Health Information Privacy and Security (November 8, 2021)
Health IT, Digital Transformation and Security/Privacy for Hospital Executives (February 14, 2020)
1. Health IT, Digital Transformation, and
Security/Privacy for Hospital Executives
(Parts 1 & 2)
Dr. Nawanan Theera-Ampornpunt (นพ.นวนรรน ธีระอัมพรพันธุ์)
14 February 2020 (B.E. 2563)
www.SlideShare.net/Nawanan
2. What words come to mind when you hear...
Digital Health
Transformation
7. “Big data is like teenage sex:
everyone talks about it,
nobody really knows how to do it,
everyone thinks everyone else is doing it,
so everyone claims they are doing it...”
-- Dan Ariely @danariely (2013)
Substitute “Big data” with “AI”, “Blockchain”, “IoT”
of your choice.
-- Nawanan Theera-Ampornpunt (2018)
8. Hype vs. Hope
Jeremy Kemp via http://en.wikipedia.org/wiki/Hype_cycle
http://www.gartner.com/technology/research/methodologies/hype-cycle.jsp
11. A Real-Life Personal Story of
My Failure (as a Doctor and as
a Son) in Misdiagnosing
My Mom
Would AI Help?
12. • Nothing is certain in medicine &
health care
• Large variations exist in patient
presentations, clinical course,
underlying genetic codes, patient &
provider behaviors, biological
responses & social contexts
Why Is Clinical Judgment Still Necessary?
13. • Most diseases are not diagnosed by
diagnostic criteria, but by patterns of
clinical presentation and perceived
likelihood of different diseases given
available information (differential
diagnoses)
• Humans are good at pattern
recognition, while machines are good at
logic & computation
Why Is Clinical Judgment Still Necessary?
14. • Machines are (at best) as good as
the input data
–Not everything can be digitized or
digitally acquired
–Not everything digitized is accurate
(“Garbage In, Garbage Out”)
• Experience, context & the human touch
matter
Why Is Clinical Judgment Still Necessary?
16. • “Don’t implement technology just for
technology’s sake.”
• “Don’t make use of excellent technology.
Make excellent use of technology.”
(Tangwongsan, Supachai. Personal communication, 2005.)
• “Health care IT is not a panacea for all that ails
medicine.” (Hersh, 2004)
Some “Smart” Quotes
21. To treat & to care
for their patients
to their best
abilities, given
limited time &
resources
Image Source: http://en.wikipedia.org/wiki/File:Newborn_Examination_1967.jpg (Nevit Dilmen)
What Do Clinicians Want?
Why Aren’t We Talking About These Words?
http://hcca-act.blogspot.com/2011/07/reflections-on-patient-centred-care.html
23. The Goal of Health Care
The answer is already obvious...
“Health”
“Care”
24. • Safe
• Timely
• Effective
• Patient-Centered
• Efficient
• Equitable
Institute of Medicine, Committee on Quality of Health Care in America. Crossing the quality
chasm: a new health system for the 21st century. Washington, DC: National Academy
Press; 2001. 337 p.
High Quality Care
• Humans are not perfect and are bound to
make errors
• The reports highlight problems in the U.S. health
care system that systematically contribute to
medical errors and poor quality
• They recommend reform
• Health IT plays a role in improving patient
safety
Summary of These Reports
28.
Image Source: (Left) http://docwhisperer.wordpress.com/2007/05/31/sleepy-heads/
(Right) http://graphics8.nytimes.com/images/2008/12/05/health/chen_600.jpg
To Err Is Human 2: Attention
29.
Image Source: Suthan Srisangkaew, Department of Pathology, Faculty of Medicine Ramathibodi Hospital, Mahidol University
To Err Is Human 3: Memory
30.
• Cognitive Errors - Example: Decoy Pricing
The Economist Purchase Options (with the decoy)        # of People
• Economist.com subscription $59                         16
• Print subscription $125                                 0
• Print & web subscription $125                          84
The Economist Purchase Options (decoy removed)         # of People
• Economist.com subscription $59                         68
• Print & web subscription $125                          32
Ariely (2008)
To Err Is Human 4: Cognition
31. Klein JG. Five pitfalls in decisions about diagnosis and prescribing. BMJ. 2005 Apr 2;330(7494):781-3.
“Everyone makes mistakes. But our
reliance on cognitive processes prone to
bias makes treatment errors more likely
than we think”
Cognitive Biases in Healthcare
32.
[Figure: model of clinical decision making, with components Patient; Clinician: Perception, Attention, Working Memory, Long Term Memory (Knowledge, Data), Inference; External Memory (Knowledge, Data); Decision.]
Elson, Faughnan & Connelly (1997)
Clinical Decision Making
33.
[Figure: the same clinical decision-making model (Elson, Faughnan & Connelly, 1997), annotated with the points at which human errors are possible.]
Possible Human Errors
35.
• Clinical Decision Support (CDS) “is a
process for enhancing health-related
decisions and actions with pertinent,
organized clinical knowledge and patient
information to improve health and healthcare
delivery” (including both computer-based &
non-computer-based CDS)
(Osheroff et al., 2012)
What Is CDS?
36.
• Where most of the value of health IT is
actually realized
• CDS comes in a wide variety of forms
Clinical Decision Support
Systems (CDS)
37.
• Expert systems
–Based on artificial
intelligence, machine
learning, rules, or
statistics
–Examples: differential
diagnoses, treatment
options
CDS Examples
Shortliffe (1976)
38.
• Alerts & reminders
–Based on specified logical conditions
• Drug-allergy checks
• Drug-drug interaction checks
• Drug-lab interaction checks
• Drug-formulary checks
• Reminders for preventive services or certain actions
(e.g. smoking cessation)
• Clinical practice guideline integration (e.g. best
practices for chronic disease patients)
CDS Examples
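As an added example (not code from the slides or from any EHR product): a minimal rule-based implementation of the drug-allergy and drug-drug interaction checks listed above, with severity tiering so that only high-severity findings interrupt the clinician (the usual mitigation for alert fatigue). The drug classes, the interaction table, the patient record and the severity levels are constructed assumptions for illustration, not a clinical knowledge base.

```python
"""Added example: rule-based CDS alert checks of the kind listed on the slide.

Illustrative code written for this page, not from the slides or any EHR.
The allergy classes, interaction table, severity levels and patient record
are assumptions constructed for the example.
"""

# Constructed knowledge base (assumption): drug -> allergen/drug class
DRUG_CLASS = {
    "amoxicillin": "penicillin",
    "cefalexin": "cephalosporin",
    "warfarin": "anticoagulant",
    "aspirin": "salicylate",
    "ibuprofen": "nsaid",
}

# Constructed interaction table (assumption): unordered drug pair -> severity
INTERACTIONS = {
    frozenset({"warfarin", "aspirin"}): "high",
    frozenset({"warfarin", "ibuprofen"}): "high",
    frozenset({"aspirin", "ibuprofen"}): "moderate",
}

# Only the most severe findings interrupt the clinician; everything else goes
# to a non-interruptive list. This tiering is what limits alert fatigue.
INTERRUPTIVE = {"high"}


def check_order(patient, new_drug):
    """Evaluate the logical conditions for adding new_drug to the patient's orders.

    Returns (interruptive_alerts, passive_alerts), each a list of strings.
    """
    new_drug = new_drug.lower()
    interruptive, passive = [], []

    # Drug-allergy check: class of the new drug vs the recorded allergies
    cls = DRUG_CLASS.get(new_drug)
    if cls and cls in {a.lower() for a in patient["allergies"]}:
        interruptive.append(
            f"ALLERGY: {new_drug} is a {cls}; patient allergic to {cls}"
        )

    # Drug-drug interaction check against the current medication list
    for current in patient["medications"]:
        sev = INTERACTIONS.get(frozenset({new_drug, current.lower()}))
        if sev is None:
            continue
        text = f"INTERACTION ({sev}): {new_drug} with {current}"
        (interruptive if sev in INTERRUPTIVE else passive).append(text)

    # Duplicate-therapy check: the same drug is already on the list
    if new_drug in {m.lower() for m in patient["medications"]}:
        passive.append(f"DUPLICATE: {new_drug} already prescribed")

    return interruptive, passive


# Constructed patient record (assumption, not real data)
PATIENT = {"allergies": ["penicillin"], "medications": ["warfarin", "aspirin"]}

if __name__ == "__main__":
    for drug in ("Amoxicillin", "ibuprofen", "Aspirin"):
        hard, soft = check_order(PATIENT, drug)
        print(drug, "->", "INTERRUPT" if hard else "ok", hard, soft)
```

Real systems draw the tables from a maintained drug database rather than from literals, but the shape is the same: each alert is a predicate over the order plus the patient record, and the decision of which predicates may interrupt is a governance choice, not a technical one.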
42.
• Pre-defined documents
–Order sets, personalized “favorites”
–Templates for clinical notes
–Checklists
–Forms
• Can be either computer-based or
paper-based
CDS Examples
43.
Order Sets
Image Source: http://www.hospitalmedicine.org/ResourceRoomRedesign/CSSSIS/html/06Reliable/SSI/Order.cfm
44.
• Simple UI designed to help clinical
decision making
–Abnormal lab highlights
–Graphs/visualizations for lab results
–Filters & sorting functions
CDS Examples
46-52.
[Figure: the clinical decision-making model (Elson, Faughnan & Connelly, 1997), repeated on seven slides, each annotated with one kind of CDS at the stage of the process it supports.]
How CDS Supports Decision Making
• Abnormal lab highlights
• Order Sets
• Drug-Allergy Checks
• Drug-Drug Interaction Checks
• Clinical Practice Guideline Alerts/Reminders
• Integration of Evidence-Based Resources (e.g. drug databases, literature)
• Diagnostic/Treatment Expert Systems
56. Overview of Health IT Work
Intra-Hospital IT
• Electronic Health Records &
Health IT for Quality & Safety
• Digital Transformation
• AI, Data Analytics
• Hospital IT Quality
Improvement (HA-IT)
Inter-Hospital IT
• Health Information
Exchange (HIE)
Extra-Hospital IT
• Patients: Personal
Health Records (PHRs)
• Public Health: Disease
Surveillance & Analytics
Patient
at Home
59. Health Information Exchange (HIE)
[Figure: Hospital A, Hospital B, Hospital C, Clinic D, Policymakers and the Patient at Home, all connected through an HIE Platform.]
62. Areas of Health Informatics
[Figure: three areas and whom they serve: Clinical Informatics (Providers & Patients); Public Health Informatics (Healthcare Managers, Policy-Makers, Payers, Epidemiologists, Researchers); Consumer Health Informatics (Patients & Consumers).]
Copyright Nawanan Theera-Ampornpunt (2018)
63. Incarnations of Health IT
[Figure: examples of health IT laid over the three areas (Clinical, Public Health and Consumer Health Informatics): HIS/CIS; EHRs; Computerized Physician Order Entry (CPOE); Clinical Decision Support Systems (CDS) (including AI); Closed Loop Medication; PACS/RIS; LIS; Nursing Apps; Disease Surveillance (Active/Passive); Business Intelligence & Dashboards; Telemedicine; Real-time Syndromic Surveillance; mHealth for Public Health Workers & Volunteers; PHRs; Health Information Exchange (HIE); eReferral; mHealth for Consumers; Wearable Devices; Social Media.]
Copyright Nawanan Theera-Ampornpunt (2018)
64. Where We Are Today...
Copyright Nawanan Theera-Ampornpunt (2018)
[Figure: current shortcomings laid over the three areas (Clinical, Public Health and Consumer Health Informatics).]
• Technology that focuses on the sick, not the healthy
• Silos of data within the hospital
• Poor/unstructured data quality
• Lack of health data outside the hospital
• Poor data integration across hospitals/clinics
• Poor data integration for monitoring & evaluation
• Poor data quality (GIGO)
• Finance leads clinical outcomes
• Poor IT change management
• Cybersecurity & privacy risks
• Few real examples of precision medicine
• Little access to one’s own health data
• Poor patient engagement
• Poor accuracy of wearables
• Lack of evidence for health value
• Health literacy / information / behavioral change
• Few standards
• Lack of health IT governance
65. • CDS as a replacement for, or a supplement to,
clinicians?
– The demise of the “Greek Oracle” model (Miller & Masarie, 1990)
[Figure: the “Greek Oracle” model (wrong assumption: the computer produces the answer and replaces the clinician) versus the “Fundamental Theorem” model (correct assumption: a clinician working with an information resource does better than the clinician alone). Friedman (2009)]
Clinical Decision Support Systems (CDS)
66. Being Smart #5:
Don’t Replace
Human Users.
Use ICT to Help Them
Perform Smarter & Better.
67. Some Risks of Clinical Decision Support Systems
• Alert Fatigue
Unintended Consequences of Health IT
73.
• “Unanticipated and unwanted effect of health IT
implementation” (ucguide.org)
• Key Resources
▪ Ash JS, Berg M, Coiera E. Some unintended consequences of
information technology in health care: the nature of patient
care information system-related errors. J Am Med Inform Assoc.
2004 Mar-Apr;11(2):104-12.
▪ Campbell, EM, Sittig DF, Ash JS, et al. Types of Unintended
Consequences Related to Computerized Provider Order
Entry. J Am Med Inform Assoc. 2006 Sep-Oct; 13(5): 547-556.
▪ Koppel R, Metlay JP, Cohen A, Abaluck B, Localio AR, Kimmel SE,
Strom BL. Role of computerized physician order entry systems
in facilitating medication errors. JAMA. 2005 Mar
9;293(10):1197-203.
Unintended Consequences of Health IT
74.
Standard view
▪ With uncertainties around new technology, “scientific
evidence counsels caution and prudence.”
▪ Evidence & reason determine the appropriate level of
caution
▪ If such systems improve care at acceptable cost in
time & money, there is an obligation to use them
▪ Follows evolving evidence and standards of care
Goodman & Miller. Chapter 10: Ethics and Health Informatics: Users, Standards, and Outcomes.
In Shortliffe (3rd Edition).
Appropriate Use of Health IT
75.
Standard view
▪ For computer-assisted clinical diagnosis, human
cognitive processes are better suited to the complex task
of diagnosis than machines, and should not be
overridden or trumped by computers.
▪ When adequate CDS tools are developed, they should
be viewed and used as supplementary and subservient
to human clinical judgment
Appropriate Use of Health IT
Goodman & Miller. Chapter 10: Ethics and Health Informatics: Users, Standards, and Outcomes.
In Shortliffe (3rd Edition).
77.
Standard view
▪ Practitioners have obligation to use tools responsibly,
through adequate training & understanding the
system’s abilities & limitations
▪ Practitioners must not ignore their clinical judgment
reflexively when using CDS.
Appropriate Use of Health IT
Goodman & Miller. Chapter 10: Ethics and Health Informatics: Users, Standards, and Outcomes.
In Shortliffe (3rd Edition).
78.
▪ Health IT “should be used in clinical practice only
after appropriate evaluation of its efficacy and the
documentation that it performs its intended task at an
acceptable cost in time & money”
▪ Qualified (licensed, trained & experienced) health
professionals as users
▪ Systems should be used to augment/supplement,
rather than replace or supplant individuals’ decision
making
▪ Adequate training
Appropriate Use of Health IT
Goodman & Miller. Chapter 10: Ethics and Health Informatics: Users, Standards, and Outcomes.
In Shortliffe (3rd Edition).
79.
Health IT, Digital Transformation, and
Security/Privacy for Hospital Executives
(Part 2)
Dr. Nawanan Theera-Ampornpunt (นพ.นวนรรน ธีระอัมพรพันธุ์)
14 February 2020 (B.E. 2563)
http://www.slideshare.net/nawanan
98.
Ethical Principles Relevant to Privacy
• Autonomy (the patient’s right to self-determination and independence)
• Beneficence (acting in the patient’s best interest)
• Non-maleficence (doing no harm to the patient)
“First, Do No Harm.”
99.
Hippocratic Oath
...
What I may see or hear in the course of
treatment or even outside of the treatment
in regard to the life of men, which on no
account one must spread abroad, I will keep
myself holding such things shameful to be
spoken about.
...
http://en.wikipedia.org/wiki/Hippocratic_Oath
108. ▪ Attack
▪ An attempt to breach the security of a system
▪ Threat
▪ A scenario (or actor) that can harm a system
▪ Vulnerability
▪ A weakness in the system, the “hole” that an attack exploits
Common Security Terms
110. Simplified Attack Scenarios
[Figure: Alice’s client, a Server, Bob, and the attacker Eve/Mallory (Eve: passive eavesdropper; Mallory: active attacker).]
Attacks on the client / user:
- Physical access to the client computer
- Electronic access (password)
- Tricking the user into doing something
(malware, phishing & social engineering)
111. Simplified Attack Scenarios
[Figure: Alice’s client, a Server, Bob, and the attacker Eve/Mallory.]
Attacks on data in transit:
- Intercepting (eavesdropping or
“sniffing”) data in transit
- Modifying data (“Man-in-the-middle”
attacks)
- “Replay” attacks
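As an added example (not part of the slides): how a server can reject the modified and replayed messages named above. The code assumes a secret key already shared between Alice and the server (how it got there, e.g. over TLS, is out of scope) and authenticates each message with HMAC-SHA256 over the payload plus a timestamp and a random nonce. The key, the patient id, the order text and the time values are constructed for the example. In practice a protocol such as TLS does this for you; the point is to show which check defeats which attack.

```python
"""Added example: detecting a modified or replayed message in transit.

Illustrative code written for this page, not from the slides or any product.
Assumes a pre-shared secret between sender and server; all values below are
constructed for the example.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SHARED_KEY = b"example-shared-secret-not-for-production"  # assumption: pre-shared
MAX_CLOCK_SKEW = 30  # seconds; assumption for the freshness window


def _canonical(body: dict) -> bytes:
    # Deterministic JSON so sender and receiver MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_message(key: bytes, payload: dict, now: Optional[float] = None) -> dict:
    """Wrap payload with a timestamp, a random nonce and an HMAC-SHA256 tag."""
    body = {
        "payload": payload,
        "ts": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(16),
    }
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class Receiver:
    """Server-side checks: authenticity, freshness, and single use of nonces."""

    def __init__(self, key: bytes, max_skew: int = MAX_CLOCK_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen_nonces = set()

    def verify(self, msg: dict, now: Optional[float] = None) -> str:
        """Return 'ok' or the reason the message is rejected."""
        now = now if now is not None else time.time()
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # compare_digest avoids leaking the tag through timing differences.
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return "rejected: bad MAC (modified or forged)"
        if abs(now - body["ts"]) > self.max_skew:
            return "rejected: stale timestamp"
        if body["nonce"] in self.seen_nonces:
            return "rejected: replay (nonce already used)"
        self.seen_nonces.add(body["nonce"])
        return "ok"


def demo() -> list:
    """Run the scenarios from the slide: genuine, modified, replayed, stale."""
    rx = Receiver(SHARED_KEY)
    t0 = 1_700_000_000  # constructed clock value
    msg = make_message(
        SHARED_KEY, {"patient_id": "HN-0001", "order": "Amoxicillin 500 mg"}, now=t0
    )
    results = [rx.verify(msg, now=t0 + 1)]  # genuine message

    tampered = dict(msg)  # Mallory changes the dose but cannot recompute the MAC
    tampered["payload"] = {"patient_id": "HN-0001", "order": "Amoxicillin 5000 mg"}
    results.append(rx.verify(tampered, now=t0 + 2))

    results.append(rx.verify(msg, now=t0 + 3))    # Mallory re-sends the original
    results.append(rx.verify(msg, now=t0 + 600))  # same message, far outside the window
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Eavesdropping is not addressed here: a MAC gives integrity and freshness, not confidentiality, so the payload would still need encryption in transit. The nonce set also needs bounding in a real server (expire entries older than the freshness window), otherwise it grows without limit.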
112. Simplified Attack Scenarios
[Figure: Alice’s client, a Server, Bob, and the attacker Eve/Mallory.]
Attacks on the server:
- Unauthorized access to servers through
- Physical means
- User accounts & privileges
- Attacks through software vulnerabilities
- Attacks using protocol weaknesses
- DoS / DDoS attacks
114. Safeguarding Against Attacks
Administrative Security
- Security & privacy policy
- Governance of security risk management & response
- Uniform enforcement of policy & monitoring
- Disaster recovery planning (DRP) & business continuity
planning/management (BCP/BCM)
- Legal obligations, requirements & disclaimers
115. Safeguarding Against Attacks
Physical Security
- Protecting physical access to clients & servers
- Locks & chains, locked rooms, security cameras
- Mobile device security
- Secure storage & secure disposal of storage devices
116. Safeguarding Against Attacks
User Security
- User account management
- Strong password policy (length, complexity, expiry, no meaning;
note that current guidance such as NIST SP 800-63B favours length and
screening against known-breached passwords over forced periodic
expiry and composition rules)
- Principle of Least Privilege
- “Clear desk, clear screen” policy
- Audit trails
- Education, awareness building & policy enforcement
- Alerts & education about phishing & social engineering
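As an added example (not from the slides or from any product): what the audit trails listed above make possible. The code reviews a constructed EHR access log for two patterns a hospital privacy officer typically looks for, a user viewing an unusually large number of distinct charts within a short window, and access to patients outside the user’s own unit with no documented reason (e.g. break-the-glass). The log format, field names, units, thresholds and every log line are assumptions constructed for the example.

```python
"""Added example: reviewing an EHR audit trail for access that needs follow-up.

Illustrative code written for this page, not from the slides or any EHR.
Log format, field names, units, thresholds and the log lines themselves are
assumptions constructed for the example (no real data).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (assumption: one "key=value" record per line).
SAMPLE_LOG = """\
2020-02-14T08:00:10 user=nurse01 unit=ICU action=VIEW patient=HN-1001 patient_unit=ICU
2020-02-14T08:02:30 user=nurse01 unit=ICU action=VIEW patient=HN-1002 patient_unit=ICU
2020-02-14T08:05:00 user=clerk07 unit=OPD action=VIEW patient=HN-2001 patient_unit=OPD
2020-02-14T08:05:40 user=clerk07 unit=OPD action=VIEW patient=HN-2002 patient_unit=OPD
2020-02-14T08:06:05 user=clerk07 unit=OPD action=VIEW patient=HN-2003 patient_unit=ER
2020-02-14T08:06:50 user=clerk07 unit=OPD action=VIEW patient=HN-2004 patient_unit=ICU
2020-02-14T08:07:20 user=clerk07 unit=OPD action=VIEW patient=HN-2005 patient_unit=OPD
2020-02-14T08:08:00 user=clerk07 unit=OPD action=VIEW patient=HN-2006 patient_unit=ER
2020-02-14T09:15:00 user=dr_er02 unit=ER action=VIEW patient=HN-3001 patient_unit=ICU reason=break-glass
2020-02-14T09:40:00 user=dr_er02 unit=ER action=VIEW patient=HN-3002 patient_unit=ICU
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

MAX_DISTINCT_PATIENTS = 5    # assumption: distinct charts per user per window
WINDOW = timedelta(hours=1)  # assumption: sliding window length


def parse_log(text):
    """Turn each line into a dict with a parsed timestamp; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
        fields["ts"] = datetime.fromisoformat(m.group("ts"))
        events.append(fields)
    return events


def flag_cross_unit_access(events):
    """Accesses to a patient outside the user's unit with no recorded reason."""
    return [
        (e["user"], e["patient"])
        for e in events
        if e.get("unit") != e.get("patient_unit") and "reason" not in e
    ]


def flag_high_volume(events, limit=MAX_DISTINCT_PATIENTS, window=WINDOW):
    """Users who viewed more than `limit` distinct charts inside any `window`.

    Returns {user: largest distinct-chart count seen in a window}.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["patient"] for e in evs[start:end + 1]}
            if len(distinct) > limit:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


def review(text=SAMPLE_LOG):
    """Run both checks over a log and return the findings."""
    events = parse_log(text)
    return {
        "cross_unit": flag_cross_unit_access(events),
        "high_volume": flag_high_volume(events),
    }


if __name__ == "__main__":
    for kind, findings in review().items():
        print(kind, findings)
```

Findings like these are leads for a privacy officer, not verdicts: a clerk may legitimately touch many charts, which is why the thresholds belong in policy and why the break-the-glass reason field matters. The audit log itself must be append-only and out of reach of the users it records, or it proves nothing.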
117. Safeguarding Against Attacks
System Security
- Antivirus, antispyware, personal firewall, intrusion
detection/prevention system (IDS/IPS), log files, monitoring
- Updates, patches & fixes for operating system vulnerabilities &
application vulnerabilities
- Redundancy (avoid a “Single Point of Failure”)
- Honeypots
118. Safeguarding Against Attacks
Software Security
- Software (clients & servers) that is secure by design
- Software testing against failures, bugs, invalid inputs,
performance issues & attacks
- Updates to patch vulnerabilities
119. Safeguarding Against Attacks
Network Security
- Access control (physical & electronic) to network devices
- Use of secure network protocols where possible
- Data encryption in transit where possible
- Bandwidth monitoring & control
120. Safeguarding Against Attacks
Database Security
- Access control to databases & storage devices
- Encryption of data stored in databases where necessary
- Secure destruction of data after use
- Access control to queries/reports
- Security features of database management systems (DBMS)
121.
User Account Security
So, two informaticians
walk into a bar...
The bouncer says,
"What's the password."
One says, "Password?"
The bouncer lets them
in.
Credits: @RossMartin & AMIA (2012)
134. • Common and accessible language
• Adaptable to many technologies, lifecycle
phases, sectors and uses
• Risk-based
• Based on international standards
• Living document
• Guided by many perspectives – private
sector, academia, public sector
Key Framework Attributes
Principles of Current and Future Versions of the Framework
135. The Framework Core
Establishes a Common Language
• Describes desired outcomes
• Understandable by everyone
• Applies to any type of risk
management
• Defines the entire breadth of
cybersecurity
• Spans both prevention and reaction
Functions: Identify, Protect, Detect, Respond, Recover
136. An Excerpt from the Framework Core
The Connected Path of Framework Outcomes
5 Functions 23 Categories 108 Subcategories 6 Informative References
137. Implementation Tiers
The Cybersecurity Framework Version 1.1
Tiers: 1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive
Each tier is characterized along three dimensions:
• Risk Management Process: the functionality and repeatability of cybersecurity
risk management
• Integrated Risk Management Program: the extent to which cybersecurity is considered in
broader risk management decisions
• External Participation: the degree to which the organization
monitors and manages supply chain risk (added in Version 1.1) and
benefits by sharing or receiving information from
outside parties