SECURITY ISSUES IN CLINICAL INFORMATICS
Arunkumar Reddy Marepally
easypatientrecords@gmail.com
School of Computing, Information
Technology and Engineering
University of East London,
Docklands Campus, University Way,
London E16 2RD
ACKNOWLEDGEMENTS
Professor Dr. Kaori Sasaki, Imperial College, “Public Understanding of Computer Databases
in Health Care”.
University of Cambridge for the Security Seminar Series held at Cambridge.
Wellcome Trust for helpful information on informatics.
KEYWORDS:
Informatics, Clinical Informatics,
Electronic Patient Records, Technology,
Security Issues, Privacy, Authentication,
Information Blocking Mechanisms.
ABSTRACT
The role of Informatics in Clinical
Institutions, Health Organisations and
Hospitals have been towards impressive
growth in adopting Technologies which
help in making clinical decisions, improve
care, implementing health information
systems and clinical management.
Internet, Technologies, Software
implementations are few terminologies
which describe the health organisations in
the present conditions. Transforming the
paper based medical records to electronic
was an earlier task and now transforming
the Electronic Patient Records into
divisions like summary and detailed
records are new in Health organisations in
NHS.
As Internet is the major source of
communication and interaction between
physicians, patients and healthcare
providers the data or the information
stored is not private. More deliberation
should be towards Security requirements
such as Dynamic Authorization – this step
1
Chris Imafidon
chris12@uel.ac.uk
School of Computing, Information
Technology and Engineering
University of East London,
Docklands Campus, University Way,
London E16 2RD
Formerly, Head of Management of
Technology Unit, Queen Mary, University of
London.
Guest Seminar Lecturer at University of
Cambridge.
Guest Lecturer at University of Oxford.
makes decisions based on runtime
parameters and not on just role of the user,
Multi Factor Authentication – more than
two types of authentication procedures
should be made mandatory to the staff,
healthcare providers and companies to
actually view a patient’s health
information and Access Control
mechanisms – which enables
administrators to actually filter the
authorization permissions of the user.
This paper reports on the Security
Issues related to privacy of the data and
implementing privacy maintaining settings
like authentication and blocking of the
information according to the patient’s
point of view are introduced. These
Privacy Blocking and Authentication
settings are introduced in
Easypatientrecords which is exclusively
designed to help understand the need for
privacy control and will be very helpful
for Summary Care Records. The reason
NHS and National Programme for IT
(NPfIT) should consider and implement
these in Summary Care Records is because
the SCR is accessible by clinical staff,
emergency staff and also by the patient.
The present SCR is missing the privacy
locks and authentication (password
recognition page) which are introduced
through this paper.

1. INTRODUCTION
The creation and usage of Electronic
Patient Record System in any health
organisations will bring new benefits and
helps in increasing the efficiency of the
quality of care to the patients. The
improvement in cost effectiveness, error
reduction and wastage of data depends on
how good the Software is installed and
how effectively the people using these
systems have knowledge about the
Information Technology, because a
genuine Electronic Patient Record system
can deliver better prospects to the patient.
The present Electronic Patient
Record service in NHS is called the NHS
Care Record Service which is the plan of
National Programme for IT in England.
These Electronic Patient Records are in
existence since long time and new
implementations like NCRS is the
expansion of electronic patient data,
information about GP, health tips and
adding new software and replacing new
hardware. The major creation of Detailed
Care Records came into existence and
later divided as Summary Care Records
for emergency purposes.
Security and Privacy are the major
drawback when dealing with information
on web. Detailed explanations of Security
Issues, Authentication in Healthcare and
Accessing control are the major points that
are discussed here in the paper.
This paper explores about
Technologies adopted by NHS such as
Websites, Search engines, Telemedicine
and Mail Services; apart from the
technologies the paper also includes
information about Security, Privacy,
Access Control, Confidentiality and
implementation of Authentication
Mechanisms such as Privacy blocking
Settings that are similar to Social
Networking Privacy Settings.
2. INFORMATICS
Computers have become Universal in
every possible offices, which includes the
healthcare organisations and Hospitals. In
the past or may be even few years ago it
2
was rare to find a computer on a
physicians desk. But now with the
increase of information about patient
electronically the use of computer is
beyond just storing or retrieving
information. Computers are used beyond
analysing and reporting of data but the
systems can create automated surveillance
for health infections. [Diekema, 2010]
Informatics deals with problem solving in
many major areas and also acts as a
medium between IT and many other
modes of studies like Biology, arts,
telecommunications. Each mode then
transforms and leads to bio informatics,
arts leading to development of multimedia
animations and web designing and so on.
Solving a problem is made easy in any
field when computing is involved because
computing gives the foundation for
science, business industries and better
prospects to the society. [MacKie-Mason
2010]
Informatics utilises information
technology practically to any field, while
considering its consequences on
individuals, organizations and society.
Informatics uses computational techniques
as a tool to solve problems in other fields,
to communicate and to express new
innovative ideas. [Dennis Groth 2010]
The Figure 1 below gives a basic idea
about how a problem is solved by
analysing the systems and how humans
interact with them. The seven steps
involved here not only investigate but also
improves the data. [Hughes 2007]
Fig1: 7 Steps in Soft Systems
Methodology. [Hughes, 2007]

2.1 CLINICAL INFORMATICS
Clinical Informatics has been described as
a field that meets two mutually related but
which has distinct needs [Hersh, 2002],
Patient-centric and Knowledge-centric
[Sarkar, 2010]. The innovations in Clinical
Informatics are needed to improve
patient’s healthcare through basic concepts
like availability and integration of
information at the time of care [Costa,
Fitzgerald, et al 2009]
Health Informatics is defined as the
knowledge, skills and tools which
facilitate information to be collected,
managed, used and shared to support in
delivering the healthcare and promoting
health. [Department of Health, 2010]
Clinical Informatics have the
potential to transform the health care by
implementing, designing and evaluating
the information and communicating
systems that improves patient care and
helps in strengthen the Physician-Patient
relationship. Clinical Informatics deals
with clinical information and
understanding of informatics concepts,
procedures and tools to assess information,
evaluate and refine clinical processes,
develop, implement clinical systems,
participate in management and continuous
improvement of clinical information
systems. [Gardner 2009]
2.2 FUTURE OF CLINICAL
INFORMATICS IN NHS -
QUALITY, INNOVATION,
PRODUCTIVITY AND
PREVENTION (QIPP)
According to the Clinical Informatics
plans in near future 2010-2011 NHS has
some priorities of Quality, Innovation,
Productivity and Prevention (QIPP) and
are related
 To support the permissions of
patients and physicians, to
motivate developments in health
services and to increase the
productivity, the main focus is on
making use of the technologies
which will help the patient to
3
communicate with the health
services and to connect people.
 To use the new innovations and
emerging technologies and the
design of the systems should be
more understandable and
transform the existing
technologies.
 Increasing convenience to use the
technologies.
 Clinical Informatics plans to
integrate planning and
performance. [1] [Department of
Health]
3. TECHNOLOGY
Technology in healthcare industry has a
major impact on physicians, practitioners
as they deal with IT systems not only for
administrative use and clinical purposes
but also major surgeries which involves
highest level of computerisation skills.
One of the simple uses of technology is to
convert the paper based record of a patient
into electronic data and also scanning
older notes, prescriptions into electronic
information. [Bates, 2002]
3.1 TECHNOLOGY IN
HEALTHCARE
Technology is one source through which
the healthcare organisations can improve
efficiency, improve patient’s safety and
other benefits, but also can create hazard if
the clinical staff are not trained. [Wildt,
Verzijden, et al, 2007] [Murphy, Bjartell,
et al, 2009]
3.1.1 NPfIT: NATIONAL
PROGRAMME FOR
INFORMATION TECHNOLOGY
Department of Health published a report
called Delivering 21st century IT support
for NHS: National strategic programme,
which in turn is a prototype for National
Programme for Information Technology
(NPfIT). [Department of Health, 2002]
[2]
Department of Health initiated National
programme for IT to provide secure
electronic patient records in primary and
secondary care. It also integrates different
kinds of systems like prescription service
software, appointment software and many
more to health sectors. It is estimated
approximately around £12.4 billion for 10
years till 2014. [Department of Health,
2002] [3] [Greenhalgh, Stramer, et al,
2010]
3.1.2 HEALTH SPACE AND
SUMMARY CARE RECORD
SERVICE
NHS has adopted the technologies such as
Health space and Summery Care Records
to ensure that patient gets updated with
latest technologies, software throughout
the medication. [4][Greenhalgh, 2010]
Health Space is an online website
providing services like booking an
appointment, knowledge about health and
lifestyle, calendar and address book
through which the patients can store their
appointments and track them. Summery
care records service is linked to Health
space initially to know about services the
SCR is planned to provide. All these
services are available only when the
patient registers into the site.
Fig: My HealthSpace account overview.
Source: HealthSpace (2010) [internet]
available from[
https://www.healthspace.nhs.uk/]
(accessed on 5 Sept, 2010)
3.1.3 SUMMARY CARE RECORDS
4
The Summary Care Records is a service
introduced to ensure that all the NHS
patients health information is recorded
electronically and only the summery of a
particular patient is been drawn from a
patient’s GP held record. These SCR are
meant to be accessed by only authorised
clinical staff. [Greenhalgh, Stramer,
Bratan, Byrne, Russell, Hinder, Potts,
2010]
According to the survey report submitted
by UCL, there are approximately 150K
SCR’s which were created by mid 2008
and there referred to basic, level-1 or
release-1 SCR as these records had basic
information of a patient. Level-2 has some
more updates to the services.
Type of SCR Information in SCR
Level 1 or Release-1 Medication, Allergies
and Adverse Reactions.
Level 2 or Release-2 A&E reports, discharge
summaries, outpatient
letters, lab reports.
Fig: Viewing SCR
3.2 TELEMEDICINE
The adoption of Telemedicine is gradually
increasing in healthcare industry.
Telemedicine can be offering different
services depending on the health
department. The services may vary like
patient to physician interaction, physician
to physician interaction for improving the
quality of healthcare and finally it can be
offering services like telephone helpline
for patient in emergency or who seek an
advice. [Rohm, Rohm Jr, 2007] [Wootton,
1996]
3.2.1 NHS DIRECT – NATIONALLY
DIRECTED SERVICE
NHS Direct is a national health care
service through telephone and website.
The main role of NHS direct is to provide
high quality health care through health
advice, information and reassurance.
Initially NHS Direct was a service through
telephone advice and can me accessed by
calling 08454647 and it is now offering
services through Website and Digital TV
(self service) and still can contact a health
professional through the service. [5]
[Department of Health, 2006]
3.2.2 NON EMERGENCY SERVICE
- 111
The new 3-digit number 111 is a non
emergency telephone helpline which
intends to advice high quality healthcare to
patients which is a 24 hours service. This
service is to provide immediate medical
assistance and if there is an emergency
situation, an ambulance without any
further assessment. [6] [Department of
Health, 2010]
There has been a wide discussion
about replacing NHS Direct by 111 which
is indeed is replacing the NHS Direct
08454647 number to memorable number
111. [7]
3.3 SEARCH ENGINES
3.3.1 NHS EVIDENCE
Among the latest technologies search
engines is also one of the internet source
which provide information and NHS
Evidence is one among the Search engines
which gives free access to all clinical and
non-clinical information. Information
includes evidence, guidance and govt
policy. The purpose of NHS Evidence is
for anyone in health and social care who
takes decisions regarding treatments and
use of resources including GP’s, Nurses,
Consultants, Health professionals,
researchers and students.[8]
4. ELECTRONIC PATIENT
RECORDS
4.1 INTRODUCTION
The development of any healthcare
department depends on how the health
systems are linked, created to Electronic
Patient Record (EPR) systems. As there
are numerous benefits when EPR
technologies are adopted because the
5
single EPR software can store, transfer
and retrieve patient clinical information
electronically which in turn has the ability
to reduce clinical errors and improve the
quality of healthcare. The EPR systems
are adopted and used to increase
efficiency, reduce error rates and can be
accessible for the patients, allowing them
to have more control on their own
healthcare. [9] [10] [11] [12]
4.2.1 USES OF EPR
The main use of Electronic Patient Record
is to improve the patient care and in
context to a patient they will expect that
the records maintained electronically are
accurate and used confidentially. If the
records are shared between the healthcare
team and hospitals the primary aim should
be to improve the patient’s healthcare. The
patient’s concern when the records are
linked to expert systems that there is
minimum chance of treatment errors and
maximum chance of best treatment.
[Walport, 2010]
4.2.2 ADVANTAGES AND
BENEFITS OF SCR IN NHS
SCR (Summary Care Records) is good
approach in medical history as more
information is available for medical care.
Having a patient record electronically is
helpful mainly in case of emergency
situations which will help the healthcare
providers to save time and medicate the
patient immediately. An electronic patient
record can be helpful in giving the patient
correct medication according to the
information provided in the EPR. Useful
for elderly people who might forget what
the present and previous medication was
and also to the people who are deaf.
[Greenhalgh, Wood, et al 2008]
The benefits of Electronic health
record have some basic points like time
saving, availability, error reductions,
information sharing and clinical decision
making. [Gunter, Terry, 2005]
The summery care record helps the
healthcare providers to treat the patient
quicker at the time of emergency as SCR
have basic emergency information that if
an accident reported in Birmingham, the
local accident and emergency department
can have the access to the patient’s records
in London to check for the allergies, blood
type and present medication. [Walport,
2010]
4.3 LEGAL, ETHICAL ISSUES
Legal and Ethical issues depend on
different aspects of dealing information
such as Negligence; is related to ethical
issue which occurs when there is Misuse
of data, wrong prescription, wrong use of
the systems, treatment according to race,
religion and under negligence there are
legal issue like fraud, abuse and trust.
[Johnson, Whearry, 2010]
5. SECURITY ISSUES IN CLINICAL
INFORMATICS
5.1 SECURITY
Security concerns in electronic healthcare
has been a major issue because vast
amount of information is available online
and a typical e-healthcare system has
many components such as electronic
health record, clinical information, lab
information, pictures, videos, prescription
services and smart card details and these
systems are vulnerable to security issues.
[Tsai, 2010]
The development of Internet and adoption
of information technologies has been a
major priority in leading industries
including healthcare. As the information is
available in many social networking sites
[Tsai, Han, et al, 2009], blogs [Chen, Tsai,
et al, 2007] and medical records there has
been a great demand for information to
store and retrieve.
Electronic health record systems using
updated technologies have added
convenience to patient’s daily lives.
Earlier patient and hospitals used to
maintain paper based records and now the
doctors can access their patient
information with just a click. Now the
challenge of implementing these software
systems is to protect the patient
information. Major role of the hospitals
6
and healthcare staff will be in protecting
patient’s privacy and the confidentiality
[Flores, Win, et al, 2009] of the electronic
records because the consequences are
great if the medical record is leaked to
outsiders, the information can be used
against patient at the time of employment,
when setting up an insurance policy or to
public. [Tsai, 2010]
Fig: Security Requirements in Electronic
Healthcare System.
[Dritsas, Gymnopoulos, et al. 2006]
The above figure gives the description
about identifying the security requirements
as patient records which are accessed
through networks are public in nature and
the communication between the networks
is not private. Initially the application
should identify the user depending on the
authentication mechanism and then the
tracking the users who are authenticated
are protected. The software developers
who are working on the implementation of
software in healthcare organisation should
concentrate on secured authentication and
management mechanisms because these
aspects are affecting the healthcare
industry as the information (patient’s data)
is very sensitive. [Dritsas, Gymnopoulos,
et al. 2006]
5.2 AUTHENTICATION
Global access to electronic patient records
is necessary to the future of healthcare but
strictly following legal, ethical and social
rules and responsibilities to protect the
patient’s data privacy. One of the methods
to promise a patient’s confidentiality and
integrity is by implementing
authentication mechanisms and access
control procedures to prevent unauthorized
entry to the sensitive information.
[Barrows, Clayton, 1996]
Extending a business operation
over the web is a modern day operation
and healthcare is one among them.
Healthcare people include hospitals,
physicians, insurance companies, drug
manufacturing companies and healthcare
trusts are implementing technologies and
updating software to interact with the
patients which is an added advantage to
the patient. [Hu, Weaver, 2004]
Various authentication techniques in
healthcare include form basic user id and
password to all new bio metric techniques.
Firstly the bio metric methods
(something the patient is) include finger
prints, signature, voice-recognition and iris
scan. [13] [Hu, Weaver, 2004]
Another widely used authentication
technique is the smart cards (something
the patient posses) which are still in
process in NHS. The main functionality of
the smart card is similar to that of a bank
card with chip and pin. [NHS-Connecting
for Health]
Public Key Infrastructure (PKI) is
a cryptographic mechanism which can be
used for encrypting and decrypting data to
ensure information security. [Dwivedi,
Bali, et al, 2003]
The process of Digital signatures
involves a PKI signing of an individual is
private and can be used to hash and the
message has to be verified by the sender’s
public key which ensures authentication of
the data as well as keeping the information
private. [Kelly, McKenzie, 2002]
5.3 CONFIDENTIALITY
NHS has defined the confidentiality
services to patient in four main ways they
are protecting patient information,
informing the patient about information
usage, giving the patients a choice whether
their information has to be disclosed and
to support these three services there should
be a fourth service to improve the patients
clinical data. [13] [Department of Health]
British Medical Association has defined
the patient’s confidentiality as the
principle of keeping the information
secure and secret when the information is
7
exchanged in any kind of medium. [Kelly,
McKenzie, 2002]
5.4 PRIVACY AND ACCESS
The ideology behind access and control of
Electronic Patient Records is each clinical
record has to be marked with access
control list which has group of people who
had opened and edited the record.
Controlling of the records is done when
the responsible person is marked in the
access control list. [Xiao, Hu, et al, 2009]
Privacy to the electronic patient
records is most concerned to many
healthcare institutions and the issues about
privacy arises when most of the healthcare
institutions do not provide access for the
patient’s to their own data and although
there is technical usefulness [Van
Wingerde, Schindler, et al, 1996] the
healthcare providers show interest towards
sharing data with the competitors.
[Kohane, Van Wingerde, et al, 1996] With
the same behaviour of most of the
healthcare professionals the patients are
becoming more anxious about the privacy
of their medical records. [Westin, 1996]
Privacy is a major concern as IT systems
are implemented in healthcare institutions
and then Electronic Patient Records are
web-based and with this the fear of
security to the information in the records
arises. As the information of a patient is
shared using wireless internet to transmit
to multiple locations. [Rash, 2005]
5.5 PROTECTION USING MULTI
FACTOR AUTHENTICATION
According to UK Council for Health
Informatics Professions (UKCHIP) the
issue of data privacy, wastage and
protection of these issues is the
responsibility if Informatics providers and
they should look into aspects like Security
and backup of the data. Not only
implementing the software but also
checking the data quality when inputting
the record and those using the systems
should handle them safely. [14]
[UKCHIP]
Using smart cards and the chip
and pin services are the 2FA (Two Factor
Authentication) can be implemented to
make the communication even more
secured. One of the authentication
mechanisms is the Public Key
Infrastructure (PKI) and the concept
regarding PKI were developed a long time
in early 70’s and the usage of PKI in
healthcare was recently adopted in early
2000. This PKI technology was first
adopted by financial industry and later by
the health organisations. [Hemmings,
2000]
A PKI is an authentication
mechanism which can be encrypted and
decrypted using two keys, one for
encryption and another for decryption. The
use of PKI in any kind of companies is to
achieve high level of security to the access
of information. The creation and usage of
these keys and digital certificates are
maintained and provided by registering
authorities which are responsible to issue
public and private keys to each certificate
holder. [Etheridge, 2001]
Implementation of PKI authentication
with the smartcards is the recent progress
in securing the patient information. The
central registry which issues the keys and
maintains the authentication mechanisms
is the Health Access System which also
acts as a Middleware between the users
and the applications. In this system when
the user logs in remotely they have to
provide Two Factor Authentication
Mechanisms such as entering their smart
card and entering the key, by doing this
process then the user has an access to the
application. The central registry which is
the HAS will store the Smart Card number
when the user log in for the first time and
then gives them an acknowledgment by
providing a Key. After this process then
the user undergoes the Two Factor
Authentication by giving both Smart Card
and PKI details. This ensures high security
for the unauthorized access and
maintaining the confidentiality of the
patient information. [15]
IMPLEMENTATION OF
AUTHENTICATION AND
PRIVACY MECHANISMS
6. IMPLEMENTATION OF
SECURITY WALLS TO
ELECTRONIC PATIENT
8
RECORDS-WORKING
PROCEDURES
The design of security walls is divided
into two main categories first is the web
page which is the major security wall after
the user enters his/her user id and
password and will not be redirected to the
user account but faces a security password
recognition page and Secondly after
logging into the account the user can
manage the account by selecting the
blocking mechanism which is widely
followed in major social networking
websites.
6.1 WORKING PROCEDURES OF
AUTHENTICATION PAGE
The web page developed here is about
authentication techniques a user uses at
home from their personal computers. In
general accessing online website involves
authentication techniques passwords,
unique number and text seals.
This section gives a detailed
description of basic password technique
and making it hard for the hackers to
access and break the password.
Initially the process starts from
selecting a password which is hard for any
other person to remember except the
owner. Secondly setting up few security
questions in case the user forgets the id
and password the security questions can
fetch a new password to the personal
email which is setup while registering.
This process is a routine procedure for any
online website offering to store your
personal information.
Now the next authentication that is been
proposed here is Password Recognition. In
this process of password recognition the
user has to remember their own password
because the next stage after entering user
id and password is this recognition step.
Here the user will be asked to select
random character number from the
password. This is one of the authentication
mechanisms in online banking. Every time
the user enters his user id and password
the second step of password recognition
displays random character selection and
these character numbers are different
every time the user logins.
 according to the sensitivity of the
information.
Health Information-Allergies-No Blocking
Personal Information-Email-Block Lab
Technician.
Personal Information-NI Number-Block
Password Mix the Vibgyor007 Lab Technician, Doctor.
password
with letters, Type Who Infor Block Blocki
numbers and of ? matio ng
symbols. Infor n setting
Sign in User id – Pwd = matio s
xyzabc vibgyor007 n
Allerg Doct Allerg This This
ies ors ic to infor inform
Penici matio ation
Password Char 3=? Nurs llin n is can be
recognition Char 8=? e import blocke
Table: Password Recognition Process. ant at d
Lab the accord
techn time ing to
ician of the
emerg EPR
Ever ency. syste
yone ms
usage.
Other
Addre YP12 Not so Block
ss and EP6 import lab
postco ant to techni
de a lab cian
techni
cian.
Table: Blocking settings to a Patients
Information.

The web page below describes the

Fig: Password Recognition.
6.1 WORKING PROCEDURES OF
AUTHENTICATION PAGE
The web page designed here is about
Privacy Blocking setting which we
commonly see and use in social
networking sites like Facebook and
Twitter. The idea behind this web page is
to give the patient (might have a social
networking account) an Electronic Patient
Record which has similar privacy blocking
settings as in social networking sites.
Here in this page a patient can
manage their own information and block
importance of information to be blocked
and the privacy settings can be applied to
each and every part of the information like
Allergies, Reactions, Blood type, previous
doctor, Present doctor, Present illness,
Tests, Planning, Visits, Prescriptions and
more health information. Not only the
health information is blocked but also
personal data has to be blocked such as
Address, Contact numbers, Mobile
numbers, NI number, NHS Number, Post
code and Email.

9

Fig: Privacy Blocking to the Patient
Information.
When the above Blocking page is
compared to NHS Summary Care Records
page below, Privacy Blocking Settings or
Privacy Locks are missing.
Fig: NHS Summary Care Record Patient
Information
In the above figure we can see the NHS
Summary care Record page where the
patient or the clinical staffs fill the
personal and health information of the
patient and also information about
registered GP. Here as we can see the
difference between Figure SCR and the
Figure Privacy Blocking page is that the
SCR has no Privacy Locks or any other
Sealed Envelopes where as the privacy
10
blocking page that is introduced has the
Blocking Locks.
7. CRITICAL EVALUATION AND
LESSONS LEARNT
7.1 FINDINGS
Implementation of technologies and
delivering information through web is a
major source of communication in almost
every different kind of institutions.
The initial findings on clinical
informatics helped to understand that
Electronic Patient Records is one of the
clinical informatics aspect which is and
issue since a very long time. The main
aspects that lead to issues are the privacy
and confidentiality of the data and
implementation of the software
technologies in current health
organisations.
Software installations have been a
major drawback in NHS till the midst of
2010. The software called Lorenzo is a
patient administration system which
involves duties like patient booking,
managing patient records and referrals.
This software is developed by one of the
US leading outsourcing company
Computer Science Corporation (CSC) and
Australian software supplier isoft which
indeed failed to install the software on
time and with all these IT failures the
Clinical Informatics group which is the
NPfIT should concentrate on elements
such as “How the Software is installed”,
“how accessible is it to the clinical staff”,
“Is the Software installed with all the
security requirements”.
Use of Passwords and Security
measures to clinical data has been a
critical issue with the NHS in the year
2009. There were approximately 140
Security breaches to the data which were
related to - confidentiality aspects like
leaving the data unattended and some data
was left in encrypted discs, Security
aspects such as downloading the patient
database on to an Unsecured laptop(was
later stolen) which included thousands of
medical records. Another major security
breach was a memory stick which had
thousands of patient medical records was
lost even though the data is encrypted the
password was attached as a note in the to their profile unless the user crosses the
device. “Security Wall” which will ask the user
According to Mick Gorill[Assistant their password but not as it is. There will
Information Commissioner in charge of be a random character check for example
enforcement, 2009] insurance companies “Enter your Character 5, 8, 9 or 2,4,1 of
hire private detectives to find out the your password” this might stop the user
medical histories. if the user is an Unauthorised person.
So this clearly shows that the Introducing these techniques helped me to
information in medical records is not understand and learn more about:
private, they can be available globally for  Authentication techniques
good and bad cause. The responsibility of and security constraints.
clinical informatics staff who are  Uses of Information
responsible with dealing information or Technology in Healthcare.
data about every patient should know  Electronic Patient Records
some of the rules like Data Protection and the systems used to
Laws, Security Setting of the Software store retrieve and manage
using, authentication safety techniques these records.
like signing out after using patient’s  What actually happening
profile, not to leave computers unattended in NHS and Clinical
after signing in, who to contact if the Informatics and IT
software does not work or hangs up. If Programmes for
these simple steps are followed there is a improving healthcare.
good chance of improving patient’s  Summery Care Records
information security. which are most
controversial aspect
7.2 EVALUATION because of privacy issues
but if considered the
I have introduced two security measures in benefits of SCR it is very
my report which might be a sensible useful at times of
approach when implemented in Electronic emergency.
Patient Records systems. One of it is the  SQL Injection and types
“Privacy Blocking Settings” which is of Queries and tried some
similar to Facebook Privacy Settings. The queries which are
main reason to adopt these settings is exclusively for
clearly because of the number of users educational purpose.
using them is very high. So these Privacy Implementation of security features like
Settings are not new but giving the patient PKI and Smart card Authentication
the same options to his/her Electronic Mechanism and combination of both the
Patient Record is new and if the user has a techniques must be adopted for even more
Facebook account then he/she can identify tight security.
the Privacy Settings and can manage
according the comfort.
7.3 FUTURE WORK
Second is the “Security Wall –
Authentication Technique”, the most  Multifactor Authentication
common authentication when using a techniques to tighten the security.
website is ID and Password or Unique ID  Involvement of patient’s role in
Numbers. What is the common thing that their own Personal Patient Record
happens after signing in? After entering and providing information on
your ID and PWD the website will security through seminars and
automatically approve your details and practical explanation of Privacy
shows the profile, this is what happens to and how to manage the health
most of the websites. records.
But the second method proposed  Approved clinical staff to operate
here is the page after the user enters ID Computers and Software.
and PWD, the user will not be redirected

11
  Computerised physicians which
means when there is a situation
when the doctor has to prescribe a
patient through Electronic
Prescription Service, the
physicians should know basic
typing, use of printing, use of the
particular software on which they
are depending.
 Knowledge and responsibility
towards Data Protection and
Patient Information
Confidentiality.
 Only implementing costly
software is not really the
conclusion about giving quality of
care to patient.
 Aim should be towards on how to
use the software.
 Security concerns should be
towards Secure Storage, Secure
Communication, management and
implementation and Network
Protection.
As discussed in the report about Security
requirements and Multi Factor
Authentication, the implementation of any
software for clinical purpose must be
securely configured. One recent example
is NHS organisation in North London have
implemented Multi Factor Authentication
by integrating two types of security checks
such as PKI and Smart Card which is to
ensure that patient’s electronic data is not
wasted or damaged nor pointed to any
security breaches.
7.4 FINDINGS
After implementing the whole work there
are few things I now know about Clinical
Informatics:
 Not only Electronic Patient
Records are part of Clinical
Informatics there are many other
aspects of Clinical Informatics
such as Electronic Prescription
Service, separate Lab Report
Services and combination of
Information, Technology,
Physician and Patient is also
Clinical Informatics.
 About wrong usage of data such
as providing access to the
information to Insurance
12
companies and Drug
manufacturing companies even
though there are significant
benefits if the data of a patient is
given to an insurance company.
 Lack of computer and software
application knowledge in clinical
staff.
 Lack of knowledge about
importance of security aspects.
 Summary Care Records will be
automatically uploaded on to the
web if there is no response from
the patient.
 About SQL Injections practically.
 Implementation knowledge about
Domain Name Servers and
Registering Domains.
 About Web Hosting.
 Activities about Department of
Health, NHS plans, Primary Care
trusts, National Programme for
Information Technology and
many healthcare providers and the
role of them in Clinical
Informatics.
7.5 CONCLUSION
Across the whole document there are
several chapters which describe the
aspects of Clinical Informatics and one its
application is the Electronic Patient
Records, the main aim of the system is to
provide improved quality of care to
patients.
Accessing the Electronic Patient
Records or sharing the information in the
records is through a public network like
Internet will never be private. So the
background here is the security which in
turn means to protect the CIA triad of the
data, nothing but Confidentiality, Integrity
and Availability of the data; privacy which
means following each and every terms or
rules and regulations set by the health
department on Data Protection. This is
about the information in Electronic Patient
Records, the security and privacy of the
data can be reduced if only Computer
Literate Employees are working with the
systems or by training a clinical staff.
Summary Care Records are part of
Electronic Patient Records which has only
the summary of patient’s health
information which is accessible by
Clinical staff, Physicians and also by the
Patient from his/her personal computer
through logging into Healthspace which
provide access to the patient to view and
amend changes to SCR.
Based on the SCR programme,
keeping in mind the Patient can have
access to their own records the dissertation
practical is designed specially for the
patient’s who are not well familiar with
Computers, filling electronic forms and
these “User Friendly Authentication and
Blocking Settings” can at least reduce the
patient confusion towards which data to be
exposed and which of the information to
be blocked.
Next big thing is the role of
Government in health department,
Healthcare organisation NHS and
Programme for IT department, how many
billions are spent on Software
Implementations and failures, all the
groups here are concerned about patient’s
data privacy. But more concern should be
towards how securely the software is
installed and who is using the Software,
are they trained and Patient Ownership
towards their own data, these aspects will
bring new confidence in patients who wish
to have an SCR. As discussed about Multi
factor Authentication in the paper and
according to the recent updates on
healthcare and NHS, some of the NHS
organisations implemented 2FA (2 Factor
Authentication) which include using of
PKI (Public Infrastructure Key) and Smart
cards for the user who want to access the
information remotely. While
implementing these high quality security
systems the Patients should be given
information, Notice, Demo about the new
technologies that NHS is currently using,
by doing this the patients who are not
interested in Electronic Records will gain
trust and NHS might get good number of
SCR’s as planned.
8. REFERENCES
Diekema, D. (2010). "Practical Healthcare
Epidemiology." Jama 304(3): 354.
13
Yasnoff, W., P. O Carroll, et al. (2000).
"Public health informatics: improving and
transforming public health in the
information age." Journal of Public Health
Management and Practice 6(6): 67-75.
MacKie-Mason, J. and D. Groth (2010).
"Why an informatics degree?".
NBU, D. (2002). "Michael Fourman."
Groth, D. and J. MacKie-Mason (2010).
"Why an informatics degree?"
Communications of the ACM 53(2): 26-
28.
Hughes, P. (2007). "How health-
informatics practitioners in England’s
NHS view their personal and professional
development." Br J Healthcare Comput
Info Manage 24(4): 20-22.
Hersh, W. (2002). "Medical informatics:
improving health care through
information." Jama 288(16): 1955.
Sarkar, I. (2010). "Biomedical informatics
and translational medicine." Journal of
Translational Medicine 8(1): 22.
Costa, B., K. Fitzgerald, et al. (2009).
"Effectiveness of IT-based diabetes
management interventions: a review of the
literature." BMC family practice 10(1): 72.
[1] [Department of Health. (2010), NHS:
Informatics Planning 2010/11.],
[Department of Health. (2009),
Implementing the Next Stage Review
Visions: The Quality and Productivity
Challenge.]
Gardner, R., J. Overhage, et al. (2009).
"Core content for the subspecialty of
clinical informatics." Journal of the
American Medical Informatics
Association 16(2): 153.
[Bates, D. (2002). "The quality case for
information technology in healthcare."
BMC medical informatics and decision
making 2(1): 7.]
[de Wildt, S., R. Verzijden, et al. (2007).
"Lesson of the Week: Information
technology cannot guarantee patient
safety." BMJ: British Medical Journal
334(7598): 851.]
[Murphy, D., A. Bjartell, et al. (2009).
"Downsides of robot-assisted laparoscopic
radical prostatectomy: limitations and
complications." European Urology.]
[2] [Department of Health. (2002),
Delivering 21st Century IT support for the
NHS: national strategic programme, June
2002, p.1] [Accessed July 2010]
[3] [Department of Health. (2002),
Delivering 21st Century IT support for the
NHS: national strategic programme, June
2002, p.1] Accessed July 2010]
[4] [Greenhalgh, T., K. Stramer, et al.
"THE DEVIL’S IN THE DETAIL.",
2010]
[Greenhalgh T, Stramer K, Bratan T,
Byrne E, Russell J, Hinder S, Potts H. The
Devil’s in the Detail: Final report of the
independent evaluation of the Summary
Care Record and HealthSpace
programmes. London: University College
London; 2010.]
[Rohm, B. and C. Rohm Jr "Clinical
Informatics: A New Paradigm for
Advances in BioMedical Informatics.",
2007]
[Wootton, R. (1996). "Telemedicine: a
cautious welcome." British Medical
Journal 313(7069): 1375.]
[5] [Department of Health. (2006), NHS
Direct Commission Framework April
2006-march 2007: Guidance for Primary
care Trusts on Commissioning NHS
Direct Services from April 2006]
[6] [Department of Health. (2010), 111-
The New Number for the Future of Non-
Emergency Health Service]
14
[7] [Department of Health. (2010) “NHS
Direct Services and new NHS 111
number]
[8] [National Institute for Health and
Clinical Excellence,
www.evidence.nhs.uk, last accessed on 5th
September 2010]
[9] [Department of Health. (2010), “Facts
about EPR electronic patient records
essential reading for all clinicians, NHS
Executive, EPR Programme”]
[10] [Great Britain. Parliament. House of
Commons. Health Committee. The
Electronic Patient Record: progress since
2007: Sixth Report of Session 2006-07]
[11] [ISBN: 0215036123, Great Britain.
Parliament. House of Commons. Health
Committee. Barron, Kevin, The electronic
patient record : sixth report of session
2006-07. Vol. 1 : Report, together with
formal minutes.]
[12] [House of Commons papers. Session
2006-07; HC 422-I
http://www.publications.parliament.uk/pa/
cm200607/cmselect/cmhealth/422/422.pdf
]
[Walport, M. (2010). "Do summary care
records have the potential to do more harm
than good? No." British Medical Journal
340(jun16 4): c3022.]
[Greenhalgh, T., G. Wood, et al. (2008).
"Patients' attitudes to the summary care
record and HealthSpace: qualitative
study." British Medical Journal 336(7656):
1290]
[Gunter, T. and N. Terry (2005). "The
emergence of national electronic health
record architectures in the United States
and Australia: models, costs, and
questions." Journal of Medical Internet
Research 7(1).]
[Johnson, P. and S. Whearry (2010). "The
Identification and Resolution of Ethical
Issues in Health Care: Theoretical and
Practical Viewpoints." Online Journal of
Health Ethics 6(1).]
[Tsai, F. (2010). "Security Issues in E-
Healthcare." Journal of Medical and
Biological Engineering 30(4).]
[Tsai, F., W. Han, et al. (2009). "Design
and development of a mobile peer-to-peer
social networking application." Expert
Systems with Applications 36(8): 11077-
11087.],
[Chen, Y., F. Tsai, et al. (2007). Blog
search and mining in the business domain,
ACM.]
[Dritsas, S., L. Gymnopoulos, et al.
(2006). "A knowledge-based approach to
security requirements for e-health
applications." Electronic Journal for E-
Commerce Tools and Applications.]
[Barrows, R. and P. Clayton (1996).
"Privacy, confidentiality, and electronic
medical records." Journal of the American
Medical Informatics Association 3(2):
139.]
[Dwivedi, A., R. Bali, et al. (2003).
Towards a practical healthcare information
security model for healthcare institutions.]
[Hu, J. and A. Weaver (2004). A dynamic,
context-aware security infrastructure for
distributed healthcare applications.]
[13] [Department of Health. (2003),
Confidentiality: NHS Code of Ethics.]
[Kelly, G. and B. McKenzie (2002).
"Security, privacy, and confidentiality
issues on the Internet." Journal of Medical
Internet Research 4(2).]
[Xiao, L., B. Hu, et al. (2009). Towards
Knowledge Sharing and Patient Privacy in
a Clinical Decision Support System.]
[Van Wingerde, F., J. Schindler, et al.
(1996). Using HL7 and the World Wide
Web for unifying patient data from remote
databases, American Medical Informatics
Association.]
15
[Kohane, I., F. Van Wingerde, et al.
(1996). Sharing electronic medical records
across multiple heterogeneous and
competing institutions, American Medical
Informatics Association.]
[Westin, A. (1996). "Harris-Equifax
consumer privacy survey 1991." Atlanta,
GA: Equifax Inc.]
[14] [UKCHIP, 2009. “Independent
Review of NHS and Social Care IT”.
from http://media.ft.com/cms/bfdf9c1e-
85b3-11de-98de-00144feabdc0.pdf]
[Accessed 5 Aug 2010]
[Hemmings, T. (2000). "PKI: up close and
personal." Health management technology
21(9): 20.]
[Etheridge, Y. (2001). "PKI (public key
infrastructure)--how and why it works."
Health management technology 22(1):
20.]
[15] [Search Security (2010, Sept) “NHS
smart card devices enable secure access to
health care apps.” From
http://searchsecurity.techtarget.co.uk/news
/article/0,289142,sid180_gci1519515,00.ht
ml accessed Sept 10, 2010]
9. BRIEF BIOGRAPHY
Arunkumar Reddy Marepally, M.Sc. is
a graduate student of Computing,
Information Technology and
Engineering, University of East
London, Docklands Campus, University
Way, London E16 2RD.
Dr. Chris Imafidon is a Senior Lecturer at
Computing, Information Technology
and Engineering, University of East
London, Docklands Campus, University
Way, London E16 2RD.
Formerly, Head of Management of
Technology Unit, Queen Mary, University
of London.
Guest Seminar Lecturer at University of
Cambridge.
Guest Lecturer at University of Oxford.