7/25/2019 Jothi EMR Chapter2 LiteratureReview 07072009 MC
Chapter 2: Literature Review
2.1 INTRODUCTION
The huge growth of information in the medical environment has made an information
system a necessity. The clinical and related medical information managed by these
programs is commonly referred to as the Electronic Medical Record (EMR). The
implementation of the EMR promises significant advances in patient care because such
a program enhances readability, availability, and data quality.
EMRs are readily accessible, increase standardization for seamless use where and when
required, and greatly reduce the likelihood of error in either entry or interpretation of
medical information (Asefzadeh, 2005). Having a patient's medical and contact
information readily available can be potentially life-saving during critical medical events
such as severe allergic reactions or heart attacks. Moreover, by reducing errors and saving
time, EMR may help reduce the large number of deaths attributed to medical
errors.
Enhanced availability of health information in an electronic format is strategic for industry-wide
efforts to improve the quality and reduce the cost of healthcare. However, it brings a
concomitant concern of greater risk for loss of privacy among healthcare participants. Due
to the level of security they provide for data storage, integrated circuit (IC) cards, commonly
known as smartcards, seem to offer a new perspective for healthcare applications. Medical
applications of smartcards can be used for storing information including personal data,
insurance policies, emergency medical information, allergies, hospital admission data and
recent medical records. Numerous national hospitals in the United States, Europe (France
and Germany) and even in Asia (Hong Kong) have already started implementing the
healthcare card solution (Samuel, 1998).
The literature study of this research starts by critically analyzing the various definitions of
EMR. To understand the contribution of EMR in the medical world, its strengths and
weaknesses will be analyzed in detail. Next, a study on the adoption of the EMR program
will be presented to identify the acceptability of the program by the various stakeholders in
the healthcare environment. The second part of the study will focus on smartcard
technology and its application in healthcare systems. A detailed critical analysis
will be done on the architecture, features and applicability of smartcard technology in
ensuring the security of health data. Finally, current studies by other researchers in the
healthcare smartcard area are also analyzed to distinguish them from the study undertaken in this
research.
2.2 DEFINITION AND TERMINOLOGIES
In recent years, clinical and related medical information has increasingly been managed by
information systems as the so-called electronic medical record (EMR). However, a
common definition of the term "electronic medical record" has not yet been established,
causing problems in business transactions as well (JAMI, 2003). To date there are
approximately 13 sets of terminologies and definitions for EMR. In recent years, the
terms Electronic Medical Records (EMR), Electronic Health Records (EHR) and Patient
Health Records (PHR) have gained popularity. Most of these terms have arisen mainly
from vendors' marketing efforts to claim mind share over what EMR should actually be
called. The Google search trend data indicates an increased usage of EHR, but EMR
remains more prevalent. The same is true when we look at the usage of terminology by
other software vendors (Neal, 2006).
The following chart shows the distribution and the popularity of terminologies used in
medical software:
Figure 2.1 Popularity of Terminologies used in Medical Software
Source: Software Advice, (2006)
The next section will discuss the definitions of these terms to further understand the
differences and the similarities of these acronyms. However, this research will use the
definition provided recently by the US National Alliance for Health Information
Technology (NAHIT).
2.3 AN ANALYSIS ON MEDICAL RECORD TERMINOLOGIES
Many terminologies such as Electronic Medical Record, Electronic Health Record and
Electronic Patient Health Record are in use in medical informatics to refer to digitalized
patient health data. Although these terminologies share some common attributes, the
distinctions between their definitions, contents, sources and storage medium are significant
and the nature of implementation differs from one system to another.
2.3.1 THE ELECTRONIC MEDICAL RECORD (EMR)
Many studies in the information technology (IT) field have presented the definition of
EMR according to its nature and its field of application. In reference to the Japan
Association of Medical Informatics (JAMI) publication: a common definition of the term
"electronic medical record" has not yet been established, causing problems in business
transactions. To present a meaningful opinion under the present circumstances, we should
primarily evaluate the current situation, since various functions expected of the EMR and
its current achievements need to be taken into consideration (JAMI, 2003).
This paper highlights the fact that EMR is best defined after evaluating the functionality
and application of EMR in medical informatics. JAMI examined the necessity and the
functions of the EMR and defined EMR in line with its function, whereby the main function
of the EMR is to store patients' medical information such as clinical findings and
examination results. Meanwhile, Pat Wise at the Healthcare Information and Management
Systems Society said that EMRs are what currently exist in most practices that have
adopted electronic records, but that EHRs are what the nation aspires to and what
President Bush calls for. "An electronic medical record is owned by the organization,
practice or corporation that you received your healthcare from - be it St. Elsewhere,
County-Municipal, or Doc Smith," Wise explained. "When you're discharged from St.
Elsewhere, you know they don't hit the 'delete' button and wipe out everything. And while
that information is theirs to own, it's also expected that it's theirs to protect," she said.
Another common definition is that an electronic medical record is a patient medical record that
is computer based. It was founded to make patients' data easily available to clinical staff at
any location. A patient's record contains any allergic and drug reactions (Clinfowiki,
2005). At this point, very few hospitals have EMR solutions that can effectively reduce
medical errors or improve the quality and efficiency of patient care.
2.3.1.1 Contents of EMR
In many implementations, EMRs represent an attempt to translate information from paper-based
records into a computerized format. Over time, it is anticipated that the content of
EMR will expand beyond that, from a mere digitized record to including x-rays and videos
of telemedicine sessions. At the present time, EMRs include patients' histories, family
histories, risk factors, findings from physical examinations, vital signs, test results, known
allergies, immunizations, health problems and responses to therapy.
2.3.1.2 Sources of EMR
There are two primary categories of the EMR: the born-digital record and the
scanned/imaged record. The born-digital record, which is information captured in a
native electronic format originally, is information that may be entered into a database,
transcribed from an electronic tablet or notebook PC, or in some other manner captured
from its inception electronically. The information is then transferred to a server or other
host environment, where it is stored electronically. The second category is records
originally produced in a paper or other hardcopy form (x-ray film, photographs, etc.) that
have been scanned or imaged and converted to a digital form. These records are best
described as "digital format records", as their content is not able to be modified or altered
(with the exception of the use of third party software to make "overlay notations") as
electronic records are (ClinfoWiki, 2005). Figure 2.2 illustrates the different sources of
EMR.
Figure 2.2 Sources of EMR
Source: The Norwegian University of Technology and Science
There are many ways of defining an EMR. According to the findings above, EMR is
simply defined as digital medical records or clinical records and EMR based systems are
applications designed to manipulate these records according to the implementation
environment.
EMR: The electronic record of health-related information on an individual that is
created, gathered, managed, and consulted by licensed clinicians and staff from a single
organization who are involved in the individual's health and care.
2.3.2 THE ELECTRONIC HEALTH RECORD (EHR)
Many in the healthcare industry, including the Malaysian government and the press, use the
terms Electronic Medical Record (EMR) and Electronic Health Record (EHR)
interchangeably. However, these terms describe completely different concepts, both of
which are crucial to the success of local, regional, and national goals to improve patient
safety, improve the quality and efficiency of patient care, and reduce healthcare delivery costs.
The EMR is the legal record created in hospitals and ambulatory environments that is the
source of data for the EHR. The EHR represents the ability to easily share medical
information among stakeholders and to have a patient's information follow him or her
through the various modalities of care engaged by that individual (Garets and Davis, 2006).
An EHR is a more complex version of an EMR and fundamentally depends on the
interoperability or communication among and between multiple healthcare stakeholders.
An EHR is a linking system rather than an independent database, and is more of a process
than a product. An integrated EHR will link to separate sources detailing medical history
and images, laboratory results and drug allergies.
EHR: The aggregate electronic record of health-related information on an individual
that is created and gathered cumulatively across more than one healthcare organization
and is managed and consulted by licensed clinicians and staff involved in the
individual's health and care.
2.3.3 THE ELECTRONIC PERSONAL HEALTH RECORD (ePHR)
The Electronic Personal Health Record (ePHR) contains medical information and it is
owned by the patient. Information contained in the ePHR may have been created by any
number of sources including the patient, a lab, a physician's practice, a hospital or an
insurance company (Hartley and Jones, 2005).
Unlike EMRs kept by some doctors, healthcare facilities and insurance companies, the
contents of an ePHR are determined by the patient and stored in the manner he or she
wishes. They may be stored on a local computer, a thumb drive (small personal hard drive),
or through an online service.
Generally, patients begin by typing basic information such as blood type and family history
into their records. If they have kept paper copies of records obtained from their doctors,
then they may scan those records and save them as word processor or PDF files.
2.3.3.1 Contents of ePHR
Patients may choose to keep only emergency information for easy retrieval, or may decide
to keep a complete record of all their doctor visits, prescriptions, hospitalizations, medical
tests, and insurance information. Some patients do this so that family members have a more
detailed record, should it be needed.
2.3.3.2 Storage of ePHR
The American Health Information Management Association (AHIMA) website states that there are
three forms of ePHR technologies from which a patient might choose to record their health
information:
- Local computer hard drive
- Removable USB drives
- Online subscription services (free/paid)
ePHR: An electronic, cumulative record of health-related information on an individual,
drawn from multiple sources, that is created, gathered, and managed by the individual.
The integrity of the data in the ePHR and control of access to that data is the
responsibility of the individual.
2.3.4 CO-RELATION BETWEEN AN EMR, EHR AND ePHR
EMR, EHR and ePHR are all managed by computers, meaning they are retrieved and
updated using computer hardware and software. EMR and EHR are very similar in
nature and are updated by the care providers. The vast difference between them is that they
relate to the owner of the record, to seemingly give the patient more control over the
management of their own healthcare. Meanwhile, the Electronic Personal Health Record
(ePHR) is making its way through the market as a potential alternative to EMR and EHR,
with the patient being the owner and managing access control to the record. All health
information records contain very personal and private information. Therefore they are
subject to a number of ethical and legal issues such as the third-party access level,
appropriate storage and disposal methods and the privacy and security measures needed to
protect every patient's right to privacy.
ePHR gives the patient more control over the tracking of their medical care, the sharing of
their medical information and the ability to populate the record with pertinent information
that a new doctor may otherwise not be aware of because the patient failed to disclose the
information. However, the ability given to both the patient and the payers to edit and
modify health records raises the question of integrity of the data.
EMR programs are owned by the healthcare organization. They contain the full record of all
medically related information about a patient including billing and procedure data from all
instances of care provision. On the other hand, the EHR contains just the health information
and is usually controlled by the care providers. The PHR is owned by the patient and
possibly the payer, depending on which way the market decides to turn (Clark, 2008).
However, according to the Medical Records Institute, five levels of an Electronic
HealthCare Record (EHCR) can be distinguished:
1. The Automated Medical Record is a paper-based record with some computer-generated
   documents.
2. The Computerized Medical Record (CMR) makes the documents of level 1
   electronically available.
3. The Electronic Medical Record (EMR) restructures and optimizes the documents of
   the previous levels ensuring inter-operability of all documentation systems.
4. The Electronic Patient Record (EPR) is a patient-centered record with information
   from multiple institutions.
5. The Electronic Health Record (EHR) adds general health-related information to the
   EPR that is not necessarily related to a disease.
Table 2.1 outlines the significant differences between an EMR and EHR.
Table 2.1 EMR and EHR Comparison (Garets and Davis, 2006)

| Electronic Medical Record (EMR) | Electronic Health Record (EHR) |
| --- | --- |
| Is the legal record of a Care Delivery Organization (CDO) | A subset of information from the various CDOs where patient has had treatments or consultations |
| Record is owned by the CDO | Record is owned by the patient or any other stakeholders |
| These systems are being sold by the enterprise vendors and installed by hospitals, health systems, clinics, etc. | These systems are installed amongst a group of organization under the Regional Health Information Organization (RHIO) be it community, state, or regional emergence today or even nationwide in the future |
| The system allows patient accessing to some results information through a portal but it is not interactive | The system provides interactive access for patients as well as the ability for the patient to append information. |
2.4 CAPABILITIES OF EMR
Capabilities of EMR can be evaluated based on its advantages and disadvantages to the
healthcare industry.
2.4.1 Advantages of EMR
The primary benefit of using electronic records is the ability to manage the access for
authorized and authenticated users. EMRs allow providers to access health information from
various locations and to share that information more easily with other potential users.
Multiple users may access the information simultaneously. Ease of access to this
information should reduce adverse outcomes, such as missed diagnoses, unnecessary
repetition of dangerous procedures, unintended drug interactions, or use of contraindicated
treatments. The added value of a complete and up-to-date medical record made
immediately available to medical caregivers seems undeniable.
Benefits of a real time, centralized, paperless record include reducing the need for costly
reproductions of laboratory findings and diagnostic reports which in many healthcare
facilities are still being typed, copied, and physically carried to the hospital floor, clinic
office, or medical records room to be placed in the patient's chart. Loss of reports or delays
of hours and, in some cases, days, are common until this information reaches the chart and
the providers who must integrate it into a meaningful mosaic in order to provide
appropriate care.
What once required multiple steps of retrieving the chart, searching for missing or misfiled
data, transcribing orders, filling out multiple lab, diagnostic test, and pharmacy requisitions,
or writing progress notes hours after having actually examined the patient is now
completed immediately and routed to the appropriate destinations with far fewer errors of
transcription, loss of information or patient misidentification. Moreover, once charting is
completed and orders are dispatched, when the doctor wants to explain something
to the patient and family, he or she simply touches an interactive icon on the monitor screen
to switch to multimedia mode, where videotapes of operative and treatment procedures or a
replay of the patient's actual diagnostic test done earlier in the day can be displayed as
per the physician's instructions or information.
With electronic record keeping systems, data can be collected to facilitate care
co-ordination and quality assurance activities, assess practice patterns and treatment outcomes, and
conduct medical research. From the patient's point of view, this should help to produce
higher quality care. Other potential advantages of EMR include the integration of clinical
decision support systems to reduce the use of more expensive or less effective procedures
and treatments by prompting clinicians about alternative options when they enter
orders in the system. This would then prevent the phenomenon of clinical cascade, as
clinicians can be informed that they are ordering screening tests or treatments related to
medical conditions that are likely to have an extremely low prevalence among their patients.
Furthermore, it allows clinicians to avoid adverse outcomes by monitoring care and
alerting providers to contraindicated treatments, and at the same time improves the ability
to defend in malpractice suits due to more complete and legible records of the treatments
actually provided. In a world with a fully integrated EMR, the hospital's or clinic's
billing and accounts receivable departments might no longer require more
staff and space than most of their clinical units combined.
While as yet unproved, there is a strong likelihood that using a fully integrated electronic
medical record as the informational matrix of a collaborative treatment approach would
produce more cost-effective care through the efficient use of clinical, as well as
administrative, staff and services. Whether such systems would measurably improve the
quality of care delivered remains a challenge to be measured and proved scientifically
(Silverman, 1998).
2.4.2 Disadvantages of EMR
Even though EMR offers opportunities for improving security, the access can be limited to
just that portion of the record that is pertinent for the user. In a recent poll almost half of
those being surveyed stated that they were very concerned about their personal privacy
and one-third stated that they were very concerned about the possible negative
consequences of EMR. Such concerns are growing as more sensitive information, such as
HIV status, psychiatric records, and genetic information, is stored in the medical records.
In order to address these concerns, one would require both a better understanding of the
vulnerabilities of health information in an electronic form and the various mechanisms that
are made available for protecting such information.
2.5 EMR ADOPTION MODEL
The EMR Adoption Model identifies and scores hospitals using an eight-step scale that
charts the path to a fully paperless environment. It was created to identify the levels of
EMR capabilities ranging from an environment at Stage 0, with few to no clinical
applications, through to Stage 7, a paperless EMR environment where data can be easily
exchanged between the care provider settings.
Healthcare Information and Management Systems Society (HIMSS) Analytics, being the
authoritative source on EMR Adoption trends, devised the EMR Adoption Model to track
EMR progress at hospitals and health systems (HIMSS Analytics, 2008).
Figure 2.3 EMR Adoption Model
Source: HIMSS Analytics, 2007
2.5.1 EMR ADOPTION IN UNITED STATES OF AMERICA (USA)
The adoption of the EMR has increased slightly over the years, from 105,000 physicians in
2003 to approximately 130,000 physicians in 2005, according to the research (Monegain,
2005). However, the adoption rate of EMR in the United States has seen lower growth
compared to other nations like Australia, the United Kingdom, New Zealand and the Netherlands.
Although the US leads in healthcare spending and its healthcare system is touted as one of
the best in the world, the adoption rate of EMR is only at 28%. The 2006 study by the
Commonwealth Fund also reports that the Netherlands has the highest adoption rate at 98%,
followed by New Zealand (92%), the United Kingdom (89%) and Australia (89%).
These statistics agree with the survey results of the American Hospital Association, which show that
only 11% of community hospitals in the US have fully implemented EMR systems. The
results also indicate that 57% of the community hospitals have implemented partial EMR
systems while another 32% have not implemented them at all. However, these rates are
contradictory to the HIMSS Analytics, 2007 report, which shows 20.7% at Stage 0, 79.3%
between Stages 1-6 (partial implementation) and none of the hospitals at Stage 7.
2.5.2 EMR ADOPTION IN ASIA
According to Madhav Ragam of IBM Asia Pacific, Electronic Medical Records (EMRs)
have already gained importance in the western world with governments taking up
initiatives to implement them across the nations. Comparatively, in Asia, especially in
countries like India and China, there is a long way to go before the benefits of EMRs can
be realized. Japan shares the same scenario where the recent survey on 1574 hospitals with
300 or more beds, and a random selection of 1000 hospitals with less than 300 beds and
another 4000 clinics in 2007 reveals that the EMR adoption rate is only 10% for hospitals and
10.1% for clinics. The study also recommends that communication between EMR systems
be further standardized to secure functional and semantic interoperability in Japan
(Yasunaga et al., 2008). However, in Singapore, according to Chng Wong Yin of
Singhealth, the national public healthcare provider, they have successfully implemented
EMR systems in all of their 3 hospitals, 4 national centers and 8 polyclinics. Singhealth's
patients now have the flexibility of moving conveniently between their hospitals and
polyclinics to seek care and treatment. As of 2004, it was reported that a total of 2,500
workstations had been installed with EMR software and an estimated 6,200 users had been
trained on the handling of EMR systems.
2.6 HEALTHCARE IN MALAYSIA
Healthcare in Malaysia has undergone some radical transformations. The earliest pre-colonial
medical cases were confined mostly to those traditional remedies that are evident
today in Malay, Chinese, Indian and other ethnic groups. However, with the birth of
colonialism, more modern and westernized medical practices were slowly introduced to the
country (Alianz, 2008). In line with Vision 2020, Malaysia is to develop the most advanced
health system in the world by harnessing the power of information and multimedia
communications technology. The country's vision of healthcare is as follows (Hashim,
2005):
Malaysia is to be a nation of healthy individuals, families and communities
through a health system that is equitable, affordable, efficient, technologically
appropriate, and environmentally adaptable and consumer friendly, with
emphasis on quality, innovation, health promotion and respect for human
dignity and community participation
Malaysia is in an enviable position of being able to control its healthcare cost spending to
less than 3% of Gross Domestic Product (GDP) and yet enjoys health indicators of most
developed nations. The average healthcare costs of most developed countries amounted to
10%-12% of GDP and in the US, healthcare cost accounted for 15% of GDP. World Health
Organization guidelines recommend that health services spending should be around 5% of
GDP. Having achieved this enviable status, the Ministry of Health will want to ensure that
healthcare cost in Malaysia remains cost effective in the future and that high quality
healthcare service is available to everyone. The Telehealth project is one of the main
avenues to achieve this (Hashim, 2005).
2.6.1 EVOLUTION OF HEALTHCARE IN MALAYSIA
Under the 7th Malaysian Plan, there was substantial investment in information technology
and a large public building program for health facilities, in order to increase access for the
low-income population, particularly in rural areas. The Ministry of Health has good
telemedicine and telehealth capacity with a Telemedicine Act enacted in 1997. During the
7th Malaysia Plan (1996-2000), a fully computerized Total Hospital Information System
(THIS) was completed and operated in two hospitals. THIS was further expanded in the 8th
Malaysia Plan (2001-2005). The application of five telehealth projects, namely the Lifetime
Health Plan (LHP), the Lifetime Health Records (LHR), Continuing Medical Education
(CME), Mass Customized Personalized Health Information and Education (MCPHIE) and
Teleconsultation will be expanded nationwide. In the 9th Malaysia Plan, among the major
outcomes would be the development of electronic reporting system for the generation of
health information management system statistics and reports and the establishment of the
National Health data warehouse to contain all domain repositories and registries. (WHO,
2006)
The Health Director-General Tan Sri Datuk Dr Hj Mohd Ismail Merican commented in the
Star Special July 2006 edition on the Ministry of Health (MOH), "As you know, one of the
strategic plans for the 9MP is to achieve better healthcare through the consolidation of
services. This will mean focusing on quality in the delivery of health services and not just
quantity" (Loei, 2006). One of the many actions taken by MOH to increase the quality of
healthcare in Malaysia is through the Telehealth project. Making a success of telehealth is
part of the goals of the Ninth Malaysia Plan (9MP), which has allocated RM10.28 billion
for health sector development. According to the Plan, sharing of information through the
Lifetime Health Record (LHR) and Lifetime Health Plan (LHP) services within telehealth
services will be given emphasis. Both services were piloted in Seberang Perai, Penang
(Peterson, 2007).
2.6.2 THE MALAYSIA TELEHEALTH PROJECT
Telehealth refers to the integration of information, telecommunication, human-machine
interface technologies and health technologies to deliver healthcare, to promote the health
status of the people and to create health awareness. The integrated Telehealth Project, as
designed and customized to suit the Malaysian circumstances, consists of an integrated
system made up of four major components (Harum, 2004):
- Customized / Personalized Health Information and Education
- Continuing Medical Education (CME)
- Teleconsultation
- Lifetime Health Plan (LHP)
Within these four pilot projects, the Electronic Medical Record (EMR) plays an important role
in providing patients' medical histories. To date, some components in the Telehealth
projects are already accessible on the web but are yet to be implemented (Haslina and
Sharifah, 2005).
The Malaysian Telehealth Application will, on completion, provide every resident of the
country an electronic Lifetime Health Record (LHR) and Lifetime Health Plan (LHP). He
or she will also hold a smartcard that will contain a subset of the data in the Lifetime Health
Record. These will be the means by which Malaysians will receive "seamless continuous
quality care" across a range of health facilities and healthcare providers and by which
Malaysia's health goal as a nation of "healthy individuals, families and communities" is
achieved. The challenges to security and privacy in providing access to an electronic
Lifetime Health Record at private and government health facilities and to the electronic
Lifetime Health Plan at homes of consumers require not only technical mechanisms but
also national policies and practices addressing threats while facilitating access to health
data during health encounters in different care settings.
2.7 SECURITY, PRIVACY AND CONFIDENTIALITY OF EMR
Security, privacy and confidentiality of electronic medical records are the major concerns in
healthcare informatics. These aspects are distinct but inextricably linked (Terry, 2007). The
distinction can be expressed as follows: security is the protection of information from people,
and privacy is the protection of people from information. Jo Luck, in his Australian Health
Informatics Guideline, mentioned that the major security concerns are the impacts on the hospital
of security events that affect:
- Availability of data and services: the extent to which the ability of the
  organization to provide a service will be affected by the loss or degradation of a
  given information processing or communication facility or the loss of a given set
  of data.
- Authentication and integrity of data: the extent to which the ability of the
  organization to provide a service will be affected by the accidental corruption of a
  given set of data or the malicious corruption of the given set of data or the
  acceptance of a given set of data which did not originate from its purported
  source.
- Confidentiality of data: the extent to which the ability of the organization to
  provide a service will be affected by the disclosure of the given set of data to an
  unauthorized person.
2.7.1 SECURITY CONCERNS OF EMR
The notion of confidentiality in healthcare has a strong professional tradition that has
suffered progressive erosion due to reimbursement schemes, managed care and other
healthcare organizational structures, and the perceptions and culture of professionals within
modern healthcare systems.
Privacy, security and confidentiality are closely linked concepts in the discussion of
health information systems. Confidentiality is defined as information being made available
only to authorized users, and it is seen as one of the important goals in information
systems. Confidentiality also refers to the ethical principle associated with the professional,
and in the context of this research the communication between the doctor and patient is
confidential between these parties and should not be revealed to other parties (Wikipedia,
2007). Privacy, on the other hand, refers to an individual's right to control access to and
disclosure of their personal information. Health information privacy gives the owner of the
information the right to control the dissemination and use of information about the
individual.
Security refers to measures taken to safeguard personal information from unauthorized
access, use or disclosure. Some distinguish between data security and system security. Data
security results from measures that effectively protect data and computer programs from
threats such as unauthorized access and disclosure, impermissible alteration, unauthorized
copying and theft (Luck, n.a).
2.7.2 THREAT TYPES OF EMR
There are two major types of threats to electronic health information in any
healthcare organization: threats from inside intruders and threats
from outside intruders. The differences between these threats are based on the motive of the
intruder, the resources the intruder has and the benefit or effect the intruder causes
the stakeholder.
2.7.2.1 Insider Threats
The root cause of insider threats is more often than not the employees of
the healthcare organization. Conversations in public places such as elevators or coffee
corners among care providers could leak private information about patients to
unauthorized persons. Conversation is not the only opportunity for information leaks:
laboratory test results left on the screens and tables of practitioners also contribute to
information leakage. These activities are the daily innocent mistakes that cause
accidental disclosures of private health information. The next type of threat from
employees is the use of a granted access privilege to access confidential information. This
situation arises when there is curiosity to know more about a patient's highly sensitive
information such as a medical report, diagnosis and more. The third type of intrusion by the
insider is accessing the information to earn profits. Figure 2.4 illustrates different forms of
insider threats to the health information in a healthcare organization.
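The second and third insider patterns above (privileged access out of curiosity, and access for profit) leave traces in the record-access audit trail. The following added example, which is not part of the original chapter, flags both over a constructed log; the log format, the care-team register and the threshold of four patients per day are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit trail (not from a real system). Assumed line format:
# ISO timestamp, staff id, role, patient id, action.
AUDIT_LOG = """\
2007-03-01T09:02:11 dr_lim doctor P1001 view_record
2007-03-01T09:15:40 nurse_tan nurse P1001 view_lab_result
2007-03-01T10:05:02 clerk_raj clerk P2002 view_record
2007-03-01T10:06:30 clerk_raj clerk P2003 view_record
2007-03-01T10:07:12 clerk_raj clerk P2004 view_record
2007-03-01T10:08:55 clerk_raj clerk P2005 export_record
2007-03-01T11:30:00 nurse_tan nurse P3007 view_diagnosis
2007-03-01T14:20:09 dr_lim doctor P2002 view_record
malformed line without enough fields
"""

# Assumed register of staff who currently have a working relationship
# with each patient (treating doctor, ward nurse, registration clerk).
CARE_TEAM = {
    "P1001": {"dr_lim", "nurse_tan"},
    "P2002": {"dr_lim", "clerk_raj"},
    "P2003": {"clerk_raj"},
    "P3007": {"dr_lim"},
}


def parse_log(text):
    """Return (events, skipped): parsed entries and the count of malformed lines."""
    events, skipped = [], 0
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            stamp, user, role, patient, action = fields
            when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            skipped += 1  # wrong field count or unparseable timestamp
            continue
        events.append({"when": when, "user": user, "role": role,
                       "patient": patient, "action": action})
    return events, skipped


def out_of_care_accesses(events, care_team):
    """Curiosity pattern: a valid account opens a record of a patient
    with whom the account holder has no working relationship."""
    return [e for e in events
            if e["user"] not in care_team.get(e["patient"], set())]


def bulk_access(events, threshold):
    """Profit pattern: one account touches many distinct patients in a day.
    Returns {(user, date): distinct_patient_count} for counts >= threshold."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["when"].date())].add(e["patient"])
    return {key: len(patients) for key, patients in seen.items()
            if len(patients) >= threshold}


if __name__ == "__main__":
    events, skipped = parse_log(AUDIT_LOG)
    print("parsed", len(events), "events;", skipped, "malformed line(s) skipped")
    for e in out_of_care_accesses(events, CARE_TEAM):
        print("no care relationship:", e["user"], e["action"], e["patient"])
    for (user, day), count in bulk_access(events, threshold=4).items():
        print("bulk access:", user, "opened", count, "patients on", day)
```

Accidental disclosures such as overheard conversations or results left on a desk never reach the audit trail, so this kind of review covers only the two deliberate patterns.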
2.7.2.2 Outsider Threats
Outsider threats concern unauthorized data access by individuals who do
not have any access to the system in any possible way. This is the pure technical threat - an
attacker with no authorization and no physical access. An example is the intruder who
breaks into a system from an external network and extracts patient records. This threat is
dangerous when patient records are accessed regularly through an external network. It is
clear that most providers are moving toward the use of networking and distributed
computing technologies as they move towards electronic medical records. Therefore this
type of threat will cause mass disclosure of confidential information.
Figure 2.4: The different types of insider threats to information
Source: Vericept
2.8 CASE STUDIES ON SECURITY BREACHES IN EMR SYSTEMS
The increasing adoption of EMR is fundamental to the transformation of the healthcare
system. The information created, accessed and stored in these systems, and their ability to
integrate with health information networks and data exchanges, introduces complex
security issues. This, coupled with the rising number of information security breaches, has
raised concerns regarding their vulnerability.
To address those issues, the board of eHealth Vulnerability Reporting Program undertook
two case studies in 2006 in the United States. The summaries of the two case studies are
described in the next sections (eHVRP, 2007):
2.8.1 Case Study #1
The first case study ran for a duration of fifteen (15) months, from May 2006 to
August 2007. It aimed to assess the security risks associated with EMR systems.
Methodologies used in this study were:
• Evaluate current industry information security practices
• Assess level of risk related to EMR systems
• Benchmark healthcare information security practices against other industries
• Produce a set of recommendations relating to activities beneficial to
protecting information systems in the healthcare industry
A total of 850 EMR solution provider organizations were surveyed, and penetration testing
was performed on seven EMR systems, including:
• One (1) eRx (Electronic Prescription System)
• One (1) inpatient EMR system (custom developed)
• Five (5) CCHIT (Certification Commission for Healthcare Information
Technology) certified ambulatory EMR Systems
Some of the research questions in this survey were:
1. Can EHR vulnerabilities be exploited to gain control of application or access
to data for modification or retrieval?
The significance of the findings was:
a. Vulnerabilities can be exploited
b. Skill level required to exploit is low
Figure 2.5: Level of vulnerability exploitation
Source: eHVRP Industry Review, 2007
2. Do EMR applications have vulnerabilities consistent with other complex
applications?
The significance of the findings was:
a. Significant difference between best and worst
b. Relatively easy test to perform
c. Validates common assumptions
Figure 2.6: Level of vulnerability severity
Source: eHVRP Industry Review, 2007
3. Does security software effectively reduce time of exposure?
The significance of the finding was:
a. Risk of vulnerability exploitation can be dramatically reduced
when vulnerabilities are known and appropriate security controls
are in place
Figure 2.7: Vulnerability duration
Source: eHVRP Industry Review, 2007
The study also recommends that eHealth system vendors and healthcare organizations:
• Regularly perform application security tests, document results and incorporate
these activities in their SDLC
• Recommend and implement compensating controls
• Vendor recommended system hardening
• Timely review and deployment of vendor approved patches
• Effective security controls such as IDS/IPS, and application firewalls to protect
systems until patches are available
• Security policies/rules to protect against known and unknown vulnerabilities
• Solution approaches that address the needs from the large and technologically
sophisticated to the small and less technologically sophisticated healthcare
organization
2.8.2 Case Study #2
Another study by the same organization, over the same period, was conducted at a
medical centre meeting the following criteria:
• More than 500 medical practitioners
• Serving more than 500,000 patients in a large metropolitan city
• Recognized as a top performing medical group
• Implemented an EMR system in 2004 that is considered a critical system.
Downtime would have significant impact on business operations
The major findings of this survey were listed as:
1. Initial survey response/dialogue indicated no knowledge of EMR specific
vulnerabilities or application specific intrusion protection or application level
security systems implemented. Other network perimeter defenses were
implemented.
2. Performed vulnerability and penetration testing of EMR applications using
automated tools and manual techniques.
3. Identified security vulnerabilities and demonstrated exploits including:
o Ability to remotely gain full access to the system and view any
health record or information
o Ability to remotely modify any data such as drug dosage
o Ability to remotely delete any specific record or all records
o Ability to generate orders, such as for medications operations
4. Established requirements for security technology
o Practical to deploy
o Cost effective
o Minimal impact on operations
5. Evaluated host intrusion prevention systems (IPS) as a compensating control
6. Initial results support premise that solutions are available that meet the
requirements (cost of ownership, operational impact and level of protection)
Some of the research questions in this survey were:
1. How many defects does a typical application contain?
The significance of the finding was:
a. Likely many, for the following reasons:
i. Applications are complex and rely on upwards of 100
million lines of code when the Operating System, database
and application code are taken into account.
ii. Studies have shown that 1 to 1 vulnerabilities exist for
every 1,000 lines of code irrespective of type of application
or industry.
2. How exploitable are they, can they really be used to cause damage?
The significance of the finding was:
a. It varies depending on certain factors including criticality of
the vulnerability, the level of access to the system required to
exploit, effort and sophistication of the attack, controls in
place among others.
b. As part of the program, penetration testing demonstrated how
new vulnerabilities could be found and successful exploits
created in only a matter of days. Additionally security
statistics show how widely exploitable systems are, the rate at
which vulnerabilities are being found and the areas that
attacks are targeting.
• 60% of customer-facing web applications have an
exploitable vulnerability.
• 4,375 vulnerabilities in the first 9 months of 2006.
• Web flaws are the most common.
• 75% of attacks take place at the application layer.
3. We have a firewall; isn't that sufficient?
The significance of the finding was:
a. No, perimeter firewalls are important network security controls that can
limit where an application attack can originate, but do not deal with the
application flaw itself
Figure 2.8: Level of protection against attacks
Source: eHVRP Industry Review, 2007
4. Isn't it impractical and cost prohibitive for system purchasers to address
software vulnerabilities?
The significance of the finding was:
a. No, an entire security industry has evolved to help organizations cope
with vulnerabilities in application software. Organizations need to
establish their risk tolerance and implement appropriate controls to
ensure compliance. These controls have been identified as best practice
and are commonly used in many industries.
2.9 TECHNICAL REVIEW OF SMARTCARD TECHNOLOGY
Smartcards are used in information technologies as portable integrated devices with data
storage and data processing capabilities. As in many other fields, smartcard use in healthcare
systems became popular due to their increased capacity and performance (Yanjiang, 2002).
Their efficiency, with easy and fast data access facilities, has led to particularly widespread
implementation in security systems. Smartcards' role in the healthcare sector is obviously
constrained by the technical capabilities that are available at any point in time.
The smartcard is defined as a credit card with a brain on it, the brain being a small
embedded computer chip. (Rinaldo, 1997) Some types of smartcard may have a
microprocessor embedded, while others may only have a non-volatile memory content
included. In general, a smartcard is an integrated circuit card (ICC), which is a portable,
tamper-resistant computer with a programmable data store. In either type of smartcard, the
storage capacity of its memory content is much larger than that in magnetic stripe cards.
The total storage capacity of a magnetic stripe card is 204 bytes while the typical storage
capacity of a smartcard ranges from 256 bytes to 64K bytes. In other words, the memory
content of a large capacity smartcard can hold the data content of more than thousands of
magnetic stripe cards.
Due to the high security level of smartcards and their standalone capability, it is extremely
difficult to tamper with the card, or otherwise put unauthorized information on the card. Because
it is hard to get the data without authorization, and because it is easy to carry, a smartcard is
uniquely appropriate for secure and convenient data storage. Without permission of the
card holder, data cannot be captured or modified. Therefore, a smartcard could further
enhance the data privacy of the user. Microsoft considers the smartcard an extension of a
personal computer and the key component of the public-key infrastructure in Microsoft
Windows 98 and 2000 (Clercq, n.a).
Thus smartcards are particularly suited to applications that require data security as well as
data integrity. Data security ensures that a data value or computation contained on the card
can only be accessed by authorized parties. Data integrity guarantees that the value of the
data stored on the card is defined at all times and is not corrupted. Some of the potential
benefits of smartcards are (Rogerson, 1998):
• Smartcard is a secure means of authenticating the identity of reader device
• It is a portable and secure store of data available to all
• Access can be made available in geographical locations where online
communication is not possible
• Reduced fraud
2.10 SMARTCARD IN HEALTHCARE
The capacity of a card is the major determining factor in limiting the information that can
be stored on it. While it is possible to store less than the maximum capacity of the card, it is
obviously never possible to store more. A few kilobytes of capacity are generally accepted
as being sufficient to store basic identification details such as name of the card holder in the
healthcare context, domain-specific but generally applicable information such as details of
allergies, medication and other emergency data. While the smartcard is being used as a key
to unlock an access control mechanism, encryption keys large enough to resist extensive
brute force attempts to break them can also be stored. Episode specific data could also be
designed to fit into a few kilobytes.
However, the limits of capacity are rapidly reached when one talks about the sort of
information that would constitute a patient's medical history over an extended period of
time, or a shorter period of time with multiple or severe conditions. In particular, X-ray or
similar medical images stored with sufficient resolution and color depth to be useful typically
occupy at least 8-16Kbytes (64-128Kbits) of memory, even with suitable compression. The
space required to hold just one image exceeds the capacity of the latest EEPROM cards.
FRAM cards could also be considered for this purpose, but even then the number of images
that could be stored is limited.
2.10.1 HEALTHCARD APPLICATIONS OF SMARTCARD
Due to the level of security provided for data storage, IC cards offer a new perspective for
healthcare applications. Medical applications of smartcards can be used for storing
information including personal data, insurance policy, emergency medical information,
hospital admission data and recent medical records. Numerous national hospitals in France,
Germany and even Hong Kong have already started to implement this kind of healthcare
card.
With the microcontroller on-board, smartcards could be used for managing the levels of
information authorized for different users similar to a workflow control system. Doctors
would be able to access the medical record from the patient's card, while pharmacists could
make use of the prescription information stored on the card for preparing the medical
treatment. Emergency data kept on the patient's card, which includes the cardholder's
identity, persons to contact in case of accident and special illness details, can be used for
saving the patient's life. In some countries, medical insurance is required for hospital
payment. With the insurance records stored in the patient's card, the administrative
procedures are simplified.
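The role-dependent access described above can be modelled as a card that releases each file only to an authenticated role, and most files only after the cardholder has entered a PIN. This is an added example, not code from the original chapter or from any card scheme it cites; the file names, the access rules, the paramedic and admin roles, the retry limit of three and the HMAC challenge-response are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed policy: roles allowed to read each file, and whether the
# cardholder must have entered the PIN first (emergency data needs none).
ACCESS_RULES = {
    "emergency":      {"roles": {"doctor", "pharmacist", "paramedic"}, "pin": False},
    "prescription":   {"roles": {"doctor", "pharmacist"}, "pin": True},
    "medical_record": {"roles": {"doctor"}, "pin": True},
    "insurance":      {"roles": {"admin"}, "pin": True},
}
MAX_PIN_TRIES = 3


class CardError(Exception):
    """The card refused the command."""


class HealthCard:
    """Toy model of a patient card; session state lasts only while inserted."""

    def __init__(self, pin, files, role_keys):
        self._pin = pin.encode()
        self._files = dict(files)
        self._role_keys = dict(role_keys)  # role -> key shared with that role's terminals
        self._tries_left = MAX_PIN_TRIES
        self.reset()

    def reset(self):
        """Card removed from the reader: forget PIN and role state."""
        self._pin_ok, self._role, self._challenge = False, None, None

    def verify_pin(self, pin):
        if self._tries_left == 0:
            raise CardError("PIN blocked")
        self._pin_ok = hmac.compare_digest(pin.encode(), self._pin)
        # A wrong PIN burns one try; a correct one restores the counter.
        self._tries_left = MAX_PIN_TRIES if self._pin_ok else self._tries_left - 1
        return self._pin_ok

    def get_challenge(self):
        self._challenge = secrets.token_bytes(16)  # fresh nonce per attempt
        return self._challenge

    def authenticate_role(self, role, response):
        challenge, self._challenge = self._challenge, None  # single use, no replay
        key = self._role_keys.get(role)
        if challenge is None or key is None:
            raise CardError("no challenge outstanding or unknown role")
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        self._role = role if hmac.compare_digest(expected, response) else None
        return self._role is not None

    def read(self, name):
        rule = ACCESS_RULES[name]
        if self._role not in rule["roles"]:
            raise CardError("role not authorised for " + name)
        if rule["pin"] and not self._pin_ok:
            raise CardError("cardholder PIN not verified")
        return self._files[name]


def terminal_response(role_key, challenge):
    """What a health professional's terminal sends back to prove its role."""
    return hmac.new(role_key, challenge, hashlib.sha256).digest()


def demo():
    """Run three constructed encounters and return what each one obtained."""
    keys = {r: secrets.token_bytes(32) for r in ("doctor", "pharmacist", "paramedic", "admin")}
    files = {"emergency": "allergy: latex", "prescription": "metformin 500 mg",
             "medical_record": "type 2 diabetes", "insurance": "policy (constructed)"}
    card = HealthCard("4821", files, keys)

    def attempt(name):
        try:
            return card.read(name)
        except CardError as exc:
            return "REFUSED: " + str(exc)

    out = {}
    # Pharmacy: terminal proves the pharmacist role, patient enters the PIN.
    card.authenticate_role("pharmacist", terminal_response(keys["pharmacist"], card.get_challenge()))
    card.verify_pin("4821")
    out["pharmacist"] = (attempt("prescription"), attempt("medical_record"))
    card.reset()
    # Accident scene: paramedic role, patient cannot enter a PIN.
    card.authenticate_role("paramedic", terminal_response(keys["paramedic"], card.get_challenge()))
    out["paramedic"] = (attempt("emergency"), attempt("prescription"))
    card.reset()
    # Terminal that does not hold the doctor key.
    out["forged_doctor"] = card.authenticate_role("doctor", terminal_response(b"guess", card.get_challenge()))
    return out


if __name__ == "__main__":
    for who, result in demo().items():
        print(who, "->", result)
```

The decision is taken by the card on every read, so a terminal that skips its own checks still cannot obtain a file its role key does not unlock.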
2.10.2 WHAT MAKES SMARTCARDS IMPORTANT IN HEALTHCARE?
Smartcards have two key attributes: they can carry a substantial quantity of data in a
compact and computer readable form, and they can carry it securely. The second attribute is
crucial to the role that smartcards will play in healthcare, in which security of data and
confidentiality are generally recognized as being pillars of ethical practice.
Computing environments that have many users routinely experience problems in three
areas: authenticating the identity of individual users, ensuring confidentiality of data in
storage, and securing data against interception or alteration while in transmission.
2.10.3 USING SMARTCARD TECHNOLOGY TO OVERCOME SECURITY
BREACHES IN EMR
The privacy, security and confidentiality of patient health records have been a sensitive
topic of debate in the medical sector. This is due to the rapid use of information technology
within the health sector. Broad use of the internet, large databases and health information
systems creates further anxiety among medical practitioners and patients, and thus calls for
immediate check on how patient health information is maintained by the healthcare
institutions. Information on how these data are handled is important to ensure policies and
procedures are well established to handle vulnerabilities these systems entail.
The existence of electronic medical records (EMRs) has increased the accessibility and sharing of
health information among authorized individuals. Although this is a visible and the most
important benefit, this technology has created a hidden, high risk of losing
information to unauthorized individuals (eHVRP, 2007). When an individual's personal health
information is disclosed, it creates significant economic and social harm. Transmission of
confidential information over the various types of system infrastructure further erodes
individual privacy, and concerns are growing as critical information such as psychiatric
records, HIV status and genetic information is stored in these electronic medical records.
The dilemma of obtaining, using and sharing healthcare information to provide care while
not breaching patient privacy is therefore a serious concern (Smith, 1999).
To address these concerns, the types of threats that exist in the adopted health
information systems need to be clearly understood and analyzed. Each implementation of health
information systems provided by the vendors will normally be equipped with at least a
minimal security level such as user authentication. Although the increase in research in the
security field has of course introduced various methods to improve the security level of
the data stored in these systems, the applicability of security technologies is still
questionable. This section will analyze in detail the research outcome of the eHVRP surveys
and will identify whether smartcard technology can be used in EMR systems to overcome those
security breaches.
2.10.3.1 Use Of Smartcards In Preventing Security Breaches In Case Study #1
| Security Breaches in Case Study #1 | How The Use of Smartcard Technology could have overcome the issue? |
|---|---|
| Skill level required by an attacker to exploit vulnerabilities is low | Smartcard systems can be implemented in different ways. No two smartcard systems are similar. Use of a proprietary smartcard operating system, key management system or file architecture could decrease the level of breakability of an EMR system. Attackers may require a high level of skill to break into smartcard systems. |
| Application and Database were exploited | A smartcard could provide a means of secure access control to any system. Using a smartcard with a PIN entry for system access will disallow people without an authorization card from gaining access to any application. Smartcards with extensive storage capacity could hold a patient's decryption key to their database records. Database records that are encrypted with a patient's key will be unusable even if there was exploitation. |
| Attacker accessed remotely | Requiring the physical presence of a user to insert a smartcard and exchange keys to gain access will disallow remote access by attackers. Without a smartcard inserted, the system will not respond or the database will not decrypt the patient's health record. |
| Security software effectively reduce time of exposure | Smartcard technology can be used as a software firewall to a system. Authenticating the operating system environment and accessing the file architecture can be used as a method of software firewall. A smartcard can also hold Public/Private Key Infrastructure (PKI) for a further security option. |
2.10.3.2 Use Of Smartcards In Preventing Security Breaches In Case Study #2
| Security Breaches in Case Study #2 | How The Use of Smartcard Technology could have overcome the issue? |
|---|---|
| Remotely gain full access to the system | Smartcard systems can be implemented in different ways. No two smartcard systems are similar. Use of a proprietary smartcard operating system, key management system or file architecture could decrease the level of breakability of an EMR system. Attackers may require a high level of skill and know-how to break into smartcard systems. |
| Remotely add/modify/delete any/all records | Remote access will be prevented using smartcards. Physical presence of the user will be required. |
| Security technology that is practical to deploy | Smartcard technology is practical to deploy. It is a globally well-accepted technology in many sectors. |
| Security technology that is cost effective to deploy | Over the years, the price of smartcards and of application development and integration has dropped tremendously. Smartcard implementation is even very cost-effective if patients and users pay for their own card. |
| Applications are complex and rely on more than millions of lines of code | Smartcard application development requires embedded programming where software programs can be directly written to the card. Using well-defined APIs and ISO standard protocols, applications can be programmed with a minimum amount of code. |
| 60% of customer-facing web applications have an exploitable vulnerability | Smartcard systems are not highly dependent on the internet, as patient information is stored within the card memory. This reduces the requirement for the system to be online all the time. |
| 75% of attacks take place at the application layer | Protecting application layers is made easy with smartcard technology. Implementing PKI and a Key Management System can provide sufficient security measures at the application layer. Smartcard authentication with two or more tiers can provide robust security to the system. |
| Firewalls do not deal with the application flaw itself | Apart from controlling network access, smartcards do provide application level protection when designed appropriately. |
2.11 AN ANALYSIS OF PREVIOUS HEALTHCARE SMARTCARD
IMPLEMENTATIONS
Research shows that the smartcard has a long history in healthcare. Many smartcard based
applications have been developed and adopted in many parts of the world, especially in
Europe. These implementations, however, are mainly linked to other applications such as
health insurance and access control.
In this region, Taiwan has a successful implementation of a patient health card, which
allows patients to carry their health records in their wallet and at the same time use the
card for insurance claims and medical bill payment. A recent study by European-based
HBS Consulting is outlined in Table 2.2.
Table 2.2 Different smartcard implementation and description
Source: HBS Consulting, (2004)
| Market | Card | Description |
|---|---|---|
| Germany | Health Insurance Card | Current system launched in 1993. 80 million chip cards have been issued. New system using more sophisticated smartcard due to be launched in 2006 |
| France | Sesam-Vitale | Version 1 issued in 1998. Version 2 scheduled to be launched in 2006, pending agreement with health workers |
| Belgium | SIS | Introduced in 2000, card has been issued to 10.5 million residents. Card specifies eligibility for service. Carries no medical data. |
| Slovenia | Health Insurance Card | Slovenia has issued 2 million cards since 1999. New applications added in past 2 years, such as organ donor registration and information on patients' eyeglasses, hearing aids and other medical devices |
| Austria | e-card | Contract for 8 million smartcards awarded in this year to Giesecke & Devrient. Rollout set for 2005. Will also be used to access government services online. |
| Europe | E111 card | Standard card for accessing health services throughout Europe was introduced last month without a chip. Plans call for introduction of a smartcard in 2008. |
HBS Consulting in 2003 also conducted a functional versus benefit study on the major
health card programs in the world. Although most implementations are identification and
medical insurance related, some of them are also incorporating patient health information
on the card. Table 2.3 highlights the major health card programs, their functions and the
benefits.
Table 2.3 Implementation of smartcard and its benefits
Source: HBS Consulting, (2003)
| Country | Function | Benefit |
|---|---|---|
| Belgium | Entitlement card | Patient: acts as identification and speeds reimbursement. Insurers: reduce cost |
| France | Insurance card | Patient: speeds reimbursement. Insurers: reduces costs and simplifies processes |
| France | Health professional card | Health professional: provides security and systems and information access |
| Germany | Insurance card | Patient: identification. Insurers: process simplification |
| Germany | Health professional card | Health professional: provides security, identification and systems and information access; improves communications |
| Netherlands | Medication alarm | Patient: helps management of chronic disease |
| Netherlands | Drug monitoring | Health Professional: eases care of drug addicts |
| Slovenia | Data storage, identification, access to systems | Patient: identification to health professional and to system via self service kiosks |
| Taiwan | Data storage, identification, access to systems, fraud detection | Patient: gains control over medical data. Health system payment providers: fraud and cost reduction |
2.12 CURRENT RESEARCHES IN EMR SMARTCARD
A few research projects on electronic medical records are currently being undertaken by various
organizations, academic staff and students around the world. In this section some of the
current research that takes a direct approach using smartcards is conceptually presented
and evaluated.
A research project titled "Model-Based Design and Implementation of Secure, Interoperable EHR
Systems" is being carried out by a team of researchers from Germany, headed by Bernd Blobel. In
this research, Bernd highlighted that to establish efficient and high quality care for
patients, health networks with an EMR as the core application must be designed to enable
trustworthy interoperability between different healthcare organizations. This
interoperability, according to Bernd, has to be provided at the knowledge level, meeting legal,
ethical, and organizational requirements in a flexible and portable way, including the
use of mobile devices such as smartcards (Blobel, 2003). This research uses smartcards to
perform strong mutual authentication before the security infrastructure components are
downloaded and installed to transfer data input and output. The SSL (Secure Socket Layer)
protocol deployed to initiate secure sessions is provided by the Java Secure Socket
Extension API. The applets and servlets for establishing the local clients and the open
remote database access facilities communicate using the XML standard set, including XML
Digital Signature, which has been incorporated into a smartcard. In this research, the smartcard
is used as a medium for authenticating medical practitioners to download EMR records via
SSL.
In another attempt, by Alvin in 2003, in a research paper titled "Integrating smart card access to
Web-based medical information systems", he examines the application of smartcards in the
development of distributed medical information systems. Agreeing with the technical
capabilities of the smartcard such as mobility and security features, he noted that the smartcard is
an ideal medium for storing the critical medical records of a patient. However, his findings
show that the lack of interoperability and support for distributed operations has limited the
development and usage of smart cards in a networked environment. Alvin's report also
highlights the benefits of combining the World Wide Web and smart card technologies to
support the development of a highly robust health information system, while leveraging
the rich benefits of Web technology (Alvin, 2003). In particular, this research describes
an approach of using the WebCard service model as a common interface to communicate
and access the medical records residing in a smartcard that seamlessly integrates with existing
web infrastructure. Although this research has many similarities with Bernd's approach in
terms of the use of the smartcard as the access control device, his way of handling smartcards
in the system varies. WebCard uses the Java OpenCard Framework to enable the servlet
features and utilizes the internet as the communication medium.
In summary, most of this current research revolves around open-source, Java
OpenCard Framework and web-based approaches. Although these approaches benefit the
healthcare industry as a whole, proprietary systems provide better security options, especially
in isolating the sensitive medical records from potential hackers. A closed-loop approach is a
comparatively better way to go about healthcare smartcard implementation, to restrict
anonymous attackers from breaching the security walls. Open source systems, on the other
hand, by their very nature, are open to scrutiny. Often, this scrutiny can apply not only to
the system's source code, but also to the system design processes. For an environment that
requires a high level of security, privacy and confidentiality, open source is still not the solution
(Jason, 2004).
2.13 SUMMARY OF RELATED LITERATURE
The above reviews of the electronic medical record, smartcard technology, existing
implementations and related current research suggest improvements in the way
smartcards are being used in the healthcare industry. The lack of strong application
development in healthcare leads to a situation where smartcards are only being used as
a tool for inter-industry data carrier and identification, as shown in Table 2.5.
Thus, the significance of this research is to show how to utilize the real technical
capabilities of smartcards in holding a patient's medical records without compromising their
security, privacy and confidentiality. Based on the derived methods of securing the medical
record at multiple levels, patients will have their own medical record in their wallet,
secured and protected. The technical capabilities of the smartcard in this research are evaluated
in terms of storage capability, processing capability and security capability.
Research reviews discussed in this chapter have proved that the emergence of technology has
contributed in both a positive and a negative manner. The initial idea put forward by
information technology has of course proved to be positive in many ways. Visible
benefits of information technology in the medical sector are the reduction of paper records,
the efficiency of clerical operations in a hospital environment and, most importantly, easy access
to information by different stakeholders in this environment. EMR was accepted as it was
viewed as a way to reduce file storage cost and to ease maintenance of the health
record. The rate of instant and easy access to patient records is currently the yardstick
for demonstrating the delivery of quality healthcare by a healthcare institution. However, recent
research shows increasing concern among patients about the security and confidentiality of
their health records. This could be due to the health systems being deployed in a network or web
environment. Smartcard technology was brought in to address the issue of mobility and
security of patient records.
This literature review has also pointed out the architecture of the smartcard and how it supports
security and mobility. Countries adopting smartcard EMR systems have studied the
ways of adopting and implementing the smartcard technology; however, this research
is normally directed towards the security of authentication in general, policy
implementation or ways of handling unauthorized access to the card. More often than not,
these research outcomes were isolated and not integrated; therefore security
was often implemented at the smartcard level or the application level. Due to this,
privacy of data is not guaranteed, and this gives hackers an opportunity to reach health
information through the layers where security is not implemented.