Health Information Technology (or Health IT) is any information technology related to the healthcare field. This is obviously an expansive category, ranging from electronic health records to electronic billing software. In this way, Health IT isn’t so much a single field as a framework within which many different IT disciplines reside.
What’s Your Health IT Type?
As mentioned, there are an expansive number of disciplines under the Health IT banner. Perhaps the central technology around which every other Health IT pursuit revolves is the electronic health record, or EHR. Aside from containing a patient’s medical record of hospital and clinic visits, EHRs are communicable software solutions that allow licensed users access to laboratory results, radiology imaging, referral records, treatment plans, and adjunct billing software. When working properly, EHRs allow the user to share medical information among subscribed healthcare practitioners at multiple locations.
Personal health records, or PHRs, are a bit tougher to define. Technically, PHRs are any electronic record that the patient maintains of their own or their loved ones’ health history. So, while a PHR can be an offline Word document, it is more often a mobile application or cloud-based software that should in theory be secure, but which has become the subject of speculation for that very reason. EHRs and PHRs are sometimes party to Health Information Exchanges (HIEs), or agreements among different organizations and software companies to allow safe and secure exchange of medical records among otherwise incompatible, proprietary systems.
Some subsystems within EHRs are also considered Health IT, like electronic medical record billing systems, which are part of larger software bundles or standalone products that can be tacked onto existing electronic workflows. Medical billing systems must work seamlessly with both ICD-10 diagnosis and CPT procedure coding protocols, and are operated by either in-house billing staff or outsourced medical billing firms.
Other Health IT categories include medical imaging management systems like Picture Archiving and Communication Systems (PACS) or Vendor Neutral Archives (VNAs) that maintain the staggering amount of medical imaging information being collected every day in specialties like Radiology, Cardiology, and even Sports Medicine. The conversion from analog to digital medical record keeping was catalyzed by a 2009 “meaningful use” initiative and must now be in compliance with MACRA – the Medicare Access and CHIP Reauthorization Act. This bipartisan law, signed in 2015 and amended in 2017, dictates that the U.S. Centers for Medicare and Medicaid Services (CMS) use collected performance data from the previous year to make payment adjustments.
Health IT Management
It goes without saying that health IT management is especially complicated, considering the drastic implications of any of these systems failing. Health IT is responsible for ensuring server stability, avoiding computing or access downtime, and maintaining hardware and system compatibility. All of the information transferred across these vast and labyrinthine networks is protected by the Health Insurance Portability and Accountability Act (HIPAA), a federal mandate established by the Health and Human Services Department. HIPAA is two-fold: it dictates that personal medical information (also known as electronic Protected Health Information, or e-PHI) must remain securely private from unauthorized parties, and that patients must always be allowed access to their own information.
Specific HIPAA rules regarding technical and personnel safeguards include:
- “Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;”
- “Identify and protect against reasonably anticipated threats to the security or integrity of the information;”
- “Protect against reasonably anticipated, impermissible uses or disclosures; and”
- “Ensure compliance by their workforce.”
- “Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).”
- “Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.”
- “Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.”
- “Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.”
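The Access Control, Audit Controls and Integrity Controls items above translate directly into code. The following is an added illustration, not code from the article or from any EHR vendor: a minimal e-PHI store that admits only authorized roles, writes an audit entry for every access attempt (successful or not), and seals each record with an HMAC so that improper alteration is detected on read. The key, the role table and the sample record are constructed for the demo; transmission security (TLS on the wire) is outside this snippet.

```python
import hmac, hashlib, json, time
from typing import Dict, List

# Constructed demo key; a real deployment would draw this from a key-management service.
INTEGRITY_KEY = b"demo-key-not-for-production"

# Constructed role table: only these roles may read or write e-PHI (Access Control).
ALLOWED_ROLES = {"physician", "nurse"}

def _canonical(record: dict) -> bytes:
    # Stable serialization so the same record always yields the same bytes to tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(record: dict) -> dict:
    """Integrity Control: attach an HMAC-SHA256 tag computed over the record."""
    tag = hmac.new(INTEGRITY_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}

def verify(sealed: dict) -> bool:
    """True only if the record still matches the tag attached when it was sealed."""
    expected = hmac.new(INTEGRITY_KEY, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])

class EPHIStore:
    """Access-controlled record store that logs every access attempt (Audit Controls)."""
    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}
        self.audit_log: List[dict] = []

    def _audit(self, user: str, role: str, action: str, patient_id: str, outcome: str) -> None:
        self.audit_log.append({"ts": time.time(), "user": user, "role": role,
                               "action": action, "patient_id": patient_id, "outcome": outcome})

    def put(self, user: str, role: str, patient_id: str, record: dict) -> None:
        if role not in ALLOWED_ROLES:
            self._audit(user, role, "write", patient_id, "denied")
            raise PermissionError("role not authorized for e-PHI")
        self._records[patient_id] = seal(record)
        self._audit(user, role, "write", patient_id, "ok")

    def get(self, user: str, role: str, patient_id: str) -> dict:
        if role not in ALLOWED_ROLES:
            self._audit(user, role, "read", patient_id, "denied")
            raise PermissionError("role not authorized for e-PHI")
        sealed = self._records[patient_id]
        if not verify(sealed):
            # Altered data is refused and the failure itself becomes an audit event.
            self._audit(user, role, "read", patient_id, "integrity_failure")
            raise ValueError("e-PHI record failed integrity check")
        self._audit(user, role, "read", patient_id, "ok")
        return sealed["record"]
```

The audit log is the artifact a reviewer would examine: denied reads and integrity failures appear alongside normal access, which is what the Audit Controls safeguard asks for.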
Breaches of HIPAA in any form are punishable under the purview of state medical licensing boards as well as the federal oversight of the Health and Human Services Office for Civil Rights.
Health IT Security Vulnerabilities
Bar none, the most pressing issue facing anyone in Health IT is maintaining the privacy and cybersecurity of the information held on all HIT networks. This issue came into stark relief with the recent ransomware cyberattack on the publicly traded EHR vendor Allscripts Healthcare Solutions, Inc., where a malicious piece of cryptovirology software was accidentally installed into the Allscripts firmware in January of 2018. This malware encrypted a massive amount of patient medical information, rendering it completely inaccessible to healthcare providers, health IT professionals, and patients unless they paid a cryptocurrency ransom to the perpetrators. This was a clear HIPAA violation: the privacy of the personal medical information was compromised, and patients were denied access to their own medical records. Committee action is still being discussed as to whether the attack will be considered a single HIPAA violation or whether each piece of medical information will be considered its own individual breach.
While the Allscripts attack is a frightening revelation to both healthcare providers and patients, the prevalence of cyberattacks in general is even scarier for any sector, like healthcare or banking, that has become completely reliant on digital infrastructure. Other cyberattacks, like Distributed Denial of Service (DDoS, where multiple programmed bots overload a server with requests until a security vulnerability is exposed), are even more common, and have famously affected large firms like Bank of America and the BBC. As most EHRs are not hardened against these types of cyber assaults, the most pressing issue for all major Health IT experts is to prevent DDoS and ransomware attacks from compromising patient records, and patient health, in the future.