How to solve a hard problem in health IT
Published 11:27, 29 April 10
I examined the problem of how to log every single view of every record in the ultimate hot desking environment – the hospital ward, in my last post.
This constraint of managing the audit trail is a difficult one. What we are trying to prevent is people accessing data they shouldn’t. This is a valid goal and is to be applauded, but let’s look at it in more detail.
Previously, in the world of paper records, we had little to no idea who was looking at what, but we knew that they could only be looking at current patients (as the rest would be archived and not easily accessible) and that only one person would be looking at them at a time – meaning the risk of information leakage was low and the impact of any leak was also low (at least until that person reached a photocopier..).
In the new digital environment, we have a situation where people share logins because it is otherwise impossible to do their jobs, and they can look at any patient in the hospital (and possibly further afield).
We therefore have a situation currently which is the worst of all possible worlds. Rather than having no information on what’s going on, we have a false audit trail – specifically a false audit trail backed up by two-factor authentication! - so false information, high risk and very high impact.
The way to fix this is to accept some risk but manage the impact. Politically this sounds bad, but from the practical point of view, this is the only way to effectively make it work.
Simple, shared use terminals can make this possible. Put current data which is designed to be shared by clinicians on these terminals. Remove the logins, but put the machines in a physically secured area (not a cage, but perhaps a part of the ward that patients cannot get to).
Do not allow central patient lookup, but do allow lookups by controlling clinician so if they need to find something, it is possible, perhaps then with a simple password. By all means also have the full access, but keep it elsewhere.
This solution is simple, manages the risk and provides the access that clinicians crave. It is not perfect, but it does give the right people the correct access to data that enables them to save patients’ lives.
The alternative is at best naïve and at worst dangerous. Let’s have some common sense and stop pretending that consultants who have never been on a ward can continue to design information systems for our NHS.