare network, possibly in the form of event logs. One particular entry point that stood out to me from Braunstein’s work was the use of HISPs and Direct messaging for provider and even patient communication (2014). Although the technology seems robust, and the use of PKIs is a commonly used tactic to combat unwanted infiltration, email and messaging communication vectors tend to still be an all-time favorite method that attackers like to leverage to wreak havoc on a network and even compromise an organization with precious data like Protected Health Information (PHI). It would be an interesting study to see if users are careful with their Direct emails, whether clicks on malicious URLs occur using those emails, and whether any unwanted malware ends up anywhere during the communication cycle. To do so, techniques like data mining would come in handy, especially to sift through thousands of potential email phishing log data. However, there a couple of issues that come with the use of log data for security recon. One being the sheer amount of data. Although data mining could be used to dig through it, this process would most likely be resource intensive. Not to mention that log data tends to not be as straight forward or easy to read unless properly parsed. There are various vendors out there that provide solutions for working with machine-generated data, one being Splunk. Again, solutions like these are both financially and resource intensive, so electing to use them would necessitate buy-in from most if not all applicable stakeholders, something that seems particularly difficult in smaller or privately owned clinical settings.

 

CDS and IT Security: Opportunities for Integration, Required Management, and Efficiencies

Clinical Decision Support (CDS) is a key functionality found in Health Information Technology that helps provide clinicians or patients with timely information that helps inform decisions at the point of care. This is commonly accomplished by sifting through enormous amounts of collected data, stemming from EHRs or repositories, and then suggesting the best next steps for treatment(s).

I believe that there is some opportunity to implement CDS type functionality and tools in conjunction with one of the major areas of focus in IT Security, that being data Integrity. The idea of a Personal Health Record (PHR) was particularly of interest to me when first reading about it. The first thing that came to mind was how the data being input by a patient would align with the data standards set by a healthcare organization. Like a children’s toy involving shaped pegs and holes, would patient provided data in the shape of a square peg be allowed in a triangle opening? Then, the ideas of data scrubbing and standardization and even proper data capture design occurred to me. These ideas allow this technology to not be overly difficult to implement at an organization attempting to leverage patient provided data. For example, if standardized patient forms with just drop-down menus are used, this could aid attempts to eliminate data-entry errors. However, at the same time, I am personally a little reluctant to completely trust a patient to provide high-level health information. If a device like a smartwatch could provide heartrate readings, then that would be acceptable, but anything less, not so much. So, this is where the idea of crossing CDS systems with IT Security, particularly checks for data integrity could come in handy.

The general concept would follow a decision tree style format, where one of the first gates for PHR data input would be something along the lines of “Was this data auto-generated by an approved medical device?” or “Was this data manually collected by the patient?”. This would then trigger appropriate checks to properly vet, transform, or mark the data as “non-official”. Later, at the point of care, CDS systems would be able to recognize these more or less “data compliance” checks and be able to suggest appropriate treatment options. For example, if a patient had recently conducted some simple vitals or blood tests at home, then these would not be required upon admittance at a clinic or hospital.

In essence the goal of CDS, in conjunction with IT Security, would be to provide the necessary mitigative steps, or “checks”, to allow for increased efficiency and cost savings initiatives. By looping in an IT Security mindset and applying it to innovative ideas, CDS technologies would be allowed to function without any worry of data integrity or compliance issues. This is a currently popular idea when developing new and efficient technologies. The idea of putting IT Security at the forefront of any new technology development, is sure to prevent any security or compliance headaches down the line.

Ultimately, CDS would be the most effective in the hands of the clinicians wielding the technologies and making the health-related decisions. In my previous example, data provided by a patient would need to be taken with a grain of salt, unless a clinician has a very good reason to think that it is quality data. The systems would automatically deem the data as “unofficial”; the ultimate decision would be handed down to the authority, in this case a clinician. In an outcomes-based clinical setting, this particular use of CDS tools would end up saving considerable amounts of resources of various types. However, implementation of such tools would be dependent upon stakeholder buy-in. If approved, the tools could be implemented at various points in the data gathering process, not just limited to PHRs. The same concept could be translated to EHRs, where data checks would ensure data is up to date and not stale, otherwise alerting if so. Such an undertaking would require significant documentation and subsequent review and approval of said documentation. This documentation would need proper vetting from various stakeholders, namely a review board, physicians, and informaticists. The goal remains the same, and that would be the ability to capture patient level data that the healthcare organization is comfortable in accepting as valid, and eventually promoting to a patient’s EHR/EMR. Data that could very well end up in formal research studies, and thus requiring high levels of integrity to be accepted.

 

Works Cited

Tallie Casucci, M.-J. (G. A., Tallie Casucci and Barbara Wilson | 4 minutes, & minutes, K. G. | 4. (2021, February 26). What is evidence-based practice? What is Evidence-Based Practice? Retrieved October 5, 2021, from https://accelerate.uofuhealth.utah.edu/improvement/what-is-evidence-based-practice.

Rigby, M., Magrabi F., Scott, P., Doupi, P., Hypponen, H., & Ammenwerth, E. (2016). Steps in

Moving Evidence-Based Health Informatics from Theory to Practice. Healthcare informatics research, 22(4), 255-260. https://doi.org/10.4258/hir.2016.4.255

Clinical guideline. IAHPC Pallipedia. https://pallipedia.org/clinical-guideline/. Accessed October 4, 2021.

Bevers, T. B., Helvie, M., Bonaccio, E., Calhoun, K. E., Daly, M. B., Farrar, W. B., Garber, J. E., Gray, R., Greenberg, C. C., Greenup, R., Hansen, N. M., Harris, R. E., Heerdt, A. S., Helsten, T., Hodgkiss, L., Hoyt, T. L., Huff, J. G., Jacobs, L., Lehman, C. D., … Kumar, R. (2018). Breast cancer screening and diagnosis, version 3.2018, NCCN clinical practice guidelines in oncology. Journal of the National Comprehensive Cancer Network, 16(11), 1362–1389. https://doi.org/10.6004/jnccn.2018.0083

HealthIT.gov. (2015, April). Guide to privacy and security of electronic health information. Retrieved October 5, 2021, from https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf.

United States Department of Health and Human Services. (n.d.). Small practice security guide – hhs.gov. Retrieved October 5, 2021, from https://www.hhs.gov/sites/default/files/small-practice-security-guide-1.pdf.

Horn, Susan D., et al. Traumatic Brain Injury–Practice Based Evidence study: design and patients, centers, treatments, and outcomes. Archives of physical medicine and rehabilitation 96.8 (2015): S178-S196.

Penny, K. I., & Smith, G. D. (2012). The use of data‐mining to identify indicators of health‐related quality of life in patients with irritable bowel syndrome. Journal of clinical nursing, 21(19pt20), 2761-2771.

CMS – Centers for Medicare and Medicaid Services. (n.d.). Clinical decision support Tipsheet – CMS. Retrieved October 5, 2021, from https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/ClinicalDecisionSupport_Tipsheet-.pdf.

Operational definition of Informatics (and Health Informatics) in relation to my future career.

The term ‘Informatics’ is somewhat of a broad term. To define it, informatics is the science that is made up of both information and computer science and is used to research the development, management, use and dissemination of data, information, and knowledge.

As it pertains to Health Informatics, the definition only slightly differs. Health Informatics is a unique field in Informatics, in which health related data, information and knowledge is developed, managed, analyzed, and used in numerous health-related settings, through the application of information and communication technology in various health settings. Additionally, because of the wide breath of disciplines in healthcare, Health Informatics as a whole, can be sub-divided into said discipline-specific classifications (Giddens, 2012, p.444).

 

Personal focus area(s) for this blog. A short description and currently identified informatics challenges and application opportunities.

Based on previous professional experience and a personal passion for IT Security, the focus area(s) of this blog (apart from Health Informatics) will be IT Security and general IT Operations issues that are commonplace in business and customer-facing settings. The main goal will be to relate these issues and the unique challenges that they bring to Health Informatics.

When relating to IT Security, this encompasses all the facets of cybersecurity, specifically the strategies, tools and technologies used to prevent the unauthorized use or access of safeguarded assets ranging from PCs to data. The goal of IT Security is to maintain high and appropriate levels of Confidentiality, Integrity and Availability.

The reason this applies to Health Informatics is that the field, per our definition, heavily relies on information and communication technologies. From access to the internet, to the use of software applications that manipulate, transmit or store important health data, these technologies and many more are commonplace in healthcare settings. So, to ensure that proper levels of Confidentiality, Integrity, and Availability are met for said technologies and data, established best practice standards and policies in the field of IT Security should be leveraged in healthcare settings that heavily rely on technology. After all, some of the most coveted and safeguarded information in any organization is data. Thus, I believe that IT Security must be at the forefront of any implementation or management discussions on new or existing technologies for use in healthcare settings since these settings tend to house sensitive and highly regulated patient or consumer data. Data that must remain confidential, have high levels of data integrity and availability (along with proper access to said data). So, a particular informatics challenge thus far identified is the proper base-level safeguards needed to house and protect health data.

 

 

An additional focus area that is of personal interest involves overall organizational or system IT issues, or what I refer to as IT Operations issues. These are issues with current systems in use that have inefficiencies, be it technological or procedural. Having had embarked on Six Sigma training and having experience in IT Operations with the technologies used in this area, I can attest to that the world of IT is always on the lookout for ways to improve processes and increase efficiency for internal or external (customer) use. Automation almost always tends to be the first answer, and to its credit, is more commonly becoming the most efficient answer. However, before getting to such a solution, a bare-bones procedural look at processes and tasks must be conducted to fully grasp the system and inefficiencies at play. Otherwise, issues could be overlooked, or solutions could not be adequately implemented to resolve the problems that were initially set-forth to be resolved.

Currently, baring my lack of clinical or healthcare experience, I do not know of many current healthcare system inefficiencies. From HIT 421 – Week 1 readings, it seems that issues of multidisciplinary triage and cooperation, and patient data errors tend to be major pain-points in existing systems. It is my belief that breaking down these processes and closely observing them for inefficiencies could prove to be extremely beneficial in properly engineering a solution. Similarly, to the Model Case presented in Giddens (2012, p.449) on informatics nurse specialist Ellipse Wrigglesworth, MSN, RN, and their efforts of following a very methodical and process-oriented approach to resolving issues with an existing fall risk management protocol for electronic health record (EHR) use, I envision that similar organizational or system IT issues can also be addressed and even yield beneficial contributions to the advancement of Health Informatics by design. Like how the protocol developed by Wrigglesworth produces meaningful data for Nursing Quality Indicators (NDNQI) use.

 

Why is this challenge an “informatics” challenge? 

Both IT Security and Operations issues as they relate to health informatics, pose “informatics” challenges due to the close-knit relationship these areas (and their accompanying issues) have with the technology leveraged for informatics efforts. To illustrate this, if threat actors were to launch a sophisticated campaign at a health clinic through the use of malware or a DDoS attack, the data in the form of records, repositories or even communications could be compromised or severely halted. Not only would this pose a serious short-term risk, but also a long-term risk for many parties including the organization and its patients. Without properly ensuring that all collected data for health informatics use is properly safeguarded, this opens the doors for disastrous and continuous threats. Threats that include the corruption or even theft of said data, rendering it useless or inaccessible.

 

Additional outside research in support of Informatics definitions and its application towards IT Security and Operations focus areas.

Per Ronquillo’s article (2018) “Despite making up less than 25% of all breaches, hacking was responsible for nearly 85% of all affected patient records over the last 5 years, highlighting the broad potential reach of this kind of breach. The 2017 WannaCry ransomware attack on Britain’s National Health Service, which forced numerous clinics to close their doors and refuse patient care…” As security threats become more common and technology is further adopted by healthcare organizations, there will clearly be a needed for heavy investment and scrutiny placed on this section of informatics. Although most hackers are incentivized by monetary bounties, their actions can have secondary and sometimes dire consequences when health is involved. If one sophisticated attack such as WannaCry can have such an impact as to halt health clinics for some time, then this just further supports the ideology that Security should be at the forefront of any Health IT or informatics discussions.

(Table 2 was imported from Ronquillo’s JAMIA Open article, which was tabulated from the referenced 5-year study).

Finally, from Ronquillo’s same article (2018), it is mentioned that over the 5-year period in which the article’s study is conducted, “there were 1,512 reported data breaches of protected health information affecting 154,415,257 patient records…” with “1,073 (71.0%) breaches of a hospital or health care provider”. These figures alone paint a relatively stark picture of the landscape of the health industry’s security posture and the potential threats looming over health data. However, there are effective solutions that can be implemented early on and maintained throughout the life cycle of technologies and data. From individual level solutions, such as engaging physicians, researchers, or nurses in cybersecurity best-practices to strong data encryption policies for data at REST or being transferred. As Ronquillo suggests, “as big data, machine learning, and artificial intelligence are integrated into the practice of medicine, policies must be revised to help build the informatics infrastructure necessary to safely and effectively monitor, detect, and eliminate cyber threats” (2018).

 

Works Cited

Jay G Ronquillo, J Erik Winterholler, Kamil Cwikla, Raphael Szymanski, Christopher Levy, Health IT, hacking, and cybersecurity: national trends in data breaches of protected health information, JAMIA Open, Volume 1, Issue 1, July 2018, Pages 15–19, https://doi.org/10.1093/jamiaopen/ooy019

Connors H, Warren J, Popkess–Vawter Technology and informatics. In: Giddens JF, ed. Concepts for Nursing Practice. St. Louis, MO: Elsevier; 2012:443-452.

Hello and welcome!

My name is Luis Orozco and I am a graduate student of Health Informatics at DePaul University. Thank you for visiting my blog!

This blog will serve as a space for reflection and discussion of studied Health Informatics topics and concepts as they relate to IT Security and Operation issues and the challenges these issues pose to the area of Health Informatics.

Hopefully, you the reader find subsequent posts engaging and thoughtful. I always encourage discussion or feedback, so please feel free to reach out!

Luis Orozco