Central Queensland University
Faculty of Health, Engineering and Science
ECU Security Research Institute/eHealth Research Group
Information security is a necessary requirement of information sharing within an electronic health system because without it confidentiality, availability, or integrity controls are absent. Research shows that the application of security in this setting is subject to workarounds partly because of resistance to security controls from clinicians who feel that their voice is excluded from the security design process. Heeks' explored the nature of health system design and referred to the distance between system designer and practitioner as the 'design-reality gap'. To reduce this gap, systems designers typically deploy usercentred, participatory approaches to design. They use various forms of consultation and engagement to ensure that the needs of users are responded to within the design and that users understand the design process and constraints. Whilst there is evidence to suggest that the overall electronic health records (EHR) system design has increasingly used elements of a participatory, human-centred design approach, the security elements of design are still technology-focused. This discussion paper characterises the problem, outlines the principles of Heeks' Information, Technology, Processes, Objectives, Skills, Management Systems, Other Resources (ITPOSMO) framework, and then uses this framework to evaluate security dimensions of both the UK and Australian EHR programmes. The resulting proposal for a 'communities of practice' approach as an alternative start-point to healthcare systems security design, provides a basis for reconceptualising the integration of security practices into EHR systems. In the increasingly distributed and complex environment of healthcare delivery, this new approach can help to address the fundamental challenges experienced in healthcare security practice today.