Difference between revisions of "Journal:Password compliance for PACS work stations: Implications for emergency-driven medical environments"
Revision as of 21:10, 30 July 2018

Full article title: Password compliance for PACS work stations: Implications for emergency-driven medical environments
Journal: South African Journal of Bioethics and Law
Author(s): Mahlaola, T.B.; van Dyk, B.
Author affiliation(s): University of Johannesburg
Year published: 2017
Volume and issue: 10(2)
Page(s): 62–6
DOI: 10.7196/SAJBL.2017.v10i2.00600
ISSN: 1999-7639
Distribution license: Creative Commons Attribution-NonCommercial 4.0 International
Website: https://www.ajol.info/index.php/sajbl/article/view/165242
Download: https://www.ajol.info/index.php/sajbl/article/download/165242/154702 (PDF)

Abstract

Background: The effectiveness of password usage in data security remains an area of high scrutiny. Literature findings do not inspire confidence in the use of passwords. Human factors such as the acceptance of and compliance with minimum standards of data security are considered significant determinants of effective data-security practices. However, human and technical factors alone do not provide solutions if they exclude the context in which the technology is applied.

Objectives: To reflect on the outcome of a dissertation which argues that the minimum standards of effective password use prescribed by the information security sector are not suitable to the emergency-driven medical environment, and that their application as required by law raises new and unforeseen ethical dilemmas.

Method: A close-ended questionnaire, the Picture Archiving and Communication System Confidentiality Scale (PAC-CS), was used to collect quantitative data from 115 health professionals employed in both a private radiology and a hospital setting. The PAC-CS sought to explore the extent of compliance with accepted minimum standards of effective password usage.

Results: The percentage compliance with minimum standards was calculated. A significant statistical difference (p<0.05) between the expected and observed data-security practices was recorded.

Conclusion: The study interrogates the suitability of adherence to minimum standards of effective password usage in an emergency-driven medical environment and calls for much-needed debate in this area.

Introduction

The effectiveness of password usage in data security has been heavily criticized. A variety of assumptions regarding password usage have been made, depending on the focus of the literature. From a technical perspective, passwords are considered ineffective in restricting access only to individuals with authorized and legitimate access to data.[1] Engineers suspect that human factors play a significant role in determining the effectiveness of technical safeguards, so that human beings are deemed the weakest link in data security.[2] It remains unclear whether the use of passwords is effective in safeguarding electronic data.

Literature findings do not inspire confidence in the usage of passwords for data security. Several quotes taken from various points in time attest to this fact, for example: "Boot passwords, put your computer under lock and key"[3]; "Goodbye, passwords. You aren’t a good defense"[4], and more recently, "Forget passwords – use your face instead."[5]

There is extensive literature focusing on the effectiveness and suitability of password usage in preventing confidentiality breaches within environments such as computer security. The researchers have no knowledge of similar studies relating to the suitability of password usage within the medical environment. The aim of this article is to bring to the fore factors unique to the medical environment that argue against the direct "copy and paste" adoption of the minimum standards for effective password usage from computer security into the medical environment.

Background

The use of passwords is ineffective in restricting access only to individuals who are authorized to access data. This popular and easy means of controlling access to data may, in fact, provide the easiest way to breach confidentiality. Information technologists insist that with proper management, passwords are an effective means of protecting the security of data. Measures include, but are not limited to, the use of strong passwords, having individual rather than shared passwords, and changing passwords on a regular basis.[6]
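The three management measures just listed (strong passwords, individual rather than shared passwords, regular changes) can be checked mechanically across a set of workstation accounts. The Python below is an added example written for this page, not code from the article or the underlying study. It audits constructed account records and login sessions (not study data) against assumed thresholds (90-day rotation, 12 characters, three character classes, none of which the article specifies) and returns a per-measure percentage compliance. Two sessions of one account open at the same time on different workstations are used as the signature of a shared credential, while sequential use of several workstations by one person is left unflagged.

```python
from datetime import datetime
from itertools import combinations

# Thresholds are assumptions for this example; the article gives no values.
MAX_PASSWORD_AGE_DAYS = 90
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3

# Constructed account records (not study data): date of last password change,
# password length and number of character classes (lower/upper/digit/symbol).
ACCOUNTS = {
    "radiol01":    {"last_change": "2018-05-01", "length": 14, "classes": 3},
    "ward-shared": {"last_change": "2017-01-10", "length": 8,  "classes": 1},
    "nurse07":     {"last_change": "2018-07-15", "length": 12, "classes": 3},
}

# Constructed workstation sessions: (account, workstation, login, logout).
SESSIONS = [
    ("radiol01",    "WS-RAD-1", "2018-07-30T08:00", "2018-07-30T12:00"),
    ("ward-shared", "WS-ICU-1", "2018-07-30T08:00", "2018-07-30T20:00"),
    ("ward-shared", "WS-ICU-2", "2018-07-30T09:30", "2018-07-30T10:15"),
    ("nurse07",     "WS-ER-1",  "2018-07-30T07:00", "2018-07-30T09:00"),
    ("nurse07",     "WS-ER-2",  "2018-07-30T09:30", "2018-07-30T11:00"),
]


def _ts(value):
    return datetime.fromisoformat(value)


def shared_accounts(sessions):
    """Accounts with two sessions open simultaneously on different workstations.

    One person cannot sit at two workstations at once, so an overlap is the
    signature of a credential in shared use. Sequential sessions on different
    workstations (nurse07 above) are normal and are not flagged.
    """
    flagged = set()
    for a, b in combinations(sessions, 2):
        if a[0] != b[0] or a[1] == b[1]:
            continue
        if _ts(a[2]) < _ts(b[3]) and _ts(b[2]) < _ts(a[3]):
            flagged.add(a[0])
    return flagged


def stale_accounts(accounts, as_of):
    """Accounts whose password is older than the rotation interval on the given date."""
    as_of_dt = _ts(as_of)
    return {name for name, rec in accounts.items()
            if (as_of_dt - _ts(rec["last_change"])).days > MAX_PASSWORD_AGE_DAYS}


def weak_accounts(accounts):
    """Accounts whose password falls below the assumed length or class minimum."""
    return {name for name, rec in accounts.items()
            if rec["length"] < MIN_LENGTH or rec["classes"] < MIN_CHARACTER_CLASSES}


def compliance_report(accounts, sessions, as_of):
    """Percentage of accounts meeting each measure. This mirrors the idea of a
    'percentage compliance' figure; the study's own calculation is not shown."""
    total = len(accounts)
    failures = {
        "individual": shared_accounts(sessions),
        "rotated": stale_accounts(accounts, as_of),
        "strong": weak_accounts(accounts),
    }
    return {measure: round(100 * (total - len(failed)) / total, 1)
            for measure, failed in failures.items()}


if __name__ == "__main__":
    print(compliance_report(ACCOUNTS, SESSIONS, "2018-07-30"))
```

The overlap test deliberately ignores same-workstation overlaps, since those are usually a stale session rather than a second person; only cross-workstation concurrency is counted as sharing.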

Compliance with the minimum standards for effective password usage requires knowledge of and to some extent expertise in data security on the part of the healthcare provider.[7] However, the responsibility to comply cannot be placed solely on the healthcare provider. Standards for effective password usage should be well accepted and applied by all users of the technology. At times, factors unique to the medical field may influence the acceptance of security measures. For instance, in a medical emergency, there may be a legitimate need to circumvent the minimum standards of effective password usage in order to save a life.[2][8] It is for this reason that the contributions of both human and technical factors in normative research are noteworthy, but will never be adequate if the context in which technology is applied remains excluded.

This paper draws on the assumption that the situated use of technology creates challenges to the inscribed ethics of technology use, resulting in the emergence of new ethical dilemmas. Based on this assumption, we argue that the proper management of passwords as described in the environment of computer security is not suitable to the emergency-driven medical environment. In this paper, we reflect on the research outcome of the first author’s dissertation in putting this argument forward.[9]

Methods

A picture archiving and communication system (PACS) is a digital storage system designed to address the limitations of film and paper records. A conventional storage system imposes disadvantages that become an impediment to the continuity of patient care, because the records could be easily misplaced and therefore difficult to retrieve, resulting in delayed medical treatment.[10] PACS is inherently a radiology archiving system that may be extended to various other sections within a hospital. It allows for remote and instant access to radiology data by a multidisciplinary complement of health professionals (HPs) who are based in different locations within a hospital setting, so that the data of the same patient may be accessed simultaneously by different HPs.[11] PACS has contributed to improved patient care by increasing efficiency and the accessibility of data, and has led to fewer delays in the clinical management of patients.[11] The electronic nature of PACS makes it possible for patients’ data to be accessed, duplicated, and exported without the patient’s knowledge and consent.[12] The use of passwords aids in restricting access to PACS data, to minimize the risk of breaching patient confidentiality.

The original research aimed to determine the extent to which the practices of HPs complied with patient-confidentiality principles when using PACS. The study invitation was initially extended to six hospitals in Johannesburg. However, owing to a 75% refusal rate among this group, the eventual study sample was drawn instead from a private hospital and radiology setting affiliated to different healthcare-facility groups located in Johannesburg. The selection criteria included HPs who were willing to participate and were using PACS as either part of routine activity or as a means of delivering patient care. The study sample comprised a multidisciplinary complement of HPs such as radiologists, radiographers, student radiographers, doctors, medical specialists, and nurses.

Prior to data collection, ethical clearance was obtained from the research settings as well as the research committee of the University of Johannesburg (ref. no. HDC67/02-2011), South Africa (SA). Data were collected from various sections within the hospital, namely radiology, emergency, casualty, theatre, and intensive-care units, including coronary care, acute care, respiratory, trauma intensive care, neurology, and surgical-care units. Data were collected over a period of three months using a self-designed questionnaire, the Picture Archiving and Communication Confidentiality Scale (PAC-CS). Consent was obtained verbally and implied through the completion of the PAC-CS. Informed consent was ensured by allowing participants to ask questions relating to the study, and the data were anonymized. Access to study data was restricted to the researchers.

The PAC-CS design was informed by the content of the ISO/IEC 17799:2005[13] standard, from which the constructs, the choice of questions, and the quantification were derived and adapted. ISO/IEC 17799:2005 is a model used in information technology to benchmark an organization’s compliance with international standards of data security. The consistency of the PAC-CS design with the ISO 17799 model helped to establish its content validity and reliability. A sample size of 115 participants was achieved through the hand-delivery of the PAC-CS using a non-probability quota-sampling technique.[14]

A quantitative, correlational design was deemed suitable for determining the extent of compliance of the situated practices of effective password usage by HPs with minimum standards for effective password usage. The lack of guidelines pertaining to PACS by the Health Professions Council of SA (HPCSA) at the time of this study led to the use of the Health Insurance Portability and Accountability Act (HIPAA)’s security rule of 1996 as an alternative model for compliance with data-security rules.[15][16] The HIPAA security rule is a detailed outline of the national standards and steps necessary to protect electronic health information from inadvertent disclosures through breaches of security. The choice of this U.S. legislation was informed by its reputation as one of the best regulatory rules pertaining to electronic data security, embedded in the fact that it is continually updated in line with technological advances, and most importantly, addresses the security needs of PACS technology explicitly.[16]

References

  1. Dayarathna, R. (2009). "The principle of security safeguards: Unauthorized activities". Computer Law & Security Review 25 (2): 165–72. doi:10.1016/j.clsr.2009.02.012. 
  2. Ifinedo, P. (2012). "Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory". Computers & Security 31 (1): 83–95. doi:10.1016/j.cose.2011.10.007.
  3. Steers, K. (2003). "Boot passwords, put your PC under lock and key". PC World 21 (9): 168. 
  4. Stross, R. (9 August 2008). "Goodbye, Passwords. You Aren’t a Good Defense". The New York Times. https://www.nytimes.com/2008/08/10/technology/10digi.html. Retrieved 27 May 2017. 
  5. Graham, J. (5 January 2015). "Forget passwords - use your face instead". USA Today. https://www.pressreader.com/usa/usa-today-us-edition/20150105/281801397332402. 
  6. Payton, L. (2010). "Memory for Passwords: The Effects of Varying Number, Type, and Composition". PSI CHI Journal of Psychological Research 15 (4): 209–13. doi:10.24839/1089-4136.JN15.4.209. 
  7. Williams, P.A.H. (2008). "In a ‘trusting’ environment, everyone is responsible for information security". Information Security Technical Report 13 (4): 207–15. doi:10.1016/j.istr.2008.10.009. 
  8. Robinson, R. (2016). "Moral Distress: A Qualitative Study of Emergency Nurses". Dimensions of Critical Care Nursing 35 (4): 235–40. doi:10.1097/DCC.0000000000000185. 
  9. Mahlaola, T.B. (20 January 2015). "Compliance of health professionals with patient confidentiality when using PACS and RIS". University of Johannesburg. https://ujcontent.uj.ac.za/vital/access/manager/Repository/uj:13153.
  10. Beach, J.; Oates, J. (2014). "Maintaining best practice in record-keeping and documentation". Nursing Standard 28 (36): 45–50. doi:10.7748/ns2014.05.28.36.45.e8835. 
  11. Bolan, C. (2013). "Technology Trends: A view of the future image exchange". Applied Radiology 42 (11): 32–7. https://appliedradiology.com/articles/technology-trends-a-view-of-the-future-image-exchange.
  12. Benatar, D. (2010). "Indiscretion and other threats to confidentiality". South African Journal of Bioethics & Law 3 (2): 59–62. http://www.sajbl.org.za/index.php/sajbl/article/view/101. 
  13. Bird, K. (20 June 2005). "Improved ISO/IEC 17799 makes information assets even more secure". ISO News. International Organization for Standardization. 
  14. Daniel, J. (2012). Sampling Essentials: Practical Guidelines for Making Sampling Choices. SAGE Publications. doi:10.4135/9781452272047. ISBN 9781412952217. 
  15. Health Professions Council of South Africa (May 2008). "Guidelines for Good Practice in the Health Care Professions" (PDF). http://www.hpcsa.co.za/Uploads/editor/UserFiles/downloads/conduct_ethics/rules/generic_ethical_rules/booklet_10_confidentiality_protecting_and_providing_information.pdf. 
  16. Cao, F.; Huang, H.K.; Zhou, X.Q. (2003). "Medical image security in a HIPAA mandated PACS environment". Computerized Medical Imaging and Graphics 27 (2–3): 185–96. doi:10.1016/S0895-6111(02)00073-3.

Notes

This presentation is faithful to the original, with only a few minor changes to presentation. In some cases important information was missing from the references, and that information was added.