Roderick Neame
a Health Information Consulting, Homestall House, Faversham, Kent ME13 8UT
b Department of Philosophy, University of Victoria, Victoria, BC, Canada
Correspondence to: R Neame
roddyneame{at}health-info.co.uk
Most clinical facilities are looking towards achieving
seamless integration of services based on a clinical "intranet" and deployment of full electronic records. These developments open a wealth
of opportunities and promise benefits; however, they bring with them
several important concerns and risks, at the root of which are security
issues.1
Computerised and hard copy information
differ in two fundamental ways. One difference relates to perception:
hard copy is something we are all familiar with and feel that we
understand. By contrast, information that is stored in electronic form
is mysterious and therefore a source of anxiety. Understandably, therefore, professionals and the public alike are more concerned about
the security of electronic records, especially not knowing where they
are stored or who controls them. The various well publicised failures
of computerised systems have contributed to this unease.
Summary points
- Security remains a critical issue in respect of health information management systems: too few people understand the risks inherent in the technology, although anxiety is widespread
- Patients assume that care providers are in control of the technology they use and that the technology is fit for the purpose, but there is no process of certification for this
- The law can offer little useful help: it has always trailed reality, often by a considerable margin
- The goal must be to prevent security breaches, because once they have happened the damage is already done as far as the patient is concerned
- The internet is offering services which are already beginning to affect the doctor-patient relationship
The second striking difference is that electronically stored data can be manipulated in ways that are impossible with hard copy. For example, searching, sorting into categories, matching, and linking one set of data with another and even with other databases is relatively easy with electronic records but difficult with hard copy. Furthermore, these functions can be performed remotely without the user ever being in physical contact with the stored materials.
The contribution of computers to health care will be limited by
the extent to which users and the community of patients come to trust
them to manipulate data and support decisions while protecting their privacy.
Roles, assumptions, and expectations
One of the governing assumptions underlying the introduction of computerised information systems is that their use will facilitate and improve the delivery of health care.2 New systems must meet these demands without overstepping the mark.
Patients
The role of patients in this context is to be the informed
and consenting recipients of the care that is recommended and provided
by doctors and institutions. Patients assume that their providers are
appropriately qualified or certified and in control of any equipment
used (including computers); that their personalised data will be
accessible only to those who are directly or indirectly engaged in
their care; and that identifiable personal information will be withheld
from those who do not have a legitimate and patient centred need to know.
Care service providers
The advent of computerised information systems has added a
new dimension to the relationship between doctors and patients. On the
one hand, the versatile nature of computerised information systems
promises valuable support for decision making and improved delivery of
services. On the other hand, the use of computerised systems
intensifies concerns over privacy and confidentiality, raises new
concerns over technological glitches and communications problems
affecting the availability of appropriate records, and creates a
potential nightmare concerning the quality and integrity (or safety) of
the records themselves.
Institutions
The role of healthcare institutions is defined not only by
their relationship with patients and professionals but also by the fact
that they are corporate entities with their own information needs. The
former mandates concerns for confidentiality, integrity, quality, and
availability: specifically, so far as patients are concerned,
institutions assume an obligation to ensure that computer systems are
safe and that patients' records will be available only to duly
authorised professionals, and in a timely and qualitatively acceptable
fashion. But at the same time the community and corporate nature of
healthcare institutions requires them to access and use some
information relating to healthcare encounters in order to discharge
their obligations to third parties (such as government) and to function
effectively and efficiently as corporate entities. This generates a new
domain of concern arising out of the fear that institutions may stray
beyond what is strictly necessary.
Managing the risks
Accepting the benefit of technology is easy; offsetting it against the risk is harder. The suggestion that the law may assist in the management of these risks is an illusion. The law, whether based on statute or driven by cases, has always trailed reality, often by a considerable margin. The key perspective is that once systems have failed or security has been breached, the damage has been done and there is no way of undoing it. For example, once information has become improperly disclosed it cannot become unknown again. Therefore, instead of detection and punishment of those responsible for security failures or breaches, the goal must be to prevent them arising.
Unfortunately, few healthcare providers or institutions seem to have faced up to these issues. Regulatory bodies seem equally at fault for they, too, have failed to lay down clear expectations in respect of uses and abuses of computerised systems. And many governments seem committed to ensuring that information privacy can readily be breached in order to satisfy the overriding consideration of the fight against crime.
Ultimately the risk in health care is borne by the patient, and as
this reality becomes more widely understood patients are beginning to
develop strategies for dealing with it. Recent developments have made
it possible to empower patients to manage some of these issues
themselves without the need for third parties to act as their agents.
Patients increasingly search the world wide web to check whether their
provider is doing everything that appears beneficial in their
situation. Already various web services are offering to hold personal
health records confidentially for their customers (for example,
www.drkoop.com) to use and share as they see fit. Growing public
concern over computerisation is also likely to drive other public trends.
Conclusion and summary
Computer technology is complex and it is difficult to assess the risks to which data within a system are subjected without having considerable expertise; often that assessment cannot readily be made even by the suppliers of a system, and there is little independent expert evaluation of software or systems. Such independent evaluation must become a feature of accreditation for practices and institutions that use electronic patient data handling systems.
The ability to handle information systems increasingly constitutes an essential professional skill for clinicians. Competency in using these systems should be included as part of accreditation to practise and continue to be assessed in practice.
Patients are beginning to comprehend the risks they run, and some
are showing a voracious appetite for information and enthusiasm for
monitoring the performance of their care providers. Web based information systems and services are developing fast to meet this patient driven need, which will progressively affect the nature of the
doctor-patient relationship.
Footnotes
Competing interests: None declared.
References
1. SEISMED Consortium. Data Security for Health Care, Vol 2. Amsterdam: IOS Press, 1996.
2. Kluge EHW. Health information, the fair information principles and ethics. Methods of Information in Medicine 1994; 33: 336-346.