PATIENT CONFIDENTIALITY

Across the world, the software behind information services is increasingly under threat from computer viruses and malware.

The recent shutdown of over 50 health organization information systems in the UK by the WannaCry ransomware was just one of many recent examples of a malicious global cyber-attack on vulnerable information systems.

The attack froze computers and threatened to delete key files unless a ransom was paid.

The result was cancelled operations and hospital clinical appointments.

The UK government, which is responsible for health care, ignored warnings in the middle of 2016 from Dame Fiona Caldicott, the UK National Data Guardian, that the threat of attacks “has not only put patient information at risk of loss or compromise but also jeopardises access to critical patient record systems by clinicians”.

And it came to pass that it happened.

The attack came from a derivative of software developed by the US National Security Agency to enable it to covertly snoop on people.

The ransomware attack exploited a vulnerability in Microsoft Windows XP, which was released at the turn of the century in 2001.

Microsoft blamed the health organizations for not updating their software.

But health organisations use specialised equipment that was designed to work with Windows XP and cannot work with newer versions.

Blaming the user is common practice by software companies when things go wrong. 

They fail to own up to their responsibility for providing software that can be exploited, despite earning billions of dollars.

Microsoft earned billions of dollars with Windows XP and had the resources to repair the vulnerabilities that were in their product but chose not to.

In many ways, the product was not fit for purpose.

And we are all living with the consequences.

For Microsoft to walk away from acknowledging their responsibility for their product is like a manufacturer telling a customer who has bought a machine with a life-threatening fault that the manufacturer is not responsible for the repair.

So, Microsoft: you made it, you fix it.

Imagine if, as a nurse, you walked away from accepting responsibility for an error that you made: all hell would come down upon your head.

The same consequences should occur with companies.

After all, the US Supreme Court said that companies are “persons” too!!

With computers open to being compromised almost at will, the question of whether electronic health records (EHR) are safe is a fundamental issue for all health care providers.

Nurses have an ethical obligation to protect their patients’ private health information.

In 2017, there is no guarantee that patient confidentiality can be maintained in a world where there are vulnerabilities in information systems.

Prior to EHR, it was sufficient that records were protected by being on paper and under lock and key.

The potential audience for the records was kept to a relatively small number compared to the millions of people who could look at a data dump if an EHR was placed on the internet.

In a 2013 study, patients expressed concern about safety and trust when an EHR was used.

They were concerned about the easy access to their information and that others might use it incorrectly.

They also said that there was an inconsistency when nurses spoke to them about how patient information was kept private within the EHR.

There have been instances where staff shared user names and passwords, which could lead to unauthorized use.

There is a benefit with EHR – it can lead to improved patient-centred care.

With enhanced access to a patient’s health information, better coordination of care among all members of the healthcare team would be possible.

At the moment, the consequences of the breach of trust a patient suffers when an electronic health record is compromised outweigh the positives.

After all, if patients do not trust that confidentiality can be maintained, they may be reluctant to be honest or completely disclose all relevant information, which could have grave consequences for the quality of the patient’s care.

All health organisations need to actively improve patient record security.

The fear is that if patient records cannot be protected now, it may never be possible.

To learn more about compromised health records:

Strauss, Beth. “The patient perception of the nurse-patient relationship when nurses utilize an electronic health record within a hospital setting.” CIN: Computers, Informatics, Nursing 31.12 (2013): 596-604.

Wallace, Ilse M. “Is patient confidentiality compromised with the electronic health record?: A position paper.” CIN: Computers, Informatics, Nursing 33.2 (2015): 58-62.