A National Minimum Health Log Standard; SAMILOG

Abstract

Aim: Health data is considered highly sensitive, and the protection of health data is an ethical and legal responsibility. Healthcare organizations use various security measures and techniques to adopt a secure electronic health records system, including keeping log data. HIS developers kept the log records according to their needs by making the necessary coding for the "change-delete" triggers. Therefore, the need to develop a common standard for keeping diaries in health information systems was felt. This standard was considered a guide for software developers. This standard was named SAMILOG (Minimum Log Standards in Health). In this study, the development process of SAMILOG is explained. Method: Focus group meetings were held with seven developer companies. Several scenarios of unauthorized access or data breaches in a health information system were created. The participants discussed each scenario and evaluated the best methods for keeping logs and which data should kept log in each case. Previously, a standard called VEM was developed to assist data migration, when HIS software of a hospital changes. The data field names of VEM standard were also used in this new standard. Results: In SAMILOG 1.0, it was defined which of the data elements in each VEM set should be logged, it required an update for SAMILOG as the VEM was updated. Conclusion: SAMILOG v1.0 was announced in 2016. In case of a security breach related to the past in the health data of public hospitals in Turkey, primarily the data logged within the scope of SAMILOG are examined.

Keywords

• Computer security
• health information systems
• privacy
• electronic health records

References

1. European Union, Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. (1995). Available at: https://www.refworld.org/docid/3ddcc1c74.html Accessed 16 May 2023.
2. Das, R., Baykara, M., & Tuna, G. (2017). Cryptolog: A new approach to provide log security for digital forensics. IU-Journal of Electrical & Electronics Engineering, 17(2), 3453-3462.
3. Gostin, L. O., Levit, L. A., & Nass, S. J. (Eds.). (2009). Beyond the HIPAA privacy rule: enhancing privacy, improving health through research.
4. Isleyen, F., & Ulgu, M. M. (2020). Data Transfer Model for HIS and Developers Opinions in Turkey. In Digital Personalized Health and Medicine (pp. 557-561). IOS Press.
5. Li, G., Hart, A. ve Gregory, J., (1998). Flocculation and sedimentation of high turbidity water, Water Resources, 25, 9, 1137-1143.
6. ISO. (2013). ISO/IEC 27001:2013(en) Information technology — Security techniques — Information security management systems — Requirements. Last accessed: 09 28, 2022 https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en.
7. Kişisel Verilerin Korunması Kanunu (2016). Resmi Gazete (Sayı: 29677) https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=6698&MevzuatTur=1&MevzuatTertip=5. Accessed on 23rd Jan 2022.
8. Kişisel Sağlık Verileri Hakkında Yönetmelik. (2019). Resmi Gazete (Sayı: 30808) https://www.resmigazete.gov.tr/eskiler/2019/06/20190621-3.htm Accessed on 23rd Jan 2022.

9. Krueger, R.A. & Casey, M.A. (2015) Focus Groups: A Practical Guide for Applied Research. 5th Ed. Thousand Oakes: Sage Publications.
10. Kuo, K. M., Talley, P. C., & Lin, D. Y. M. (2021). Hospital Staff’s Adherence to Information Security Policy: A Quest for the Antecedents of Deterrence Variables. INQUIRY: The Journal of Health Care Organization, Provision, and Financing, 58, 00469580211029599.
11. Malin, B., & Airoldi, E. (2007). Confidentiality preserving audits of electronic medical record access. Studies in health technology and informatics, 129(1), 320.
12. Moore, I. N., Snyder, S. L., Miller, C., Qui An, A., Blackford, J. U., Zhou, C., & Hickson, G. B. (2007). Confidentiality and Privacy in Health Care from the Patient's Perspective: Does HIPPA Help?. Health Matrix, 17, 215.
13. Oh, S. R., Seo, Y. D., Lee, E., & Kim, Y. G. (2021). A comprehensive survey on security and privacy for electronic health data. International Journal of Environmental Research and Public Health, 18(18), 9668.
14. Ross, R. S. (2018). Risk management framework for information systems and organizations: A system life cycle approach for security and privacy.
15. Sameera V, Bindra A, Rath GP. Human errors and their prevention in healthcare. J Anaesthesiol Clin Pharmacol. 2021 Jul-Sep;37(3):328-335. doi: 10.4103/joacp.JOACP_364_19. Epub 2021 Oct 12. PMID: 34759539; PMCID: PMC8562433.
16. Tariq, R. A., & Hackert, P. B. (2018). Patient confidentiality. Available from: https://www.ncbi.nlm.nih.gov/books/NBK519540/