By Nick Inglis
A myopic focus on protecting EMR (Electronic Medical Records) systems has left healthcare organizations open to shadow information risk.
In a world where hackers and ransomware criminals are regularly compromising healthcare organizations, it’s essential to evaluate your risk areas – all risk areas.
What are our information goals?
I frequently use the acronym “EMR” [Electronic Medical Records System] to represent patient information systems. However, if you prefer EHR [Electronic Health Records], EPR [Electronic Patient Records], or any other acronym – please use the abbreviation that you find more comfortable and in alignment with your understanding.
Around the EMR, I often circle three primary goals – all our other information goals tend to be a piece of one of those three primaries.
- Reduce information risk
- Improve information value
- Ensure successful patient outcomes (because everyone, even health information professionals, are involved in ensuring successful patient outcomes)
Reducing information risk includes adhering to specific privacy and security requirements, PII (personally identifiable information) assurance, PHI (personal healthcare information) assurance, and much more. Improving information value includes elements of strengthening quality, assuring browsability, and ensuring findability. Lastly, all our information goals and efforts must enable successful patient outcomes.
How do information goals work in an EMR and other systems?
We tend to view these goals as surrounding the EMR, as shown below. The question is if we do all these things, are our information environments well-governed?
That answer is no.
While those goals are laudable, they fall into a common mistake that healthcare information professionals make. They have forgotten that these goals aren’t just tied to the EMR – they are goals that should be spread across all systems that we use that contain information.
It is here, outside the purple circle of EMR-land, where the rotten apples are also focusing on achieving success.
We are EMR obsessed, but why?
According to a retrospective observational study of all available reported data breaches in the United States from 2013 to 2017 (made available from a federal regulatory database), less than 10% of data breaches in healthcare are related explicitly to your EMR.
EMR breaches account for 8.47% of all information security incidents. This number can be misleading because ‘hacking incidents’ reported do not specify what % are of the EMR or other system, so 24.01% of hacking incidents have unclear attribution.
What is clear, though, from this study is that 67.53% of information security incidents are data breaches unrelated to the EMR – shadow information.
How do we mitigate the threats of our shadow information problem?
The goal should be to have an organizational strategy across all information, both within and beyond the EMR.
Fortunately, a whole profession called Information Governance is precisely that – a unified strategy across all organizational information. Information Governance is not a healthcare-specific approach, so there is an abundance of guidance available on the approach.
Hello, Information Governance
Information Governance is your overarching and coordinating strategy across all organizational information – it is your information ‘one ring to rule them all.’ As healthcare organizations become more aware of the myriad of risks they must confront – this single, organization-wide strategic approach is gaining traction.
I recently presented on the topic of healthcare shadow information at the American Healthcare Legal Association (AHLA).