IS Audit in Practice: Changing the Healthcare Paradigm: Risk Challenges With Interactive EHRs

Author: Cindy Baxter, CISA, ITIL Foundation
Date Published: 3 July 2023

The medical paper trail is one that many have closely safeguarded over the course of their lives. Somewhere, I still have paper records that my parents carefully preserved related to eyesight issues, childhood inoculations, fractures and irregularities that doctors and dentists considered worthy of documenting. With healthcare very much a specialty-driven industry, maintaining one’s own paper records was hard enough to coordinate. Going further to get relevant medical data from relatives was often impossible. That changed in the United States in 2014 when the US American Recovery and Reinvestment Act mandated the “meaningful use” of electronic health records (EHRs) to:

  • Improve quality, safety and efficiency and reduce health disparities.
  • Engage patients and families.
  • Improve case coordination.
  • Maintain the privacy and security of patient health information.[1]

Now, almost 10 years after the mandate, case coordination and patient and family engagement in the United States has changed dramatically from the prior exchange of paper folders and notes to portal-enabled access to patient information. As Jenna, a healthcare worker who is diligent about managing her own records told me, “I want to know all the options the medical teams are considering about me, not just their final choices of care.”

There are many benefits of this technology revolution, but are the data being used with an eye toward understanding the risk involved? Do healthcare providers adequately inform their patients to build digital trust with patients and families? Has the industry become better at effective collaboration because of the availability of EHRs? These are questions the risk manager needs to assess with the business team. An integrated approach allows much needed collaboration between the medical team users and the IT software developers, while ensuring that risk managers and the first line of defense (FLOD) are able to build a governance model with appropriate controls so critical healthcare uses receive due attention.

Fast Forward From the Paper Trail

The world of portal-enabled access to patient information is a two-way street, bringing patient care teams together for better patient outcomes and bringing family members together to collaborate on choices their loved ones may have to make. Connected healthcare institutions can generate full patient data profiles that include test results, appointment records from participating care providers, medication lists, medical questions and answers, and medical instructions given to the patient from all parties involved. Test results are often accessible to patients even before they are contacted by their doctors.

In addition, it is not only hospitals, doctors and labs that can get authorization to access and collaborate on the data. The data can also be made available on sites such as Ancestry.com and to research programs such as the US National Institutes of Health (NIH) All of Us Program[2] if the patient authorizes access. No longer does one need to maintain a paper file. Now, data from DNA results to x-rays to blood tests can be retrieved online and stored as soft copies.

How EHRs Work

Epic, a popular software provider,[3] uses Software-as-a-Service (SaaS) technology to provide cloud-based EHRs with open-source integration that complies with HL7 requirements.[4] The HL7 standards cover the full healthcare cycle with regard to taxonomy, implementation guides, document architecture, interoperability and templates for clinical notes.[5] With portal-based entry to a cached database, Epic has both web and application-based access available to users and is, therefore, agnostic to the browser or hardware access method used. Standard security on the patient side allows for a login ID and password, with multifactor authentication (MFA) available if desired by the users and institutions. Institutional users must meet the regulatory requirements of the US Health Insurance Portability and Accountability Act (HIPAA). Some healthcare providers choose to go above and beyond the standard HL7 requirements. The programming language used by Epic is a version of the Massachusetts General Hospital Utility Multi-Programming System (MUMPS).[6]

Getting User Risk Right

There are several challenges that come with extending EHR use beyond the strict regulatory climate that dictates software security, privacy and accessibility. The audiences are often nontechnical, and even when they are familiar with technology, they are not expert coordinators or collaborators. With diverse user groups that include patients and family members, medical staff across multiple institutions who have knowledge in varying disciplines, and researchers that include student populations and experts in the field, there is not one single road map for ensuring appropriate use.

Instead, multiple risk models, control sets and audit programs need to be considered. Establishment of appropriate risk profiles and controls for the software that enables the EHR information exchange is critical. ISACA® professionals can guide the audiences that use the provided risk assessments and audit results.

Given the mandated use of EHRs, the risk question is not to assess whether to provide electronic documentation, but rather to assess the choices made when selecting providers, managing compliant implementations and establishing governance models that monitor user audiences. Tackling user risk assessment and control development presents special challenges, meaning the practitioner must understand the user operating model and offer an interactive control framework for healthcare providers and governance managers. As information providers, medical users can present a risk to their client base of patient users if they do not recognize and use the software as intended based on the HL7 requirements of “meaningful use.”

The patient-doctor relationship is recognized as a key component of collaborative care, yet electronic data typically do not get the relationship attention to ensure that the data are understood, creating a high risk. The other key user communities are the specialist teams themselves, who, in the best case scenario, consume data and interact on behalf of the patient with other care team members. Facilitation through the lead or coordinating physician, if there is one, is equally important to assess whether the massive amounts of data are being used efficiently and effectively. If not, the risk of inappropriate data use can occur. Risk assessment and governance controls should be used to examine both the patient-doctor user group and the medical team user group not only to assess whether the most benefit is being derived from the software, but to live up to the EHR “meaningful use” requirements for all users involved.

Mitigating Risk by Assessing Care Provider Collaboration

Gone are the days when nurses needed to page doctors during off hours to interpret bad penmanship on patient records. But EHRs, with large quantities of data and the high number of specialists consuming the data, can create a knowledge silo effect, with different pieces of data used to arrive at potentially incomplete or incorrect conclusions depending on the users’ backgrounds and skill sets. Two questions arise:

  1. Are data being overlooked or misunderstood?
  2. Is there actually time to strive for the kind of medical team collaboration that can bring about more robust patient outcomes?

These two risk scenarios must be evaluated by the risk manager by walking in the shoes of the medical user, with sufficient knowledge to understand the options and environments in which the care teams must work. This is where working with the business partners to secure knowledge for a risk walkthrough is critical. A careful risk assessment review can garner advantages, for example:

  • Baseline requirements can be assessed by the IT team and the healthcare specialist team. Their input can expose difficulties the care team may encounter in utilizing the full data set. Reviews of user requirements across all providers within the care team help outline data consolidation opportunities that may reduce the risk of unused or misunderstood data.
  • Information delivery can be refined to a model that allows push and query. Information that is necessary for timely diagnosis should be evaluated as high risk if not reviewed and pushed to users at a frequency that meets their needs. Other information can be considered for query availability—visible as soundbites to users but available via a link on the web portal if desired vs. added to the mountain of information.
  • Risk factors can be assessed based on case complexity. A patient case requiring x-rays for a potential bone fracture carries a low risk of data being ignored or misunderstood, while a patient case involving potential transplant, with existing conditions such as diabetes and cardiovascular complications, is high risk for misuse of data—not only because the team of specialists is exponentially larger, but also because the data lake grows to monumental proportions when multiple tests are ordered to determine next steps.

Understanding the risk factors of ubiquitous data and creating a governance model with controls that mitigate data overload for the medical community is an important contribution for risk professionals to make. But it is only the start. Step one of the patient user risk assessment is an evaluation of healthcare provider knowledge of the software and the governance model used to build awareness and knowledge with patients. Governance and controls must evaluate the effectiveness of building a collaborative model instead of simply a model that ensures that the patient understands the medical recommendation under review.

In fact, awareness is the key control point for successful collaboration, not only to foster a solid understanding of the data, but to allow patients to make appropriate decisions regarding granting access to their information to others, whether it is for research by the medical community or for inclusion of family members and friends in the decision-making process. The risk of choice has always been a hot topic, but with the need for data accuracy evaluation and the risk and opportunity of new software enhancements, including artificial intelligence (AI), to manage patient data information, proper risk assessment and establishment of tight control environments are essential, while making sure data are delivered as quickly as needed.

Conclusion

Medicine in the 21st century is still science and art. Each time a data model points to predictability in terms of potential treatments and next steps for care, there are nuances because, after all, we are all unique. Some ways audit and risk professionals can help include:

  • Walk in the shoes of all user communities. Make sure the system and software are designed with intuitive instructions.
  • Dig into the end-user patient experience. Has access been granted by the patient to others because of appropriate patient awareness and knowledge?
  • Probe to find out whether the risk of obtaining data has been adequately explained and vetted. Have implications such as health insurability been discussed?
  • Understand the dynamics of the care team user community. Does the lead clinician involve the patient in reviewing all options? Does involvement of family members aid or detract from patient acceptance of treatment? Have treatment decisions been made as a result of collaboration, or is there too much data for the care team to humanly process and only a handful are making decisions?
  • After evaluating the risk and examining where controls can be most effective, document the gaps where the system or software can be improved. Highlight the software elements that are most appealing and most often used by the user communities.

As in many other fields, advances in medical technology are occurring at a breakneck pace. Risk management, governance and controls, audit verification, and validation that the intended use and benefits of the software are achieved help elevate the maturity of the healthcare information flow and benefit both medical users and patient users alike.

Endnotes

1 HealthIT.gov, “Meaningful Use,” Office of the National Coordinator for Health Information Technology (ONC), USA, https://www.healthit.gov/faq/what-meaningful-use
2 National Institutes of Health, All of Us Research Program, USA, https://allofus.nih.gov/
3 Epic, “In a Nutshell,” https://www.epic.com/about
4 HL7 International, Standards-Based Product Grid, https://www.hl7.org/implement/standards/product_matrix.cfm
5 Ibid.
6 Epic, “From Healthcare to Mapping the Milky Way: Five Things You Didn’t Know About Epic’s Tech,” 10 February 2020, https://www.epic.com/epic/post/healthcare-mapping-milky-way-5-things-didnt-know-epics-tech

Cindy Baxter, CISA, ITIL Foundation

Is director at What’s the Risk, LLC. Her practice focuses on integrated risk control and process assessments for cybersecurity, privacy and business continuity/disaster recovery. She views risk management and control assessment as opportunities to learn the nuts and bolts of a business and help her clients worry less because gaps have been uncovered and a stronger operating model can be built. Baxter draws upon her experience in banking, insurance, healthcare and technology after holding compliance and management roles at State Street Corporation, American International Group (AIG), Johnson & Johnson and AT&T. When she is not doing risk and audit work, she enjoys volunteering on climate and environmental issues that impact her community.