Medical Record Privacy: Is it a Facade?


  • 8/7/2019 Medical Record Privacy: Is it a Facade?


Abstract

Part of the job of healthcare providers is to manage patient information. Most is routine, but some is sensitive. For these reasons physicians' offices provide a rich environment for understanding complex, sensitive information management issues as they pertain to privacy and security. In this paper we present findings from interviews and observations of 15 offices in rural-serving southwest Virginia. Our work demonstrates how the current socio-technical system fails to meet the security needs of the patient. In particular, we found that the tensions between work practice and security, and between electronic and paper records, resulted in insecure management of files.

Keywords

Healthcare, security, usable security, privacy, work practice

ACM Classification Keywords

H.5.3 [Information Systems] Group and Organization Interfaces

General Terms

Human factors, security

Aubrey Baker, Virginia Tech, 250 Durham Hall, Blacksburg, VA 24060 USA, [email protected]
Laurian Vega, Virginia Tech, 2202 Kraft Drive, Blacksburg, VA 24060 USA, [email protected]
Tom DeHart, Virginia Tech, 2202 Kraft Drive, Blacksburg, VA 24060 USA, [email protected]
Steve Harrison, Virginia Tech, 2202 Kraft Drive, Blacksburg, VA 24060 USA, [email protected]

Copyright is held by the author/owner(s). CHI 2011, May 7-12, 2011, Vancouver, BC, Canada. ACM 978-1-4503-0268-5/11/05.

Introduction

Traditionally, electronic and physical security have been concerned with creating rules, locks, and passwords.


However, security systems that neglect people as a significant part of the equation are seldom secure in practice [3]. Practice is what happens in the moment; it is the activity; it is what is actually done. It is often in the human-centered moment, and not in the computer-centered planning stages, when security policies or mechanisms break down and the safety of sensitive information is compromised. For this reason we propose that there exists a need to study socio-technical systems to understand and evaluate what role both humans and technology play in creating usable security [1]. Specifically, we propose focusing on physicians' offices, where there is a plethora of sensitive patient information that exists in various stages and forms of documentation. Physicians' offices are valuable loci of study given the collaborative nature of the work, the increasing adoption of electronic medical records [6], and the implicit assumption of security by the patient.

Prior work has documented that when systems are provided to users that do not account for how they work, the system is circumvented and used inappropriately [2-4]. Within secure places, this can mean writing down passwords, or, as was observed in this study, shouting them. This is because the management of patient information is both socially constructed and mediated while also being entered and navigated in medical record systems. To further discuss these issues in this paper we present data from interviews and observations of 15 physicians' offices in Southwest rural-serving Virginia to continue the discussion of usable security within a particular location and with a focus on practice. By focusing on practice within physicians' offices our work represents an important contribution of where security in action is and is not located.

Related Work

The work of usable security in healthcare is an amalgamation of prior work on healthcare, security, and HCI [1]. Patients serve as users, owners of sensitive information, and as part of the healthcare system. In regards to security, prior work has demonstrated that balance is essential between policies and software solutions that are constructed accounting for: social and organizational context, temporal factors from actions in that context, possible threats from information usage, and trade-offs made by the user [1]. Some considerations would be the location of computers and paper files within the physician's office and users being inconvenienced by extra steps, such as using a password every time they return to a computer or putting files back on the shelving unit in between frequent accesses. These factors demonstrated that not all solutions are technical: the social context must be accounted for in order to fully represent the needs of the users, as argued more generally in the work of Palen & Dourish [4]. Despite the need for such context, there has been little work done in real social practices in regards to privacy and security. Thus, our work is a valuable contribution to the growing need for observations in social environments.

In prior work within the medical context, Adams & Blandford [1] discussed with members of two hospitals the use of passwords to protect access to sensitive data when computers were unattended. They found that many users were simply ignoring the password protection system -- so many that it became difficult to enforce the security mechanisms in place. Similarly, Adams & Sasse discussed that system security often lacks user-centered design and user training [2]; however, users are a critical component in a successful secure system. Additionally, the adoption of policies such as the Health Insurance Portability and Accountability Act (HIPAA) is stipulating how users should be managing patient information, with little consideration for local policies. However, considering security beyond password use has received little attention. For this reason we present findings below that include an analysis of security mechanisms that extend beyond password usage (or the lack thereof).

Within prior work there have been few examples of qualitative analysis in regards to security and privacy in healthcare (with valuable exceptions [1]). Qualitative methods, such as interviews and observations, allow researchers to gain a deeper understanding of lived experiences by exposing taken-for-granted assumptions through witnessing how participants live in their environment [5]. In particular, what work is being done has focused on technologically adept locations, with little research regarding those who opt not to use technology [7]. For these reasons we present qualitative data from rural-serving physicians' offices in regards to their security practices.

Methods

Fifteen interviews were conducted with directors of physicians' offices, and 61.25 hours of observation were carried out at 5 locations. The participants had, on average, 20.16 years of experience as a director. The average staff size was 10 people, with approximately 128 patients seen weekly. All offices provided non-life-critical care. Given the dearth of diversity of physicians' offices, more identifying information cannot be provided as to the type of centers that were observed, due to participant anonymity. All participants were unpaid.

The interview protocol was developed and vetted by two researchers external to the project. Participants were asked demographic questions, questions in regards to their daily information management practices, and questions in regards to their electronic systems. Pictures and forms were collected from offices during interviews. Prior to starting each of the observations each student re-read all prior interviews and reports. The observer was centrally located in the physician's office and able to watch over the shoulder of the healthcare staff. Observations were spanned to watch during all times of the day and across days of the week, where patient load and temporal work rhythms can vary.

We used a phenomenological approach to data analysis to derive the essence of security and privacy within collaborative management of patient information. Phenomenology is a qualitative method used frequently in healthcare research; see [5] for more information about the details of phenomenology. For our study, data was analyzed by creating a set of themes, clustering the data into sets of meanings, establishing agreement between the researchers, and then examining the resulting body of data related to the essence of security and privacy.

Results

We present these results not to point at any one place where security and privacy were not accounted for. Instead, we present these results to provide interlaced examples to construct a broader understanding of security and privacy.

Password Sharing

There were two instances where a participant with special access would log in for another office member with lower-level access or no access at all to utilize the system. In one case, it was observed that the employee who worked primarily with Medicare needed to log into the hospital's electronic database to collect information. However, she had not attended the required course and received her own individual access. To get this information she asked one office staff member who did have this access to log her in. What is important and relevant is that this same office did not use any passwords for their own electronic medical record system.

General Lack of Passwords

Even more prevalent was the complete lack of password use. There was only one observed use of passwords to enter an individual center's electronic system. During interviews we additionally learned that of the physicians' offices that did have electronic systems, only 6 even used passwords. For instance, the observer writes while watching the director: "brings a paper over and punches it on the counter next to me. She leaves her office with it, leaving her computer unlocked." This example is canonical of how office staff would (a) leave their computers open when they would leave their workstation, and (b) the general lack of concern about leaving a computer insecure. There were three additional instances represented in interviews about a similar lack of password use.

When asked why the staff did not use passwords, one director responded that the staff at her office use each other's machines because everyone "has the same access" and "there is really no privacy act between employees." Because everyone has the same permission, there is not a need to have an explicit rule specifying that they can or cannot use each other's computer. This fact is inherent in the work that they do and the information that they are all allowed to see/access/modify.

Difficulty Locating Patient File

There were fourteen occurrences of medical staff having difficulty locating patient files. These breakdowns occurred because of the participants' inability to use the system, either electronic or paper. These breakdowns resulted in additional patient files being created, files not being in the correct location, and lost patient information. The remaining instances were derived from observations of three physicians' offices. Example causes for these problems are unusual spellings of names, transposed names, and office staff misspelling and/or misfiling. These problems are interrelated because the patient's name was the primary and only key for locating a patient's file at these offices. When a patient's file could not be located based on the primary key, it was difficult if not impossible to find the file again.

Electronic Systems Crashing & Losing Information

Out of the nineteen physicians' offices that we visited, eighteen of them had some form of electronic records used to manage their patients' care. There were five instances where the office's electronic system crashed and lost pertinent information. One director explained how her office had been making automated electronic back-ups when they experienced a fatal crash. This crash led to the discovery that the back-ups had not been properly collected for three weeks. As a result the director worked a lot of weekends in order to re-enter all of the lost information back into the electronic system from their paper records, which they had still been maintaining. Similar experiences occurred at the other practices. All offices still had their paper-based files.

Figure 1. One participant's patient files, open for anyone to access.

Patient Information Left in the Open

There were two incidents where private patient information was mistakenly left out of a patient's file, which resulted in the information being exposed. During an observation the observer noticed a patient x-ray that was left on the counter, detached from a patient's file. A nurse came over, randomly picked up the x-ray, looked at it, and then put it back on the desk. All offices had patient records freely available for anyone to access, as shown in Figure 1. No filing cabinets were observed to be locked at night.

Discussion & Conclusion

These findings present obvious security risks to confidential patient information within physicians' offices, whether those risks are the loss of crucial information or the exposure of sensitive material. In order to progress toward a more usable system, it is essential to identify why these phenomena are occurring, to assist in presenting a usable solution for these security risks. However, it is critical to recognize the social nature of how patient information is currently being managed. Staff share passwords or do not use passwords because of the social nature of their work. Passwords ascribe to a one user, one machine, one account system. Yet the work that people do is open, social and shared across both the electronic and paper-based systems. Researchers may surmise that these findings are not surprising. However truthful that may be, the question remains: why are designs not accounting for them? Our work represents a first take at trying to understand and account for these phenomena and point at future design considerations. For this reason we present the following issues in relation to designing a system for managing patient information that is not only usable but also social.

Passwords are Not Social

The breakdown in password utilization and personal password security reflects that the need for this feature is not represented in the work carried out in systems that have password functionality. Because users do not see the need for passwords, individual passwords are not used. Similarly, office staff often leave information out of files or do not return files to shelves immediately. This means that systems should account for quick access to information not based on restrictions, but upon making knowledge of who is accessing the system visible to all. Additionally, breaking away from the one person, one computer, one account model of supporting access to information would better support social work.

Systematic Flaws

Electronic record systems crashing, data backups failing, difficulty of locating patient files, and leaving files in the open can all be attributed to flaws within the socio-technical system. The unreliability of electronic systems requires practices to maintain their paper files as a reliable backup source, resulting in twice the amount of files to maintain and twice the amount of data to secure. Leaving information out of files, or files off the shelf, even temporarily in between uses, is in direct conflict with keeping the information secure, in the sense that it is not locked away and protected from prying eyes. Redundant information represents a system flaw in regards to security, but was created to support the social system. Designers should consider the affordances of paper files that are difficult for electronic systems, such as having a physical location, recognizable handwriting, and spotting inconsistencies in the system (e.g., missing information within a file).

Is Patient Privacy a Fallacy?

Further improvements can be made to enhance the reliability and security of electronic systems. Updates can be tracked, as can regular backups that alert the system administrator when they fail to run successfully. Additionally, machine learning algorithms can process individual user access to patient files in order to identify unusual behavior. For example, if a nurse is updating the file of patient X, she will access and update X's file multiple times. However, if a nurse were to look at the file of patient Y, her neighbor, she would only have a need to look at the file once. This unusual pattern could then be reported for investigation.
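As an added illustration (not the authors' code or data), the two monitoring measures this paragraph proposes, written in Python over constructed log lines: a backup check that treats the absence of a run as loudly as a failed one, which is how three weeks of missing back-ups go unnoticed, and the single-read access heuristic for the nurse/patient X/patient Y scenario. The log formats, user names and patient names are assumptions.

```python
import datetime as dt
from collections import Counter, defaultdict

# Constructed backup log, one line per nightly run that actually fired. A run
# that never started leaves no line at all: the silent failure the paper saw.
BACKUP_LOG = """\
2011-03-01 02:00 backup OK size=812MB
2011-03-02 02:00 backup OK size=815MB
2011-03-03 02:00 backup FAIL disk full
2011-03-04 02:00 backup OK size=0MB
"""

def backup_alerts(log, checked_at, max_age_days=2):
    """Alerts for failed runs, empty archives and, above all, a last good
    backup older than max_age_days, which also catches runs that never fired."""
    alerts, last_ok = [], None
    for line in log.splitlines():
        date, time, _, status, *rest = line.split()
        if status != "OK":
            alerts.append(f"{date}: run failed ({' '.join(rest)})")
        elif rest == ["size=0MB"]:  # "successful" run that wrote nothing
            alerts.append(f"{date}: run reported OK but wrote nothing")
        else:
            last_ok = dt.datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
    if last_ok is None:
        alerts.append("no usable backup at all")
    else:
        age = (dt.datetime.strptime(checked_at, "%Y-%m-%d %H:%M") - last_ok).days
        if age > max_age_days:
            alerts.append(f"last usable backup is {age} days old")
    return alerts

# Constructed access log: user, patient, date, time (hypothetical names).
ACCESS_LOG = """\
nurse_a patient_X 2011-03-04 09:02
nurse_a patient_X 2011-03-04 09:10
nurse_a patient_X 2011-03-04 09:41
nurse_a patient_Y 2011-03-04 09:45
nurse_b patient_Z 2011-03-04 10:00
nurse_b patient_Z 2011-03-04 10:30
"""

def unusual_accesses(log):
    """Flag (user, patient) pairs read exactly once by a user whose other
    patients were each touched repeatedly: X updated several times, Y once."""
    counts = Counter()
    for line in log.splitlines():
        user, patient, *_ = line.split()
        counts[(user, patient)] += 1
    per_user = defaultdict(dict)
    for (user, patient), n in counts.items():
        per_user[user][patient] = n
    flagged = []
    for user, patients in per_user.items():
        singles = sorted(p for p, n in patients.items() if n == 1)
        if singles and any(n > 1 for n in patients.values()):
            flagged.extend((user, p) for p in singles)
    return flagged  # leads for investigation, not proof of misuse
```

A one-off read can be legitimate (a covering nurse, a phone query), so the flagged pairs are a queue for review by the office, as the paragraph suggests, rather than an automatic lock-out.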

However, solutions like these can be accused of throwing more technology at the problem without accounting for the work that people do. A tenet of the usable security literature states that people will find a way to circumvent a security measure when it comes into conflict with another task. We therefore have presented the previous security issues that demonstrate security flaws in the everyday work of a physician's office staff. These are not flaws of malice, but flaws of negligence, where the work of making patient information secure and private is not clearly embodied in the practice of managing patient information. Our future work is to respond to these issues by prototyping solutions that do represent the social needs of information management. Additional work should be done to identify the costs and benefits of open access systems, especially in life-critical situations.

Acknowledgements

We thank Laura Agnich for helping collect and analyze the data and the VT Usable Security Group for their feedback. This work was funded, in part, by NSF Grant #0851774.

References

[1] Adams & Blandford (2005). Bridging the gap between organizational and user perspectives of security in the clinical domain, IJHCS, 63(1-2).
[2] Adams & Sasse (1999). Users are not the enemy. Communications of the ACM, ACM.
[3] Bellotti & Sellen (1993). Design for Privacy in Ubiquitous Computing Environments, Conference on CSCW, Kluwer Academic Publishers.
[4] Palen & Dourish (2003). Unpacking "privacy" for a networked world, Conference on Human Factors in Comp Sys, ACM.
[5] Starks & Trinidad (2007). Choose your method: A comparison of phenomenology, discourse analysis, and grounded theory, Qual Health Res, 17(10).
[6] Berner, Detmer & Simborg (2005). Will the Wave Finally Break? A Brief View of the Adoption of Electronic Medical Records in the United States, JAMIA, 12(1).
[7] Satchell & Dourish (2009). Beyond the user: Use and non-use in HCI, OZCHI, ACM.