Navigating Ethical Frontiers in Healthcare Technologies

Digitalization of the medical data involves the use of modern technology to centralise the records and documents of the patient’s medical history into a virtual database. Clinical summary records from different healthcare providers are stored and shared to facilitate the future use from other providers. Health Wearable Technology (HWT) used by patients such as insulin monitors and cardiac event monitors can be integrated into such database for tracking and analysing important health information (Al-Azwani, 2016). More countries are adopting the Electronic Health Record (EHR) into their nationwide medical initiative due to its advantages. Firstly, it gives a more up-to-date, complete and accurate data of the patient. This helps the healthcare providers to have a more coordinated care with other providers. Hence, this reduces possible medical errors in their diagnosis and treatment. Secondly, EHR also enables easier accessibility from anywhere at any given time, thus enabling healthcare providers to be more efficient and productive. Lastly, it gives an opportunity for patients to participate in their own healthcare by giving them more autonomy over it (ONC, 2019). However, EHRs still poses as a concern as it comes with its own disadvantages that raises potential and existing ethical dilemmas.

Key Market Players

There are 3 main key players in the use of this technology.

1. Government
2. Patients
3. Healthcare Providers

The government has an important role in EHR. In some countries, EHRs are a system that is implemented nationwide. Singapore for example, have the National Health Record (NEHR), owned by the Ministry of Health. It is managed by the Integrated Health Information System (IHiS), an organisation which is largely responsible for architecting the EHR system in the country. This allows patients and healthcare providers to use the system more efficiently as there is an overall governing body that standardize the protocol of the system. Even so, without such function in the government body, they also play a part in passing down laws and regulations that can meet the new challenges that is faced with the use of EHRs in healthcare organisations.

Patients are a key player as they are the receiving end of the service provided by EHRs. Their satisfaction is determined by the quality of the EHRs. Malpractice such as the loss of data or lack of medical records accuracy can cause vital treatment errors. A poor system can have detrimental repercussions to their healthcare (Ozair, 2015). Healthcare providers are the main users of the EHRs. The functioning of the system and how well it is used is largely based on them. The physicians and other healthcare staff are responsible over the security and the accuracy of the patient’s data. Unlike countries like Singapore, it is harder for bigger countries like the US and China to have a nationwide EHR system. Hence, for this report, we will assume that in these countries, the healthcare vendors source out for their own EHRs from vendors. In the US for example, companies such as EPIC and CERNER are vendors used by medium and large medical organisations. Therefore, the usability of EHR is dependent on these healthcare providers as they dictate the workflow and the interface of the system.

Laws & Regulations

Different countries have different set of rules regarding the ethical use of EHR. In Singapore, there is the Healthcare Service Act. This bill gives an explicit detail on how NEHR can be used by Singapore’s healthcare providers. For example, it states that the only ones that can have access to the medical information are the healthcare professionals that are directly involved in the patients care. There are also guidelines on assessing the information for other purposes including research. Anyone guilty of assessing without consent is liable to $100000 fine and/or 2 years imprisonment (MOH, 2018).

In the US, they have the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and the Privacy Rule which establishes national standards to protect individuals' electronic personal health information used by the healthcare providers. Like the laws in Singapore, it ensures the confidentiality and integrity of the patient’s data. However, there are general rules that specify that the system operators of the EHR must maintain reasonable and appropriate administrative, technical and physical safeguards to the database. This is depending on their own software infrastructure capabilities (HHS, 2013).

Current Ethical issues arising from this technology

Despite the benefits it brings, implementing EHR system does have its disadvantages. Firstly, there is a possible risk of security breaches through cybercrime and hacking of data. The system may not be robust enough to prevent hackers from stealing confidential health records (Ozair, 2015). Necessary steps into strengthening the software might be overlooked. This includes limiting the network access through operating wireless routers in encrypted mode and using updated anti-virus. Firewalls, particularly a hardware firewalls between local area and the Internet is neglected. Furthermore, the common practices amongst the staff might disregard the security of the computer system. Practices such as, pasting passwords on computers using sticky notes and even leaving machines unattended and unprotected. There is a lack of culture in which everyone takes cybersecurity as seriously as they should (Seaborg, 2019). Hence, this gives rise to an issue of virtue ethics where incompetence and irresponsibility is demonstrated.

Secondly, there can also be a breach of privacy and confidentiality. Healthcare providers may accidentally or purposefully disclose information to other organisations that the patients are not aware of (Gallagher, 2018). Without any agreement from the patient, this disclosure brings forth the lack of rights ethics and can even cause legal issues. The limitations of the EHRs are not exhaustively listed. The 2 disadvantages enable us to look at the problem based on an ethical standpoint. The next part will highlight on the ethical dilemmas of this new growing technology through real case studies.

Analysis of Ethical Issues using Case Studies

Case Study 1:

From 27 June to 4 July 2018, personal information of 1.5 million patients under the SingHealth NEHR were hacked and stolen by cyber criminals. The EHR under IHiS found 3 managers who were responsible for the cyber-attack. A Citrix Team Lead was guilty of having introduced a server setup that was unnecessary and brings significant risks to the system despite his technical abilities. A Security Incident Response Manager (SIRM) was guilty of passiveness to react even after repeated hacking alert which led to missed opportunities to mitigate the attack. Both were sacked due to their negligence. A Cluster Information Security Officer (CISO) was also found guilty by failing to follow the incident reporting procedure and his lack of aptitude. This leads to his demotion. IHiS officer, Chai Sze Chun was commended for taking initiative to go beyond his duty to investigate on the suspicious system activity and report to his direct supervisor. However, he did not bring it up to the authorities from the security management department. After the incident, IHiS worked with the Cyber Security Agency (CSA) to implement new measures for improvements (IHiS, 2018).

Now we will use the Ethics Line Drawing and the Ethics Flowchart to assess the ethical issues.

Ethics Line Drawing, from point-of-view of the IHiS managers:

NP: Ignoring the report from IHiS officers and staff. Fail to proceed with any form of existing security incident reporting framework. No further action for improvement.

PP: Escalate the report from IHiS officers and staff. Immediate reaction to cease the hacking. Proceed with the existing security incident reporting framework. Implement technical measures recommended by CSA to prevent such events from happening. Educate all the staff on the importance of the incident reporting framework and the tell-tale signs of a possible cyber-attack. Review with other EHR organisations on the recent attack to find better risk management procedure and share technical findings of the cyber-attack.

P1: Ignoring the report from the IHiS officers and staff. Fail to proceed with any form of existing security incident reporting framework. Implemented measures after the incident including imposing Internet surfing separation, resetting user and systems accounts, and installing additional system monitoring controls.

SC1: Escalate the report from IHiS officers and staff. Immediate reaction to cease the hacking. Proceed with the existing security incident reporting framework.

SC2: Ignoring the report from the IHiS officers and staff. Fail to proceed with any form of existing security incident reporting framework. Implement a new framework for the organisation.

Solution and Limitation

In this case, the key player is the government as IHiS is a subsidiary organisation of the government and holds on to the medical information for the country’s population. Therefore, it is critical to ensure that the security of its databases to prevent any cyber-attacks such as the one mentioned in the case study. This case is also applicable to healthcare providers as they are the operators of EHR systems. The two main concerns for the system are, the need for consistent development to the technical side of and improving on the competency of the people in the organisation to detect and act on cyber-attacks. Cyber security is never static, in fact, key security risk is always changing with the advancement of technology. Keeping up to date with the latest firewall and other anti-hacking technology is important. However, cyber security awareness is as vital and must be instilled in the employees of the organisation. 95% of cybersecurity breaches are caused by human error (IBM, 2014). There is no point having an expensive system without an embedded culture of cyber security awareness and enforcement. By addressing these concerns, risks of security breaches can be reduced and ethical dilemmas specifically under the concept of virtue ethics can be mitigated. Nonetheless, its effectiveness is up to the proactiveness of the individuals in the organisation.

Case Study 2:

On 13 June 2013, Shasta Regional Medical Center (SRMC) agreed to a settlement of $275000 for violating the HIPAA Privacy Rule. Two senior SRMC leaders were found guilty to have provided details of medical procedures performed on a specific patient to the media. On December 13, 2011, SRMC sent a letter, through its parent company, to California Watch, responding to a story concerning Medicare fraud. The letter described the specific patient’s medical treatment and provided specifics about her lab results. SRMC did not have a written authorization from the patient to disclose this information to this news outlet. This unauthorized disclosure of health information to the media was a direct violation of the Privacy Rule (HIPAA, 2013).

Ethics Decision Flow-Chart, from point-of-view of healthcare provider:

Solution and Limitation

Adherence to the existing rules and regulation is important to ensure that the patients have the rights over their own medical information. There must be ethics training for all personnel involved in digital health activities and hold them accountable for the ethical treatment of data. However, in some cases, giving patients full autonomy over their own data can have its disadvantage when there is a need to use this information for research. Researchers must abide to their duty ethics to respect patient’s privacy and confidentiality. In these cases, they might end up only having data from persons who have consented and de-identified data. Therefore, this undermines the quality and limits the quantity of data available for research (Mann, 2016).

Conclusion

The three technologies evaluated aims to improve the well-being of the society by tackling challenges in the medical field. However, they pose various disadvantages that give rise to ethical dilemmas. Firstly, technology on genetic modification for designer babies creates an ethical concern with regards to the testing process which uses human embryos. Furthermore, there will be a moral issue of a possible segregation between the rich and the poor due to this technology. Secondly, stem cell research presents an ethical problem due to the research procedure that involves destroying embryos. Lastly, the use of EHR highlights on the issue of ethics in cybersecurity and rights to privacy and confidentiality. These ethical challenges need to be outlined and controlled by all the parties that are involved. However, technology is always changing. Ultimately, we have to be adaptable in our approach to regulate and tackle new ethical issues in emerging technologies.