• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Impacts of the East Japan Earthquake and Tsunami towards Governance, Risk and Compliance in Healthcare IT

Impacts of the East Japan Earthquake and Tsunami towards Governance, Risk and Compliance in Healthcare IT



Synthesis Journal 2011, published by the IT Standards Committee (ITSC), Inforcomm Development Authority of Singapore (IDA)

Synthesis Journal 2011, published by the IT Standards Committee (ITSC), Inforcomm Development Authority of Singapore (IDA)



Total Views
Views on SlideShare
Embed Views



1 Embed 1

http://www.slashdocs.com 1


Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Impacts of the East Japan Earthquake and Tsunami towards Governance, Risk and Compliance in Healthcare IT Impacts of the East Japan Earthquake and Tsunami towards Governance, Risk and Compliance in Healthcare IT Document Transcript

    • Section Four 65Impacts of the East Japan Earthquake and Tsunamitowards Governance, Risk and Compliance inHealthcare ITHealthcare institutions are critical in time of large scale natural or man-made disastersand therefore they must include disaster recovery planning within communities. The EastJapan Earthquake and Tsunami on 11 March 2011 crippled the communication and critical information systemsof most hospitals and clinics in Tohoku. Fortunately some empowered healthcare consumers managed to switchto using public cloud services, including Social Media and Mobile, as alternate means for ad hoc information andservices. In order to establish stakeholder-based healthcare emergency preparedness and response coalition, it isessential to develop a common rule to harmonise on-premise-based healthcare IT and cloud-based consumer ITfrom the viewpoints of governance, risk and compliance (GRC) value chains. Dr Eiji Sasahara Board Member, Cloud Security Alliance Japan Chapter vyt04351@nifty.com1 INTRODUCTION Healthcare institutions are recognised as critical infrastructure for disaster recovery planning within communities worldwide. In order to improve IT-related Governance, Risk and Compliance (GRC) for healthcare providers in Japan, in February 2010, the Ministry of Health, Labour and Welfare (MHLW) issued the “Security Guidelines for Health Information Systems (Version 4.1)” incorporating high-level security management, even in disaster emergency response. However, the East Japan Earthquake and Tsunami on 11 March 2011 caused severe damage to region- wide telecommunication networks and critical information systems of the healthcare providers in Tohoku, which proved surprisingly vulnerable. With limited knowledge and resources, many empowered healthcare consumers managed to switch quickly to using public cloud services, including social media and mobile telecommunications, as emergency communications tools for contacts and online services.
    • 66 Section Four In order to clarify the various impacts of the earthquake and the ensuing tsunami towards the supply side (e.g. Healthcare providers) and demand side (e.g. Healthcare consumers) of the healthcare value chains, face- to-face and online interviews with key persons dedicated to the relief and revitalisation activities for Tohoku have been conducted, and information from secondary resources, including central and local governments, industry associations and non-profit organisations have been gathered. In this paper, we would like to present real cases of healthcare providers and healthcare consumers, and discuss the impact of widespread disaster towards total healthcare value chain from the perspectives of IT-related GRC.2 IMPACT OF EARTHQUAKE AND TSUNAMI TOWARDS HEALTHCARE PROVIDERS: CASES OF ISHINOMAKI Ishinomaki is a coastal city near the peninsula in the northeastern part of Miyagi Prefecture. Table 1 shows the population trends of Ishinomaki City by age group in 2005-2010. While the younger age (0-14 years) and working-age (15-64 years) populations had decreased, the elderly age population (65 years or older) had increased year by year. After the earthquake, the total population decreased to 154,306 (as of July 2011). The shrinking and ageing population caused concern as there was negative impact on the proposed revitalisation plans, including healthcare delivery networks at Ishinomaki. Year Total population Age 0-14 Age 15-64 Age 65- Ratio of Age 65- 2005 170,630 23,131 106,904 40,595 23.8% 2006 169,147 22,564 105,217 41,366 24.5% 2007 167,474 22,002 103,203 42,269 25.2% 2008 165,894 21,538 101,401 42,955 25.9% 2009 164,433 21,025 99,756 43,652 26.5% 2010 163,216 20,459 98,902 43,855 26.9%Table 1: Population of Ishinomaki City by Age Group: 2005-2010 The tsunami inundated 46% of the city, having smashed and swept away large sections of coastal and central downtown areas, and destroyed or disabled operations of many hospitals, clinics, nursing homes and community health centres. In the region, there have been two major healthcare institutions: Ishinomaki Red Cross Hospital and Ishinomaki Municipal Hospital.2.1 Case of Ishinomaki Red Cross Hospital in Highland Area The 402-bed Ishinomaki Red Cross Hospital has been located in the newly developed highland area of Ishinomaki since 2006. The distance between the Red Cross Hospital and the sea is about 6 kilometres. On 11 March 2011, the hospital did not receive severe impacts from the tsunami directly. However, power outages hit wide areas around Tohoku region, and the hospital had to continue operations with emergency electricity generators. While local area networks (LANs) were available, external telecommunication networks were not available due to electricity blackout and off-duty staff. Outpatients and patients’ families could not communicate with
    • Section Four 67 the hospital online. The Red Cross Hospital informed the local governments of its status via wireless disaster prevention communication network. Regarding external communications with patients and families online, the Red Cross Hospital posted information on their website (www.ishinomaki.jrc.or.jp/), even in emergencies. However, the hospital does not have any official account in the social media. Before the disaster, the Red Cross Hospital had voluntarily developed “Ishinomaki Regional Network Council of Disaster Medicine Professionals” jointly with other healthcare institutions, regional medical associations, disaster prevention authorities and local governments. These activities, including Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP), enabled the Red Cross Hospital to play a key role as a regional healthcare emergency response centre in the Ishinomaki area. Before the disaster, the hospital usually treated about 60 patients a day, 1,800 patients a month. But post-disaster, this had increased to 99 accepted emergency patients on March 11, 779 on March 12, and 1,251 on March 13. Even under an ad hoc system and hostile user environment with limited electricity and other resources, it was essential for the IT Department to maintain operations of its healthcare information systems. Regarding healthcare IT, no severe problems were reported at the Red Cross Hospital after the disaster.2.2 Case of Ishinomaki Municipal Hospital in Coast Area On the other hand, the 206-bed Ishinomaki Municipal Hospital has been located in central downtown area near the sea since 1996. The distance between the Municipal Hospital and the sea is about 0.3 kilometres. The hospital was severely damaged by the tsunami, with water reaching a maximum height of 5 metres. Figure 1 shows the landscape of the hospital building after the tsunami. Other buildings and houses in the central downtown area were swept away by the tsunami. Figure 1: Ishinomaki Municipal Hospital after the East Japan earthquake and tsunami After the disaster, about 500 people were isolated on the 4th floor of the hospital building. The tsunami destroyed the server room on the 1st floor where the hospital’s information systems were and the emergency electricity generators in the basement. Both intra-hospital and external communications networks were not available due to electricity blackout, and the hospital could not inform the emergency authorities about the status of its facilities, staff or patients. On March 13, the hospital staff had to walk about 3 kilometres through water in order to reach the City of Ishinomaki Office. On March 14, the Miyagi Disaster Medical
    • 68 Section Four Assistance Team (DMAT) dispatched rescue staff from the Ishinomaki Red Cross Hospital to rescue about 170 patients from the Municipal Hospital. Regarding external communications with patients and families online, the website of the Municipal Hospital (http://i-aru.jp/) was shut down as well, due to damage by the tsunami, and the hospital does not have any official account in social media. Old paper-based medical records in the warehouse were swept out by the tsunami, and it was impossible to recover the lost documents. However, in February 2011, the Ishinomaki Municipal Hospital started to share the electronic medical records (EMR) with Yamagata City Hospital SAISEIKAN in Yamagata Prefecture (next to Miyagi Prefecture) for backup purposes. EMR data recovery works were conducted in Yamagata, and on April 7, the tsunami-hit Ishinomaki Municipal Hospital was able to open temporary clinic facilities at the former City of Ishinomaki building in a safe area and to resume daily operations for outpatients. When the City of Ishinomaki started to discuss its revitalisation plan, and the plan to redevelop the Municipal Hospital to revive the central downtown area, they were faced with the ongoing problem of a shrinking and aging population.3 IMPACTS OF EARTHQUAKE AND TSUNAMI TO HEALTHCARE CONSUMERS Since Mississippi and New Orleans in the U.S. were hit by hurricane Katrina in 2005, social media has played the role as the go-to medium in times of crisis for victims, news and relief aid. It proved to be an essential tool during natural disasters in Iceland, Haiti and New Zealand. In Japan, the Ministry of Health, Labour and Welfare (MHLW) started the official YouTube channel (www. youtube.com/MHLWchannel) in February 2009 and responded to concerns over the spread of the H1N1 swine flu virus after April 2009, and also initiated an official Twitter account (http://twitter.com/MHLWitter) for immediate information sharing in September 2010. The goal of the MHLW has been to efficiently communicate critical information to the public, and create new channels of communication by leveraging on social media technologies. Some of the local governments in Tohoku have also officially adopted social media. For example, the Public Relations Department at Iwate Prefecture Government started to use Twitter (http://twitter.com/pref_iwate) as an external communication tool in April 2010, and set up an official page in Facebook (www.facebook. com/pref.iwate) in February 2011. In Miyagi Prefecture, the Risk Management Department at the City of Kesennuma started delivering information on disaster prevention, including public health issues, to local communities via Twitter (http://twitter.com/bosai_kesennuma) in July 2010. However, most of healthcare providers hesitated to implement social media technologies for public use, worrying about the IT management challenges, such as the development of social media policies and cloud security management.
    • Section Four 693.1 Case of Miyako Disaster FM Radio Station in Iwate In the immediate aftermath of the 9.0-magnitude earthquake and tsunami in Japan, the telephone and cellular networks were not available either because they were down or overwhelmed with traffic. While Tokyo’s fixed and mobile telecommunication services were subsequently restored, it was only with limited capacity, and unfortunately much of the Tohoku region continued to be cut off from the telephone, mobile and the Internet communication in the early stage of the disaster emergency response phases. In the Tokyo metropolitan area, consumers turned to the Internet to track down friends and family and connect with those who directly experienced the disaster. Commuters wanted to know if the trains were running, and whether their neighbourhoods were affected by electricity blackouts due to the damage to the nuclear and traditional electric power plants. Millions of consumers flocked to sites like the Twitter following the news on the earthquake and tsunami, and video streaming/sharing platform providers such as YouTube, USTREAM and Nico. Nico Douga saw a steep viewership climb. In the coastal areas of Tohoku, the tsunami knocked out roads, railways and electricity cables. The main methods of public communications then were paper-based documents posted on the walls of evacuation shelters, or the use of outdoor loudspeakers or sirens for emergency alerts, or to send local information via community radio stations. For example, in Iwate Prefecture, a group of residents obtained permission from the City of Miyako to create a small, emergency radio station called Miyako Disaster FM during the week of the disaster. As Internet service was partially restored in the coastal city, the Miyako Disaster FM used services like Twitter (http://twitter.com/ mcbs_staff), Facebook (www.facebook.com/miyakofm) and Ustream (www.ustream.tv/channel/miyakofm774) to spread the word about the broadcasts. Public health centres, community hospitals, clinics, pharmacies and health-related non-profit organisations had to depend heavily on the radio stations to provide updated information to a wide range of residents. Figure 2 shows the top pages of the Miyako Disaster FM on USTREAM and Facebook. Those services are also available through smart phones. USTREAM Facebok (www.ustream.tv/channel/miyakofm774) (www.facebook.com/miyakofm) Figure 2. Social media mix of Miyako Disaster FM in Iwate Prefecture
    • 70 Section Four On April 5, the Cabinet Secretariat, the Ministry of Internal Affairs and Communications (MIC) and the Ministry of Economy, Trade and Industry (METI) jointly issued the “Guidance of Information Disclosure Using Privately-held Social Media for Central and Local Governments” to standardise the social media policies among the government sectors. During the recovery phases of telecommunication networks after the disaster, the number of public bodies implementing social media increased significantly nationwide. However, among the healthcare providers, the adoption of social media is not widespread.3.2 Case of Digitised Parents Facing with Radiation Risks of Children in East Japan Social media technologies have heightened the Japanese consumer’s awareness and led to more participation in active decision making about their own health and the health of their families. Among the healthcare consumers, the early adopters of social media were cancer patient support organisations. An example is Cancernet Japan (www.cancernet.jp/), a non-profit organisation which focuses on cancer medicine, and has developed an integrated social media communications utilising Blog (http://ameblo.jp/cancernetjapan/), Twitter (http://twitter.com/CancerNetJapan) and USTREAM (www.ustream.tv/channel/cancernetjapan). After the earthquake, tsunami and the ensuing nuclear accidents in Fukushima, and parents and children facing the risks of radiation exposure, a new movement of digitised healthcare consumers emerged. The American Academy of Pediatrics’ general policy statement on radiation disasters and children states that kids do have a greater risk of harm after radiation exposure compared with adults. However, the Japanese government updated the guidelines allowing schoolchildren to be exposed to radiation doses that are more than 20 times the previously permissible levels. So parents in Fukushima and other areas in East Japan bought personal dosimeters and shared information about radiation levels utilising high-speed Internet, mobile phones and social media, such as Mixi, Twitter, USTREAM and YouTube. Slow action by the central and local governments has made parents worried. On May 23, a group of mobile- generation parents from Fukushima rallied outside the Ministry of Education, Culture, Sports, Science and Technology (MEXT) in Tokyo, protesting the government’s updated guidelines and bearing signs reading “Save our Children”. In response to the parents’ concerns, on May 27, the Education Minister said that the government would seek to reduce the radiation levels in the guidelines and the Ministry showed readiness to distribute dosimeters to teachers at schools in Fukushima Prefecture. The same kind of activities has expanded to areas outside Fukushima. For example, active mothers in Kashiwa City, the suburbs of Tokyo metropolitan area, circulated an online petition and garnered 10,000 signatures, requesting the local government to take more action to save the children from risks of radiation exposure. Those mothers connect with each other via social media on PCs and mobile phones. With regard to the public use of social media, the Education Ministry opened official Twitter accounts (http:// twitter.com/mextjapan) on 24 February 2011. However, the officials were not prepared to conduct real-time dialogue with citizens online, and communication was limited to monologue even after the disaster. In addition, the Fukushima Prefectural Board of Education, the local organisation responsible for student safety
    • Section Four 71 and health at public schools, and the Fukushima Medical University Hospital, the key institution related to health care for the radiation-exposed patients in the region, still do not have any official account in social media, and have difficulties letting parents know what they will or will not able to do with it online. While few healthcare institutions use social media to conduct dialogues with patients and families online, academic societies in the medical sciences are gradually accepting social media technologies. For example, the Japanese Society of Medical Oncology (http://jsmo.umin.jp/) has invited cancer patient organisations to their annual face-to-face meetings and online dialogue sessions utilising Twitter, Facebook, and USTREAM. While the Medical Oncology Society can listen more closely to the healthcare consumers as stakeholders, participating patients and families can access reliable evidence-based health information on radiation exposure and the risks of cancer and blood diseases.4 DISCUSSION First of all, healthcare is one of the strictly regulated industries with high-level requirements for Governance, Risk and Compliance (GRC). Licensed healthcare professionals (e.g. physician, pharmacist and nurse) have strict duty of confidentiality regarding patients’ information. The Japanese law also requires healthcare providers to comply with the Medical Care Act, the Health Insurance Act, the Personal Information Protection Act and other related regulations. As a result, the Japanese healthcare institutions tend to keep patient- centric data and information on non-standardised or customised information systems in-house, and usually hesitate to adopt a shared or public cloud services provided by external service providers. However, the East Japan Earthquake and Tsunami dramatically changed this traditional mindset about internal-focused healthcare IT. The cases of the Ishinomaki Red Cross Hospital and the Ishinomaki Municipal Hospital demonstrated the limitations of on-premise healthcare information systems in Business Continuity Planning (BCP) and Disaster Recovery (DR). This highlighted the role of external-focused development of human and information networks in disaster-preventive healthcare IT as an essential part of the social infrastructure. Following the disaster, more healthcare institutions are now considering cloud computing as an alternative. With regards to security requirements for healthcare providers, the MHLW issued a “Security Guidelines for Health Information Systems (Version 4.1)” on February 2010. The guidance document presented two expected fields in Disaster Emergency Response: fields in unsteady system and user environment; and a field in system error or shutdown. The Ishinomaki Red Cross Hospital case is linked with IT operations under unstable system and hostile user environment with highly changeable demands, and the Ishinomaki Municipal Hospital case was linked to emergency response during the period when the system was shut down. The MHLW’s guidance is based on traditional (on-premise) physical security, BCP and DR. The “Security Guidance for Critical Areas of Focus in Cloud Computing Version 2.1”, issued by the Cloud Security Alliance, points out the challenge of cloud computing adoption “to collaborate on risk identification, recognise interdependencies, integrate, and leverage resources in a dynamic and forceful way”. So the next step is to develop common security rules to harmonise on-premise-based IT and cloud-based IT for GRC optimisation in regional healthcare value chain.
    • 72 Section Four Secondly, healthcare consumers are the key stakeholders in the total healthcare value chain, eagerly seeking information about health promotion, disease prevention, treatment of specific conditions, and management of various health conditions and chronic diseases. After the earthquake, tsunami and nuclear accidents, the stakeholders are adopting and utilising social media, based on public cloud services, through both fixed and mobile broadband networks. However, currently, most of the healthcare providers do not have official accounts in Mixi, Twitter, Facebook, YouTube or USTREAM. From the viewpoints of stakeholder engagement in the management processes of GRC, lack of a communication gateway between healthcare providers and healthcare consumers online means gaps in stakeholder communications. In addition, the number of healthcare consumers with a good understanding of the potential risks in social media, such as security and privacy, is still small. As social media is a public communication tool and users need to understand their social responsibilities, it is essential to minimise the consumers’ security and privacy risks by utilising standardised social media technologies. In addition, information disclosure to stakeholders is one of the important processes in GRC management. It is also essential to focus on the development of better communication channels between on-premise-based healthcare providers and cloud-based healthcare consumers by leveraging on social media technologies.5 CONCLUSION The East Japan Earthquake and Tsunami is the starting point of developing a “new normal” healthcare IT with stakeholder engagement in Governance, Risk and Control (GRC) processes. In order to establish a reliable stakeholder-based healthcare emergency preparedness and response coalition, it is essential to develop common rules and standardised technologies to harmonise on-premise-based healthcare IT and cloud-based consumer IT through total healthcare value chains.6 ACKNOWLEDGEMENTS My appreciation to Mr Katsuhide Abe, Chief Executive Officer of the Healthcare Cloud Initiative, a registered non-profit organisation based in Tokyo, for his leadership and contribution to field work in this area.7 REFERENCES [1] Martin Fackler. “Quake Area Residents Turn to Old Means of Communication to Keen Informed.” The New York Times 27 March 2011. [2] Hiroko Tabuchi. “Angry Parents in Japan Confront Government Over Radiation Levels.” The New York Times 25 May 2011. [3] Mariko Sanchanta and Mitsuru Obe. “Moms Turn Activists in Japanese Crisis.” The Wall Street Journal 17 June 2011.
    • Section Four 73[4] The Cabinet Secretariat, the Ministry of Internal Affairs and communications (MIC) and the Ministry of Economy, Trade and Industry (METI). “Guidance of Information Disclosure Using Privately-held Social Media for Central and Local Governments” April 2011.[5] The Ministry of Health, Labour and Welfare. “Security Guidelines for Health Information Systems (Version 4.1)” February 2010.[6] Cloud Security Alliance. “Security Guidance for Critical Areas of Focus in Cloud Computing (Version 2.1)” December 2009.
    • 74 Section Four BIOGRAPHY OF AUTHOR Dr Eiji Sasahara Board Member, Cloud Security Alliance Japan Chapter vyt04351@nifty.comDr Eiji Sasahara is a Board Member of Cloud Security Alliance Japan Chapter, and, on a volunteer basis, promotesthe utilisation of information and communication technologies for quality assurance in care delivery, and provideseducation on the uses of Healthcare IT to help patient-centred and evidence-based medicine. He has providedresearch and consulting services to global ICT vendors and start-up ventures on interactive brand management andchannel marketing development. He also works with non-Japanese media industry such as The Wall Street JournalAsia and the Japanese public sector including the Ministry of Labour (currently the Ministry of Health, Labour andWelfare).Dr Sasahara holds a B.A. in human sciences from Keio University, Japan, an MBA from Boston University GraduateSchool of Management, the U.S., and a Ph.D. in Medical and Pharmaceutical Sciences from Chiba UniversityGraduate School of Medical and Pharmaceutical Sciences, Japan.