
The implementation of information security management for the electronic

Overall, fully implemented implementation specifications outnumber the other categories in all four hospitals (Figure 5). Except for hospital A, which has 13 fully implemented implementation specifications, the other three hospitals share the same number, nine each. Hospital A also has the lowest number of not-implemented measures, followed by hospitals C, B and D with 3, 5 and 5 not-implemented measures respectively. Most of the fully implemented implementation specifications fall into the physical and technical safeguards, while the partially implemented and not-implemented ones mostly belong to the administrative safeguards (Table 5).

FIGURE 5: The implementation level of security measures at four hospitals

The four hospitals also share the same grading results for the physical and technical safeguards and differ only in the administrative safeguards (Table 5). The details are reported by the three groups of standards, administrative, physical and technical safeguards, in the following paragraphs.

Administrative safeguards

With regard to risk analysis, the process of identifying all potential security risks, including threats and vulnerabilities, to the electronic medical records system and of thoroughly determining their probability of occurrence and magnitude was carried out only at hospital A, for the first time in January 2019. This makes hospital A the only institution where all factors were taken into account when considering new security measures, and thus risk management is fully implemented there; the other three hospitals lack the probability and criticality of potential risks to the electronic medical records system, a factor which must be drawn from the risk analysis results. In terms of sanction policy, only hospital A reported having sanction policies and procedures against non-compliant behaviour by staff; however, no hospital requires employees to sign a statement of adherence to security policies and procedures as a prerequisite to employment.

TABLE 5. Information security management at four hospitals by group of standards (columns: Standards; Fully implemented; Partially implemented; Not implemented)


Audit logs are available in all four hospitals; in addition, hospital B produces access reports and hospital A has security incident tracking reports. Only hospital A conducts a periodic review of these reports; the other three hospitals look at the reports only when incidents happen. Therefore, “Information system activity review” is fully implemented at hospital A and partially implemented at the rest of the group. Except at hospital B, there is a security official responsible for the development and implementation of the security policies and procedures for the electronic medical records system at the other three hospitals. However, the responsibilities of this security position are not clearly identified, agreed and documented by the hospitals. With respect to the “Response and reporting” implementation specification, three out of four hospitals reported having policies to address security incidents affecting their electronic medical records system. The policies include a list of possible types of security incidents and a general process for responding to incidents and reporting them to the IT department. A process for documenting and evaluating security incidents as part of ongoing risk management is not yet included.

Electronic medical records data is backed up once a day at three hospitals and four times a day at the remaining one, hospital C. Only hospital A stores its backup data at a centre outside the hospital; the other three store their backups in the same place as the main data.

Procedures to restore any loss of electronic medical records data are available at all four hospitals. In terms of an emergency mode operation plan, again, all of them have prepared plans that allow the organization to continue its operations and business processes during emergencies. According to these plans, it is claimed that data would be protected, but its availability is not well assured. Finally, only hospital A reported performing a periodic technical and non-technical evaluation of electronic medical records data security, carried out either by staff or by a third party.

Physical safeguards

All four hospitals have policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EMR data. Remote workstations are available at hospital A alone, and they are also addressed in hospital A’s policies. With respect to workstation security, physical safeguards were implemented at each hospital for all workstations that access electronic medical records data, to restrict access to authorized users. In practice, workstations are placed in secured and locked rooms, or there are wall barriers for receptionist computers.

All four hospitals have policies and procedures for the disposal of electronic medical records data and/or the hardware or electronic media on which it is stored, and for removing EMR data from electronic media before re-use. In conclusion, all four physical implementation specifications are graded as fully implemented at the four hospitals.

Technical safeguards

At all four hospitals, every authorized user has a unique user identifier, a username based on the staff code or full name, which satisfies unique user identification. Access to electronic medical records data in emergency situations is not set up at any hospital, which means the emergency access procedure is not implemented at all. Concerning audit controls, all four hospitals record activity in the information systems that contain or use electronic medical record information. Finally, username and password is the only mechanism used to authenticate an authorized person or entity at these hospitals.

Other results

Other comparisons were made by hospital type: public hospitals against private hospitals, and general hospitals against specialized hospitals. Public hospitals include hospitals C and D and private hospitals include hospitals A and B; general hospitals include hospitals A and C and specialized hospitals include hospitals B and D (Table 4).


FIGURE 6: Level of security measures implementation by type of hospitals (public vs private)

FIGURE 7: Level of security measures implementation by type of hospitals (general vs specialized)

According to the analysis, public hospitals have fewer “Fully implemented” implementation specifications than private hospitals, 18 vs 22 (Figure 6). On the other hand, general hospitals have more “Fully implemented” implementation specifications than specialized hospitals, 22 vs 18 (Figure 7). However, it is worth pointing out that hospital A, with its outstanding performance, is a private general hospital. That produces the better results for public hospitals and general hospitals in terms of hospital types.

As reported in section 5.1, the collected data showed no difference among the four hospitals regarding their electronic medical records systems. Therefore, no analysis using any of the EMR characteristics as an independent variable could be carried out.

6 DISCUSSION