Academic year: 2022

INFORMATION SECURITY IN HEALTHCARE An exploratory study of hospitals in Vietnam

Linh Nguyen Master’s thesis

Master’s Degree Programme in Health and Business University of Eastern Finland

Department of Health and Social Management Faculty of Social Sciences and Business Studies May 2019

(2)

UNIVERSITY OF EASTERN FINLAND, Faculty of Social Sciences and Business Studies Department of Health and Social Management, health and business

NGUYEN, LINH: Information security in healthcare - An exploratory study of hospitals in Vietnam

Master's thesis, 44 pages, 2 appendices (11 pages)

Thesis Supervisors: PhD Ulla-Mari Kinnunen, PhD Virpi Jylhä

May 2019

Keywords: security and privacy, health informatics, hospital, Vietnam

During the past decades, privacy and information security in healthcare have attracted a lot of attention from researchers and policy makers worldwide. However, health information security is not adequately understood in the context of Vietnam, even though securing protected health information is an essential part of the mission of effectively delivering health care services.

Therefore, this master's thesis aimed at exploring the implementation level of security measures that protect the electronic medical systems at hospitals in Vietnam by answering the two research questions below:

1. What is the adoption level of electronic medical systems at the hospitals in Vietnam?

2. What is the implementation level of security measures for electronic medical records systems at the hospitals in Vietnam?

Four tertiary hospitals were included in this exploratory study. The adoption level was assessed by a questionnaire answered by the IT staff, and the data were analyzed using appropriate descriptive statistics techniques.

Based on the analysis results and reflection on earlier work, the study revealed four main findings: the tertiary hospitals in Vietnam are in transition to an electronic medical records system; the general level of implementation of security measures at tertiary hospitals in Vietnam is medium; administrative safeguards are normally weaker than technical and physical safeguards; and conducting a risk analysis is associated with a higher level of adoption of information security practices. Future research on this topic could start from these findings as hypotheses.


TABLE OF CONTENTS

1 INTRODUCTION... 3

2 BACKGROUND AND MOTIVATION ... 5

2.1 Overview of information security in health informatics ... 5

2.2 Health information security in Vietnam ... 7

2.3 Descriptions of electronic medical records systems ... 10

2.4 Assessment of the information security management for electronic medical records (EMR) systems ... 12

3 AIMS AND OBJECTIVES OF THE STUDY ... 20

4 MATERIALS AND METHODS ... 21

4.1 Research approach ... 21

4.2 Design of assessment instrument ... 22

4.3 Research environment ... 23

4.4 Sampling and data collection process ... 25

4.5 Data analysis ... 28

5 RESULTS ... 29

5.1 The electronic medical records systems at studied hospitals ... 29

5.2 The implementation of information security management for the electronic medical records systems... 31

6 DISCUSSION ... 37

6.1 Reliability and validity of the study ... 37

6.2 Discussion of research results ... 38

7 CONCLUSION ... 44

REFERENCES ... 45

APPENDICES ... 51

FIGURES

FIGURE 1: Research domains in the healthcare information security ... 13

FIGURE 2: The information security management model ... 15

FIGURE 3: The organizational structure of healthcare system in Vietnam ... 25

FIGURE 4: Gaining access to the field sites process ... 27

FIGURE 5: The implementation level of security measures at four hospitals ... 31

FIGURE 6: Level of security measures implementation by type of hospitals (public vs private) ... 35

FIGURE 7: Level of security measures implementation by type of hospitals (general vs specialized) ... 35

TABLES

TABLE 1. Summary of references used for research framework in previous studies ... 16

TABLE 2. The HIPAA Security Rule: Matrix ... 18

TABLE 3. Major health statistics in Vietnam ... 24

TABLE 4. Electronic medical records system at four hospitals ... 30

TABLE 5. Information security management at four hospitals by group of standards ... 32

1 INTRODUCTION

Modern and disruptive developments in information technology and telecommunications are transforming healthcare and help achieve the goals of timely access to high-quality, cost-effective healthcare services for all people. Adopting information and communication technology in hospitals is radically changing the way patient information is collected, stored, processed and archived. Traditional paper medical records are now turning into electronic medical records, electronic health records and, recently, personal health records. This transformation requires a change in how information and its integrity are protected (Janczewski & Shi 2002). The most recent effort in protecting identifiable information, the new European General Data Protection Regulation, is showing its significant impact in the health care sector (Orel & Bernik 2018). Despite several attempts to better secure health information systems, data breaches still happen around the world, raising the question of whether health information is being properly secured (Tham 2018; Yaraghi & Gopal 2018).

In Vietnam, how identifiable information and privacy are protected in the health sector is far from adequately understood, because very little information on this issue can be found in published papers. As such, the other way to find out about the situation in this country is to look at the relevant policies that include health information security and privacy as one of their parts. Unfortunately, the issue has been addressed in a one-sided approach which mainly focuses on technical methods and appears much less comprehensive than it should be. This implies one thing: health information security is still underrated in Vietnam (see Section 2.2). Lessons learnt from other countries show that risks to the confidentiality and integrity of health information are always present; therefore, a lack of adequate understanding and proper solutions will make information systems much more vulnerable to those risks and will cause serious consequences for individuals and organizations alike (Samy et al. 2010).

Information security and privacy is actually a multi-aspect subject which can be discussed from the perspectives of healthcare consumers, healthcare providers, inter-organizational relationships, and public policy making (Appari and Johnson 2010). This study chose to explore the phenomenon from the standpoint of healthcare providers, because the hospitals in Vietnam are now obliged by new regulations to adopt an electronic medical records system (Minh 2019).

Regarding the research goal, this study aims at studying the implementation of security measures for electronic medical records systems at hospitals in Vietnam. In more detail, the information security management for the electronic medical records system will be assessed at hospitals to gain the very first insights on this topic in the context of Vietnam. To achieve this goal, similar works around the world and the relevant literature will be reviewed to build the theoretical frameworks. The assessment instrument, which includes a questionnaire and a grading scale, was designed based on those frameworks. In terms of research strategy, this study was designed as exploratory research, which served as a guiding star for sampling, collecting and analyzing data. In the final step, the main findings will be carefully discussed and reflected against previous studies.

2 BACKGROUND AND MOTIVATION

2.1 Overview of information security in health informatics

The history of health informatics started long before the computer age, with a belief in the role of statistics in guiding health policy and practice. To tell that story, Pat Reynolds and associates (2008) documented some remarkable events in England and the USA during the 19th and 20th centuries. Patient files, diagnosis indices and statistics in epidemiology are among the earliest examples of health information being collected and used to support the delivery of health care. After that, the first use of computers in healthcare was by a dentist, Dr Robert Ledley at America's National Bureau of Standards in 1950 (Reynolds et al. 2008). Ever since then, computers and information technologies have transformed the way everyone lives and works. Nowadays, there is almost no area untouched by computer-driven technology, and the health care sector is no exception. This trend is backed up by arguments about the improvement of patient safety, quality and efficiency of the delivery of care with the help of new technologies.

Evidence is available. A systematic review conducted by Aziz Jamal, Kirsten McKenzie and Michele Clark (2009) on 17 studies showed a positive improvement in clinicians' adherence to evidence-based guidelines thanks to the adoption of electronic health records, computerized provider order entry, or decision support systems. Increased adherence to guideline-based care, enhanced surveillance and monitoring, and decreased medication errors were also demonstrated in a larger-scale systematic review of 257 studies relating to health information technology (Chaudhry et al. 2006). Financially, savings on administrative goods and/or personnel, savings on pharmaceuticals, and revenue gains through improved billing were reported by Low and associates in their systematic review of 57 articles (Low et al. 2013). The authors nevertheless emphasized a scarcity of studies with strong study designs and financial analyses.

On the other hand, some adverse events of health information technology are also being questioned. In a very theoretical attempt, Sittig and Singh (2011) used the eight-dimension socio-technical model to frame all possible health information technology-related errors that could cause more harm than benefit during operation. According to them, health information technology-related errors might come from the technology itself or from the interactions between the technology, its users and the work system (Sittig & Singh 2011). However, even though advanced information technology does not always mean better outcomes, its benefits still dominate (Bardhan & Thouin 2013; Buntin et al. 2011), and investing in health information technologies is worthwhile in the long term.

Standing out from the debate between opponents and advocates of health information technologies, information security and privacy remains an undeniably hot topic. In fact, reports on data breaches in the health care sector can be found online effortlessly. In a very recent report, most of the incidents in the US related directly to covered entities, which are health plans, health clearinghouses and healthcare providers, and the number of incidents increased over the studied years from 2010 to 2017 (Yaraghi & Gopal 2018). In the UK, 2,447 data breaches occurred at healthcare organizations, making up 43% of all reported incidents between January 2014 and December 2016 ("ICO data shows health sector accounts for 43 percent of all data breach incidents"). Noticeably, around 1.5 million patients were affected by a large-scale cyber-attack on the healthcare group SingHealth in Singapore during May to July 2018 (Tham 2018). All these numbers raise a real concern about health information security for all the relevant stakeholders, and information security is believed to be one of the most important issues for health informatics.

In their review on privacy and information security, Ajit Appari and M. Eric Johnson (2010) presented a general view of information flow in healthcare. Based on their description, the patient health information or record is at the core of that flow, which involves almost all activities at healthcare organizations and the relevant stakeholders. Healthcare professionals, employers, payers and business associates use a part or the whole of patient medical records for purposes beyond diagnosis and treatment provision. The medical record itself, at the same time, accumulates more and more identifiable information on the patient's health over time (Appari & Johnson 2010). Health information technologies smooth that information flow but also expose it to risks that can threaten privacy and information security. In fact, Ganthan Narayana Samy and associates (2010) listed 22 categories of threats, and their experimental results showed that power failure, acts of human error or failure, and other technological factors are the most critical threats to the hospital information system. This, again, confirms the importance of information security and privacy to a healthy information system, especially in the area of health.

From a legal perspective, the health information security and privacy issue has been intensively addressed, especially during the era of information technology. Yakov Flaumenhaft and Ofir Ben-Assuli (2018) reviewed the global policy and regulatory environment directly affecting the development of personal health records. The studied jurisdictions include the international level, the USA, Canada, Japan, Australia, the UK and three European countries. In all of them, regulations are available to protect data and personal information. In the same review, the authors pointed out two challenges that policy makers are facing. First, governments are still struggling to balance the wish to gain the benefits of the technology against the requirement to protect users from unexpected events, especially in a time of fast-changing technology. Secondly, the jurisdictional and geographical boundaries of data are now fading, which puts more difficulties on policy and law makers and calls for more than just local solutions (Flaumenhaft & Ben-Assuli 2018).

In a nutshell, information and communication technologies are transforming the traditional way of handling health-related information yet, at the same time, creating new risks to its confidentiality and integrity. Information security thus becomes a more essential part of health informatics than ever, and identifiable information from patient records is the most valuable asset to secure. Despite much effort, information security seems to be insufficient in the healthcare sector, and policy makers face many challenges in balancing the security and mobility of health information.

2.2 Health information security in Vietnam

The current situation of health information security in Vietnam was reviewed through previous research and national regulatory documents. Generally, no published article on health information security in the context of Vietnam could be found using well-known search engines such as Google Scholar and PubMed. Searching some online resources for publications in Vietnamese also gave no relevant result. Hence, all health informatics-related publications found were scrutinized carefully to see whether information security was discussed.

Published research on health informatics in Vietnam clusters in two main groups: the implementation of eHealth initiatives (cf. Sobowale et al. 2016; Katona et al. 2014; Lam et al. 2018; McBride et al. 2018; Vu et al. 2016; Landgraf et al. 2016; Nguyen et al. 2013); and reviews of the current state of information technology adoption at hospitals (cf. Nguyen & Hoang 2017; Do et al. 2018). In some of those articles, the data security and privacy issue was acknowledged at some level. In a case report, for example, about the process of establishing a national laboratory information management system program for clinical and public health laboratories in Vietnam, the authors highlighted the need for stronger health information data security policies, at the laboratory and national levels, to comprehensively tackle security issues and to fully maximize the benefits of the system (Landgraf et al. 2016). In an attempt to build a web-based system to manage and share anti-retroviral therapy information of human immunodeficiency virus patients in Vietnam, Phung Anh Nguyen and associates (2013) characterized "ensuring good enough security controls for the data stored and transferred among facilities" as one of the five features when building that system. Technical solutions, such as a reliable backup tool, a firewall, and authorized access, were used to strengthen data security. In another recent scoping study about mobile health initiatives in Vietnam, the fact of not having any legislation relating to mHealth or data security was briefly mentioned without any further discussion (Lam et al. 2018). This shows that health information security remains a neglected research topic in Vietnam.

Regarding the regulatory environment for health information security in Vietnam, four regulations directly affect healthcare providers in taking action toward health information security. They are listed below:

- The Law on medical examination and treatment states in chapter 2:

“Article 8. Rights to respect for privacy

1. To have their health status and private information given in their case history dossiers kept confidential.

2. The information referred to in Clause 1 of this Article may be disclosed only when agreed by patients or for exchange of information and experience between practitioners directly treating the patients to improve the quality of diagnosis, care and treatment of patients or in other cases provided by law.”

(“Law on medical examination and treatment”, translated by author)

In the same law, article 59 explains further that the head of the healthcare provider holds the right to permit the use of medical records in two cases: one is for training and research purposes; the other is for legal purposes such as investigation or audit. This means patient consent is unnecessary in these cases.

- The Circular on requirements for provision of online healthcare services, issued in 2014 by the Ministry of Health, addresses information security in article 4, which consists of five specifications about the policy, online system, application software, data and incident management.

- In the Circular on criteria for information technology adoption in health care providers, issued in 2017 by the Ministry of Health, there are 15 criteria for information security and confidentiality, divided into basic and advanced levels. Thirteen of them are technical requirements, such as antivirus software, data encryption, backup or restore. Only two criteria are about policies and procedures.

- A brand new Circular on regulations for electronic medical records (EMR) was issued in 2018. There are 12 articles relating to electronic medical records management; three of them address aspects of information security and privacy. First, article 6 covers the storage of EMR in terms of managing software, storage hardware, the data center for backed-up data, and acquisition by healthcare providers. Secondly, article 7 specifies the process for using EMR, which conforms to the Law on medical examination and treatment as mentioned above. Finally, article 10, "Privacy and information security of EMR", requires healthcare providers to perform a number of technical measures, including access controls, anti-malware, restoring lost data, data encryption, and recording activities on EMR ("Circular on regulations for electronic medical records").

Apparently, the information security and privacy issue has been recognized consistently from the basic law to very recent health policies in Vietnam. However, compared with the other countries mentioned in section 2.1, it is still being addressed in a fragmentary and overlapping way. Indeed, the focus is more on technical and specific measures rather than on a systematic and comprehensive approach.

Despite the fact that no data breach has been officially reported in the health sector so far, this does not mean that health information is secured well enough for the future of networking and digitization, because very little is known about information security in Vietnam, including perceptions, infrastructure, administration and so on. Therefore, this thesis is expected to give the very first insight into the situation in Vietnam and to attract the attention of researchers and healthcare providers to the information security issue.

2.3 Descriptions of electronic medical records systems

As explained in previous sections, patient records are the main source of information in the information flow in healthcare. In the time of paper-based work, each patient normally had one medical record at the clinic or hospital where that person used healthcare services. Patients might or might not receive or store their own medical information at home. Nowadays, computers and information technologies allow medical records to be used conveniently by different stakeholders, and new terms were born to distinguish different types of medical records; the most popular are electronic medical record (EMR), electronic health record (EHR), and personal health record (PHR). Kristiina Häyrinen and associates (2007) documented many other terms that refer to medical records, such as electronic patient record, computerized patient record, digital medical record, clinical data repository, electronic client record, virtual EHR, and population health record. Some of them are defined similarly, some are not. The key point that differentiates them is the users of the record information (Häyrinen et al. 2008). Due to the study scope, only the three main types of records, EMR, EHR and PHR, will be discussed further.

For a long time, EMR and EHR were used interchangeably, but recently the line between them has been drawn. As such, EMR is defined as an internal organizational system whose records contain all or most of a patient's clinical information from a particular health care provider, whereas EHR is an inter-organizational system which contains all patient health information generated in multiple care delivery settings. That is because an EMR is used internally by the staff of one health care provider, while an EHR, which yields a cross-institutional and longitudinal compilation of a patient's record data, is accessed by health care professionals from different sites. On the other hand, PHRs are controlled by patients themselves, which means patients can add their own medical history or personal information and grant health care providers access to their information at their own discretion. There is certainly an overlap of information among those three types of records with respect to one patient's data; therefore, integrating EMR, EHR and PHR data is another important topic (Caligtan & Dykes 2011; Häyrinen et al. 2008; Heart et al. 2017). In this study, the term EMR will be used because the study focuses only on the hospital context rather than on inter-organizational health record systems.

In line with the first research question, this part aims at reporting the basic features of the EMR systems at the studied hospitals. It helps to build an overview of the study context for the main topic, which is information security. Because an EMR system is, at its core, an information system, it can be described through the four generic components of any typical information system: enterprise functions, business processes, application components, and physical data processing systems (Winter et al. 2010). Some examples of each component relevant to a health-related information system are listed below:

Enterprise function: patient admission, medical and nursing care planning, financial accounting, decision support;

Business processes: importing data and daily care plan, retrieving information;

Computer-based application components: hospital information system program, pharmacy management system program;

Physical data processing systems: terminals, servers, personal computers, or network.

(Winter et al. 2010).

In this study, information on the functions and application components will be collected to get a general view of the EMR systems at the studied hospitals. Even though the subject is EMR, the author will adopt the eight core EHR functionalities of the Institute of Medicine in the US (2003) for several reasons. First, EHR still plays the main role on the stage of health informatics; most research and publications, especially those for the purpose of setting standards, talk about EHR. Indeed, no literature about functions specified for EMR could be found. Second, with the concepts of EMR and EHR understood as above, EHR can be seen as the next step after connecting and integrating different EMR systems and would thus inherit all the functions of EMR. Finally, the development stage of either EMR or EHR systems at hospitals in Vietnam remains unknown. By using the EHR functionalities, missing information and bias will be eliminated in case some hospitals own much more advanced EMR systems than the others. The eight core EHR functionalities are briefly explained below:

1 Health information and data: having adequate and accurate information and data allows the EHR to implement all the remaining functionalities;

2 Results management: this requires managing results of all types (e.g., laboratory test results, radiology procedure result reports) electronically;

3 Order entry/order management: this is the process of electronic entry of medical orders for the treatment of patients; a popular term for this is computerized provider order entry (CPOE);

4 Decision support: this function assists clinicians in making more accurate decisions in many aspects, for example, prescribing of drugs, diagnosis and management, prevention and so on;

5 Electronic communication and connectivity: this aims at enhancing connectivity and communication among health care team members and other care partners (e.g., laboratory, radiology, pharmacy) and with patients;

6 Patient support: this function targets patients with chronic conditions by empowering them to self-manage their illnesses;

7 Administrative processes: this includes electronic scheduling systems for hospital admissions, inpatient and outpatient procedures, billing, claims, and so on;

8 Reporting and population health management: this involves abstracting and reporting data within the organization or to higher authorities for patient safety and quality, as well as for public health.

(Institute of Medicine (US) Committee on Data Standards for Patient Safety 2003).

Those eight core functionalities together serve the objectives of enhancing patient safety, improving the effectiveness of patient care, facilitating the management of chronic conditions, and improving efficiency.

2.4 Assessment of the information security management for electronic medical records (EMR) systems

To draw a big picture of information security research in healthcare, Appari and Johnson (2010) conducted a comprehensive review of information security in the healthcare sector and proposed a research agenda based on their findings. Figure 1 breaks down the four main perspectives of healthcare information security, which are healthcare consumers, providers, inter-organizational and public policy. These four perspectives surround "threats", which are argued to be at the core of information security and privacy. Apparently, without risk or threat, there would be no concern about protection of data or privacy. This will be discussed further in the following part. From each perspective, there are relevant research domains (dotted boxes) that have been studied worldwide to date.

FIGURE 1: Research domains in the healthcare information security (adapted from Appari & Johnson 2010)

Zooming in on Figure 1, some topics covered until 2010 include access control, information integrity, network security, privacy policy management, and risk management from the provider's perspective. Also from the standpoint of healthcare providers, security culture and awareness, and security of cloud-based information systems, have recently emerged as non-technical and technical topics, respectively (Rodrigues et al. 2013; Shahri et al. 2013). As such, information security appears to be quite a large field which, even from just one perspective, could easily be divided into many small pieces to be scrutinized further. Regarding this study, the research framework for studying information security should thus be broad enough to generate a general view of the studied context, which remains "mysterious" as explained, but at the same time narrow enough to suit the limited time and labor resources.

Before getting into the main part, the most basic concepts in information security and privacy will be presented first: privacy, security and risk. The meanings of "privacy" and "security" regarding information management are broadly agreed upon across the literature. This study uses two definitions adopted by Dixie B. Baker (2012):

"Privacy is the assurance that one's health information is collected, accessed, used, retained, and shared only when necessary and only to the extent necessary and that the information is protected throughout its life cycle using fair privacy practices consistent with applicable laws and regulations and the preferences of the individual."

“Security is the protection of the confidentiality of private, sensitive, and safety-critical information; the integrity of health data and metadata; and the availability of information and services through measures that authenticate user and system identity and data provenance and that maintain an accounting of actions taken by users, software programs, and systems.”

From the above definitions, "privacy" and "security" appear to be two different concepts which nevertheless relate closely to each other. "Privacy" is more about keeping information safe and undisclosed, while "security" aims at the proper use of information by preserving its confidentiality, integrity and availability. As such, when health information is well secured, not only patients' privacy but also the quality of care is assured.

Dixie Baker (2012) also proposed a definition for risk, which is "the probability that a threat will exploit a vulnerability to damage, destroy, or harm a valued asset". As such, the three variables of risk are threat, vulnerability, and impact, and the process of making sense of the data is nothing but a process of identifying threats and vulnerabilities, going hand in hand with evaluating the impact. Risk and other relevant concepts, such as risk analysis, risk assessment or risk management, come first in many information security approaches, which will be discussed further in the following parts.

To design the framework, the author reviewed well-known standards, regulations and academic books on information security. The major components of information security management and their relations are shown in Figure 2. Ultimately, information security is meant to preserve the confidentiality, integrity and availability of information. The puzzle of keeping accurate information protected from unauthorized access but still accessible for the delivery of care is the core mission. To accomplish that mission, the first and foremost step is to acquire an understanding of the information system to be protected and its environment through risk analysis and assessment. In fact, each information system differs from the others in its vulnerable points and potential internal and external risks, and it thus requires different, if not remarkably different, security strategies. Finally, reasonable security controls are implemented based on the risk analysis results and other factors, such as compatibility or cost. Security controls can be classified into more general categories, for example operational, administrative, technical, or physical controls, depending on the literature (British Standards Institution 2008; Canadian Institute for Health Information 2017; Harmening 2014; Janczewski & Shi 2002; "Health insurance reform: Security standards"). Furthermore, Mehrdad Farzandipour and associates (2010) demonstrated in their comparative study that the security requirements for electronic health record information in Australia, Canada, England and the USA are highly similar. Evidently, the general approach to tackling information security is becoming more mature and consistent.

FIGURE 2: The information security management model

There are six similar works found in the online database by searching these key terms: “information security assessment”, “information security risk assessment”, and “hospital”. Among them, two studies focus on the risk analysis component, and the other four focus on the outer layer of the model, security controls. All of those studies used a research framework or questionnaire based on well-known standards, regulations and guidelines. Table 1 summarizes their sources of references. The four studies on security controls, which share the purpose of assessing the information security state at hospitals, give a better general view of it, whereas the studies on risk analysis yielded only results on potential risks for the hospital information system.

[Figure 2 layers, from the outside in: Security controls; Risk analysis/assessment; Confidentiality, Integrity, Availability]

Therefore, this study will follow the direction of studying the implementation of security controls for the electronic medical records system, and the research framework will be chosen from among the well-known standards and/or regulations. It is noted that domestic regulations and standards were not mentioned in this part because they lack a comprehensive approach, as explained before. Eventually, the Health Insurance Portability and Accountability Act (HIPAA), a US regulation, was selected for two reasons:

- HIPAA is the most popular reference used in studies on information security, and its validity has been clearly proven (Table 1);

- the HIPAA Security Rule was designed to be technology neutral, so that it applies to any organization regardless of its current technology (“Health insurance reform: Security standards”).

TABLE 1. Summary of references used for research framework in previous studies

Author & Year | Subject | Source of references
Tritilanunt & Ruaysungnoen 2016 | Risk analysis | ISMS-201 IT Risk Management Standard Version 2.0; NIST Risk Management Guide for Information Technology System; OWASP Testing Guide; HIPAA Security Procedures
Coleman 2004 | Risk analysis | OCTAVE
Mehraeen et al. 2016 | Security controls | HIMSS; HIPAA
Kwon & Johnson 2013 | Security controls | HITECH; HIPAA; Red Flags Rule; State Security Laws; CMS Regulations
Landolt et al. 2012 | Security controls | ISO/IEC 27002
Park et al. 2010 | Security controls | ISO/IEC 27001; ISO/IEC 17799; JIS Q 15001 in Japan; ISMS presented by the Korean Internet & Security Agency in Korea

ISMS: Information Security Management System; NIST: National Institute of Standards and Technology; OWASP: The Open Web Application Security Project; HIPAA: The Health Insurance Portability and Accountability Act; OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation; HIMSS: Healthcare Information and Management Systems Society; HITECH: Health Information Technology for Economic and Clinical Health Act; CMS: Centers for Medicare & Medicaid Services; ISO/IEC 27002: Information technology – Security techniques – Code of practice for information security management, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC); ISO/IEC 27001: Information Security Management, published by ISO and IEC; JIS Q 15001: Personal information protection management systems, published by Japanese Industrial Standards (JIS).

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, is a federal law that specifies the privacy, security and electronic transaction standards with regard to patient information for all health care providers. At the beginning, the act aimed at reducing insurance-related health transactions for patients by standardizing information transactions. Later on, the HIPAA Privacy Rule was published in December 2000 to better secure Protected Health Information, that is, individuals’ health information in all forms, including oral, written, and electronic forms. About two years later, in February 2003, the HIPAA Security Rule was published to set national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. (Office for Civil Rights 2017). In order to assess the implementation of information security management for electronic medical records information, this study used the HIPAA Security Rule (“Health insurance reform: Security standards”) as the guiding framework.

TABLE 2. The HIPAA Security Rule: Matrix

(R) = Required, (A) = Addressable

Standards | Implementation Specifications
Administrative safeguards |
Security management process | Risk analysis (R); Risk management (R); Sanction policy (R); Information system activity review (R)
Assigned security responsibility | (R)
Workforce security | Authorization and/or supervision (A); Workforce clearance procedure (A); Termination procedures (A)
Information access management | Isolating healthcare clearinghouse function (R); Access authorization (A); Access establishment and modification (A)
Security awareness and training | Security reminders (A); Protection from malicious software (A); Log-in monitoring (A); Password management (A)
Security incident procedures | Response and reporting (R)
Contingency plan | Data backup plan (R); Disaster recovery plan (R); Emergency mode operation plan (R); Testing and revision procedure (A); Applications and data criticality analysis (A)
Evaluation | (R)
Business associate contracts and other arrangements | Written contract or other arrangement (R)
Physical safeguards |
Facility access controls | Contingency operations (A); Facility security plan (A); Access control and validation procedures (A); Maintenance records (A)
Workstation use | (R)
Workstation security | (R)
Device and media controls | Disposal (R); Media re-use (R); Accountability (A); Data backup and storage (A)
Technical safeguards |
Access control | Unique user identification (R); Emergency access procedure (R); Automatic logoff (A); Encryption and decryption (A)
Audit controls | (R)
Integrity | Mechanism to authenticate electronic protected health information (A)
Person or entity authentication | (R)
Transmission security | Integrity controls (A); Encryption (A)

Source: “Health insurance reform: Security standards”

The HIPAA Security Rule encompasses three sets of standards: administrative, physical, and technical safeguards. Table 2 presents the complete matrix of security standards. In each set of safeguards there are a number of standards, each of which generally consists of a number of implementation specifications that are either required or addressable. If an implementation specification is required, the covered entity, which could be a healthcare provider, a health plan, a healthcare clearinghouse, or a business associate, must implement policies and/or procedures that meet what the implementation specification requires. In the case of an addressable implementation specification, the covered entity must assess and decide whether it is a reasonable and appropriate safeguard to implement in the entity’s environment. (“Health insurance reform: Security standards”). In this study, all required implementation specifications, except “Isolating healthcare clearinghouse function” and “Written contract or other arrangement”, were included in the assessment framework. Therefore, 10 administrative, 4 physical, and 4 technical security measures were included in the questionnaire.

3 AIMS AND OBJECTIVES OF THE STUDY

Referring back to Figure 1, this study chose to take the healthcare providers’ perspective, focusing on the security management issue. As depicted, little is known about the current state of health information security in Vietnam, so it is better to start from the most dynamic part of the picture. The most recent circulars on the adoption of information technology and electronic medical records at healthcare providers imply that remarkable changes are taking place in the hospital environment. Therefore, to kick-start the above-mentioned research agenda in the context of Vietnam, the aim of this thesis is to study the implementation level of security measures for electronic medical records systems at hospitals in Vietnam. The study is expected to answer the two research questions below:

- What is the adoption level of electronic medical systems at the hospitals in Vietnam?

- What is the implementation level of security measures for electronic medical records systems at the hospitals in Vietnam?

4 MATERIALS AND METHODS

4.1 Research approach

This is exploratory research in terms of its purpose, with quantitative data. This type of research is normally conducted when little is known about a phenomenon or an event, as in this case, where the state of information security in the health care sector has not yet been uncovered in the context of Vietnam. Research conducted in the exploratory stage is regarded as preliminary and serves as the basis for future conclusive research efforts. Its purposes could be to provide the researcher with more knowledge about the problem environment, to set priorities for further research, or to design an appropriate information collection procedure for the given situation. Furthermore, it allows researchers to generate formal hypotheses rather than definitive conclusions on the studied phenomenon or event.

An exploratory research question involves investigations that describe the issue, for example in this case, “What is the implementation level of security measures for electronic medical records systems at the hospitals in Vietnam?”. That explains why the term “exploratory descriptive research” is sometimes used even though many authors have tried to differentiate exploratory and descriptive research. (Salazar et al. 2015, 82-83; Salkind 2010, 1254; Stebbins 2001, 2-5). Typical ways to classify research that include exploratory research are listed below:

- Exploratory, descriptive, explanatory, and evaluative research (Salkind 2010, 1254)

- Exploratory and conclusive research (Salazar et al. 2015, 83)

By exploratory, the author would like to emphasize the idea of “exploration” itself, and as such, researchers have the freedom and flexibility to choose the research method. In this study, “exploratory research” is considered a strategic concept which guides and explains the following steps.

This study was observationally designed. Observational means collecting information about the subject of the study in the real world or in a laboratory setting without intervening or manipulating any variables. The opposite of an observational study is an experimental study. (Salkind 2010, 1255). It is argued that an observational study serves the aforementioned purposes of exploratory research well because it studies the subject as it normally is (Salazar et al. 2015, 84). Besides that, conducting an experimental study requires a considerable body of knowledge about the subject, which makes it inappropriate in this case.

The type of data and how to collect it should be considered next. Data could be generated one time, prospectively, or retrospectively, and be primary or secondary. Data collection methods may include questionnaires, observation, written reports, interviews and so on. (Salkind 2010, 1255; Krishnaswamy & Satyaprasad 2010, 86). An exploratory study might use qualitative data through interviews or quantitative data through surveys. Earlier works which used survey data for exploratory research include Copes et al. 2010, Choo et al. 2008, and de Souza Bermejo et al. 2014. Regarding this study, as there is no relevant and useful information published or found online, primary data were collected at one time at selected sites. The data are quantitative and were collected mainly by a structured questionnaire.

One particular feature is that triangulation was used. The term “triangulation” refers to the practice of using multiple sources of data or multiple approaches to analyzing data to increase the credibility of a research study, especially exploration validity in exploratory research (Stebbins 2001, 26). In practice, there are four types of triangulation: data triangulation, multiple sources of data in an investigation; investigator triangulation, multiple researchers in an investigation; theory triangulation, more than one theoretical perspective in conducting the research or in interpreting the data; and methodological triangulation, multiple methods to study a single phenomenon (Salkind 2010, 1537). In this study, data were collected mainly through the questionnaire; where applicable, other data sources, such as internal organization documents which the informants were asked to show, and observations were used as extra ways of collecting data.

4.2 Design of assessment instrument

The instrument is a package of a questionnaire and a grading scale. The questionnaire (Appendix A), which was used to collect data, consists of 39 questions divided into two parts. A mixture of yes/no questions, multiple-choice questions, and short open-ended questions was used. The reason for using mostly closed-ended questions comes from the nature of the studied topic, the implementation of information security management. Indeed, this is a very well-established area, as proven by a large number of guidelines, standards and policies worldwide. Therefore, using closed-ended questions on the requirements recommended in well-known literature allows the author to “scan” a wide range of details within limited time and resources. The 4-question part A aims at studying the EMR systems at the selected hospitals in a general view. Meanwhile, part B is more intensive, with 35 questions focusing on the 18 implementation specifications for information security management mentioned above. For each implementation specification, questions are asked based on the requirement for it stated in the HIPAA Security Rule (Health insurance reform: Security standards 2003); below is an example:

- Implementation requirement:

  - Risk analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity

- Proposed questions to assess “risk analysis”:

  - Are all the potential security risks, including threats and vulnerabilities, to the EMR system identified?

  - Are the probability of occurrence and magnitude of risks thoroughly determined?

The second sub-instrument (Appendix B) is the grading scale for data analysis purposes, focusing on the information security management questions. Based on the collected answers, each implementation specification was graded as “Fully implemented”, “Partially implemented”, or “Not implemented”; this grading was done by the author. The transformed data was then used for further analyses.

4.3 Research environment

Vietnam, officially the Socialist Republic of Vietnam, is located in Southeast Asia. In 2019, the country has a population of 97.4 million citizens with a relatively high density, 314 inhabitants/km2. The country’s population is relatively young: the median age is 30.9 years and around one quarter of the population is under 15. (“Viet Nam population”). Table 3 lists major statistics about the healthcare situation in Vietnam.

TABLE 3. Major health statistics in Vietnam (WHO 2015; WHO 2019)

Indicator | Statistic | Year
Life expectancy at birth (years) | 76 | 2012
Current health expenditure (CHE) as percentage of gross domestic product (GDP) (%) | 5.7% | 2015
Hospital bed density (per 10 000 population) | 26 | 2014
Probability of people dying between ages 30 and 70 from four major noncommunicable diseases (%) | 17% | 2012

With respect to healthcare provision, the Ministry of Health holds the highest responsibility for the state management of health. Under it, there is a heavily hierarchical system covering 63 cities/provinces, the basic administrative geographical unit in Vietnam (Figure 3). Because of the high population density, Vietnam has established a relatively dense hospital network with over 1,100 public hospitals and about 180 private hospitals, which account for the rate of 26 hospital beds per 10 000 population. The system is now facing an imbalance where public hospitals at higher levels are always overcrowded compared to private hospitals or healthcare centers at lower levels. Beds at hospitals at provincial and national level are always over 100% occupied. It is worth noting that Vietnam has made significant progress towards achieving universal coverage. In this situation, without a significant role for General Practitioners (GPs) at primary and secondary healthcare centers, patients tend to visit tertiary hospitals to receive treatment at affordable expense despite the crowds and long queues. (“In Vietnam, private hospitals locked in survival struggle”; Gaskill & Nguyen 2014; Pham 2016; World Bank ?).

FIGURE 3: The organizational structure of the healthcare system in Vietnam (adapted from Pham 2016)

This information shows that the Vietnamese healthcare system is now facing the same constraints as found in other countries in the world. With this complex network and large population, any attempt to reform or innovate the system, for example creating a universal electronic health records system, would be a tough mission which requires intensive movement both top-down and bottom-up.

4.4 Sampling and data collection process

The unit of study was hospitals in Vietnam, and more specifically, the electronic medical record systems at hospitals in Vietnam. Up to the point of starting the research, there was no national report about the adoption of information technology at healthcare providers in Vietnam in general, which makes it difficult to build a valid sampling frame for any probability sampling method. Therefore, purposive sampling was used for this exploratory research. This is a non-probability sampling method which is recommended for exploratory studies and studies contributing new knowledge. After acquiring sufficient information or knowledge about the population through the exploratory study, the author might use an appropriate probability sampling design for further research. (Salkind 2010, 923; Krishnaswamy & Satyaprasad 2010, 81). It is also a cost-effective and time-effective option given the limited time and resources. Finally, five tertiary hospitals satisfying the conditions below were contacted:

- Having an electronic medical record system that serves not just billing and administrative purposes

- Located in the same city

- Providing both in-patient and out-patient services

- The final sample is a mix of general/specialized and public/private hospitals.

Figure 4 illustrates the overall process of gaining access to those hospitals. First, the author contacted the appropriate “gate keepers” at the hospitals to get information about the process and the documents required to gain permission; they could be the “Department of General Planning”, the “Department of General Administration”, or the “Training and Direction of Healthcare Activities Center”. During the consideration process, the author could be required to submit more documents to clarify the purpose and content of the research, or to present the research plan to the hospitals. After gaining permission, the author worked with the IT department to collect data. Steps 2 and 4 required many visits to the hospitals and were very time-consuming. As requested by the hospitals, all the data was treated anonymously.


FIGURE 4: Gaining access to the field sites process

In this study, the IT staff were the informants because they are accountable for the electronic medical records systems at the hospitals. Following the triangulation approach, policies were asked to be shown whenever they were reported to be available, and the physical safeguards securing workstations were observed at each studied hospital.

[Figure 4 steps: 1. First contact and submission of required documents; 2. Further discussion and response to extra requirements; 3. Gaining permission; 4. Working with IT department to collect data]

4.5 Data analysis

Data from the studied hospitals was compiled and checked for missing values. The informants were contacted again if any data was missing. Then it was divided into two groups of data according to the two research questions and prepared as below:

- Group 1 consists of data from part A of the questionnaire. The collected data was summarized in a table to give an overview of the study context and the adoption level of electronic medical records systems at the studied hospitals.

- Group 2 includes the yes/no and multiple-choice answers from part B about information security management for the electronic medical record system. The next step was grading based on these answers and the designed grading scale. Each implementation specification was graded as “Fully implemented”, “Partially implemented”, or “Not implemented”.

After that, the prepared data was analysed using descriptive statistics, a method which describes quantitative data by techniques of data summarization, organization or graphics. This analysis provides profiles of organizations and people together with a multitude of characteristics such as size, types, preferences etc. It allows data to be described on one variable, two variables or more than two variables; these are univariate, bivariate and multivariate analysis respectively, each followed by other specific statistical and graphical analyses and techniques. (Krishnaswamy & Satyaprasad 2010, 161-162). In this study, the level of implementation of security measures at the hospitals is mainly assessed by the percentage of “fully implemented” measures. A closer scrutiny of the sub-categories, namely administrative, physical and technical safeguards, was also done.

Other analyses on the differences between various groups of hospitals were conducted as well.
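As an added illustration of the instrument in 4.2 and the tallying in 4.5 (example code written for this page, not the thesis's own instrument or analysis script), the helper below grades the 18 required implementation specifications kept in the questionnaire and summarizes the grades overall and per safeguard group. The all/some/none grading rule and the sample answers are assumptions; the thesis's Appendix B grading scale is not reproduced here.

```python
"""Grading helper modelled on the thesis's assessment instrument (added example)."""
from collections import Counter

# The 18 required HIPAA Security Rule implementation specifications kept in the
# questionnaire (Table 2 minus "Isolating healthcare clearinghouse function" and
# "Written contract or other arrangement"), grouped by safeguard.
MEASURES = {
    "Administrative": [
        "Risk analysis", "Risk management", "Sanction policy",
        "Information system activity review", "Assigned security responsibility",
        "Response and reporting", "Data backup plan", "Disaster recovery plan",
        "Emergency mode operation plan", "Evaluation",
    ],
    "Physical": ["Workstation use", "Workstation security", "Disposal", "Media re-use"],
    "Technical": [
        "Unique user identification", "Emergency access procedure",
        "Audit controls", "Person or entity authentication",
    ],
}

FULL, PARTIAL, NONE = "Fully implemented", "Partially implemented", "Not implemented"


def grade(answers):
    """Grade one measure from the yes/no answers to its questions.

    Assumed scale (Appendix B of the thesis is not on this page): every question
    answered "yes" -> Fully implemented; some "yes" -> Partially implemented;
    no "yes" -> Not implemented.
    """
    if not answers:
        raise ValueError("a measure needs at least one answer")
    yes = sum(1 for a in answers if a)
    if yes == len(answers):
        return FULL
    if yes == 0:
        return NONE
    return PARTIAL


def grade_hospital(responses):
    """Grade every measure for one hospital.

    responses maps measure name -> list of bool answers. All 18 measures must be
    present and no unknown measure may appear, mirroring the "checked for missing
    values" step of the thesis.
    """
    expected = [m for ms in MEASURES.values() for m in ms]
    missing = sorted(set(expected) - set(responses))
    if missing:
        raise ValueError(f"missing answers for: {missing}")
    unknown = sorted(set(responses) - set(expected))
    if unknown:
        raise ValueError(f"unknown measures: {unknown}")
    return {m: grade(responses[m]) for m in expected}


def summarize(grades):
    """Counts per grade overall and per safeguard group, plus % fully implemented."""
    overall = Counter(grades.values())
    by_group = {g: Counter(grades[m] for m in ms) for g, ms in MEASURES.items()}
    pct_full = round(100 * overall[FULL] / len(grades), 1)
    return {"overall": overall, "by_group": by_group, "pct_fully_implemented": pct_full}


# Constructed answers for a hypothetical hospital (not data from the thesis).
# "Risk analysis" uses the two questions quoted in section 4.2: risks identified
# but probability/magnitude not determined -> Partially implemented.
SAMPLE_RESPONSES = {
    "Risk analysis": [True, False],
    "Risk management": [False],
    "Sanction policy": [False, False],
    "Information system activity review": [True, False],   # logs kept, no periodic review
    "Assigned security responsibility": [True, False],     # official named, duties undocumented
    "Response and reporting": [True, True, False],
    "Data backup plan": [True, True],
    "Disaster recovery plan": [True],
    "Emergency mode operation plan": [True, True],
    "Evaluation": [False],
    "Workstation use": [True, True],
    "Workstation security": [True],
    "Disposal": [True],
    "Media re-use": [True],
    "Unique user identification": [True],
    "Emergency access procedure": [True],
    "Audit controls": [True],
    "Person or entity authentication": [True],
}

if __name__ == "__main__":
    result = summarize(grade_hospital(SAMPLE_RESPONSES))
    for group, counts in result["by_group"].items():
        print(f"{group:15s} {dict(counts)}")
    print("Fully implemented overall:", result["pct_fully_implemented"], "%")
```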

5 RESULTS

5.1 The electronic medical records systems at studied hospitals

In the end, four hospitals participated in the study, giving an equal mixture of hospital types (general : specialized – 2:2; private : public – 2:2). Three out of four run at least 400 beds; only one runs 200 beds.

All the four hospitals are in the transition to a complete electronic medical records system in the future, which means paper-based records systems are still being used in parallel with electronic ones. All the four electronic medical records systems are integrated into their own Hospital Information Systems (HIS) which are either internally designed by the IT staffs in the case of hospital B or externally outsourced to third party for the other three hospitals.

The systems at all four hospitals provide seven out of the eight functions, lacking only the patient support function. Their electronic medical records systems contain patients’ health information and data, allow healthcare staff to manage medical results and orders and to communicate with each other, and include some kind of decision support. They also facilitate the conventional administrative and reporting work.

Digital Imaging and Communications in Medicine (DICOM) is the only interoperability standard applied in those four electronic medical records systems. Health Level 7 (HL7), a core set of international standards used worldwide for the transfer of clinical and administrative data between healthcare providers, was not followed by any hospital. In summary, the four studied hospitals have partially adopted electronic medical records systems and appear to be at the same level of adopting and developing them (Table 4).

TABLE 4. Electronic medical records system at four hospitals

Attributes | Hospital A | Hospital B | Hospital C | Hospital D
About the hospitals | | | |
Hospital type | Private, general | Private, specialized | Public, general | Public, specialized
Number of beds | 400 | 200 | 500 | 400
About the EMR systems | | | |
Current level of adoption of EMR | Partial | Partial | Partial | Partial
EMR's functions (identical at all four hospitals) | Health information and data; Result management; Order management; Decision support; Electronic communications and connectivity; Administrative processes; Reporting | (same) | (same) | (same)
Software | HIS, designed by third party for the hospital | HIS, designed by staff | HIS, bought from third party | HIS, bought from third party
Interoperability standard | DICOM | DICOM | DICOM | DICOM

HIS: Hospital Information System; DICOM: Digital Imaging and Communications in Medicine


5.2 The implementation of information security management for the electronic medical records systems

Overall, fully implemented implementation specifications outnumber the other categories in all four hospitals (Figure 5). Except for hospital A, which has 13 fully implemented implementation specifications, the other three hospitals share the same number, nine each. Hospital A also has the lowest number of not implemented measures, followed by hospitals C, B and D with 3, 5 and 5 not implemented measures respectively. Most of the fully implemented implementation specifications fall into the physical and technical safeguards, whereas the partially and not implemented ones mostly belong to the administrative safeguards (Table 5).

FIGURE 5: The implementation level of security measures at four hospitals

The four hospitals also share the same grading results for the physical and technical safeguards, differing only in the administrative safeguards (Table 5). The details are reported by the three groups of standards, administrative, physical, and technical safeguards, in the following paragraphs.

[Figure 5 data, number of implementation specifications (fully / partially / not implemented): Hospital A 13 / 4 / 1; Hospital B 9 / 4 / 5; Hospital C 9 / 6 / 3; Hospital D 9 / 4 / 5]

Administrative safeguards

With regard to risk analysis, the process of identifying all the potential security risks, including threats and vulnerabilities, to the electronic medical records system and of thoroughly determining their probability of occurrence and magnitude was done only at hospital A, for the first time, during January 2019. This makes hospital A the only institution where all factors were taken into account when considering new security measures, so that risk management is fully implemented there; the other three hospitals lack the factor of probability and criticality of potential risks to the electronic medical records system, which must be drawn from the risk analysis results. In terms of sanction policy, only hospital A reported having sanction policies and procedures against non-compliant behavior by staff; however, no hospital requires employees to sign a statement of adherence to security policy and procedures as a prerequisite to employment.

TABLE 5. Information security management at four hospitals by group of standards (columns: Hospital A, Hospital B, Hospital C, Hospital D; cell values: Fully implemented / Partially implemented / Not implemented)

Administrative safeguards: Risk analysis; Risk management; Sanction policy; Information system activity review; Assigned security responsibility; Response and reporting; Data backup plan; Disaster recovery plan; Emergency mode operation plan; Evaluation

Physical safeguards: Workstation use; Workstation security; Disposal; Media re-use

Technical safeguards: Unique user identification; Emergency access procedure; Audit controls; Person or entity authentication

Audit logs are available in all four hospitals; in addition, hospital B produces access reports and hospital A has security incident tracking reports. No hospital other than hospital A conducts a periodic review of these reports; the other three only look at the reports when incidents happen. Therefore, “Information system activity review” is fully implemented at hospital A and partially implemented at the rest of the group. Except for hospital B, there is a security official responsible for the development and implementation of the security policies and procedures for the electronic medical records system at the other three hospitals. However, the responsibilities of this security position are not clearly identified, agreed and documented by the hospitals. With respect to the “Response and reporting” implementation specification, three out of four hospitals reported having policies to address security incidents for their electronic medical records system. The policies include a list of possible types of security incidents and a general process for responding to the incidents and reporting to the IT department. A process for documenting and evaluating security incidents as part of ongoing risk management is not yet included.

Electronic medical records data is backed up once a day at three hospitals and four times a day at the remaining one, hospital C. Only hospital A stores its backup data at a center outside the hospital; the other three store their backup data in the same place as the main data.

Procedures to restore any loss of electronic medical records data are available at all four hospitals. In terms of the emergency mode operation plan, again, all of them have prepared plans that allow the organization to continue its operations and business processes during emergencies. According to these plans, it is claimed that data would be protected, but its availability is not well assured. Finally, only hospital A reported performing a periodic technical and nontechnical evaluation of the electronic medical records data security, done either by staff or by a third party.

Physical safeguards

All four hospitals have policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EMR data. Remote workstations are available at hospital A alone, and they are also addressed in hospital A’s policies. With respect to workstation security, physical safeguards were implemented for all workstations that access electronic medical records data to restrict access
