No shock that protecting any customer’s data is increasingly keeping IT leadership awake at night. Healthcare being perhaps the penultimate example, organizations constantly wrestle with balancing availability of data with security concerns. Yet healthcare presents inherent challenges that go well beyond the realm of the traditional IT purview.
How big is the problem?
Healthcare organizations, as Health Portability and Accountability Act (HIPAA) covered entities, are required to report breaches of patient health information (PHI) to the U.S. Department of Health & Human Services. Breaches are posted on the HHS Office of Civil Rights (OCR) Breach Portal or “Wall of Shame” as it is more commonly known. In 2018 alone, breaches affecting over 11 million individuals in the US were posted to the WOS and just under half (213 incidents, affecting 4.6 million individuals) had reasons other than “Hacking/IT”. So, while hacking is an effective way to collect illegal data, it is by far, not the only threat these organizations face.
What makes healthcare unique?
Factors influencing the unique challenge in healthcare include high provider turnover, frequent process change, and the growing amount of confidential data. To complicate matters, this information needs to be shared across organizations for the benefit of patients daily.
For example, envision the patient journey from a hospital setting to a rehabilitation facility. During the inpatient stay the patient sees multiple physicians, who come from separate organizations, and clinical staff. Clinical data must be readily available. Upon transitioning to the outpatient facility, records must be shared to ensure seamless patient care. Once care is complete a summary of services is sent to the payer and financial remittance back to each organization. Lastly, communication with the patient requires care plans, Explanation of Benefits (EOBs), and medical bills.
In each step confidential information must be shared, and limiting access is problematic. Providers need data to identify patients and make treatment decisions, and payors require data to pay for care. This results in an entire industry where sharing information is critical, the human factor is high, and the stakes of a breech are potentially disastrous. For leadership, this means crafting a plan of action that includes technology, process, and human behavior pillars.
What can organizations do to address this?
Healthcare organizations will continue to invest in industry standard security tools and technologies to protect their digital assets, but the security model can’t end with deploying technology. A better security model also needs to address people and process, and all organizations should develop or review their security policies & processes to include:
· Regular reviews of ePHI security via a security risk analysis.
· An action plan (and regular follow-up) to address identified vulnerabilities.
· Consistent monitoring, auditing, and updating security technology and policies.
· An employee training program (bi-annual training with monthly updates at a minimum).
While creating the security model, it is vital to engage key stakeholders, specifically physicians and clinical staff. Understanding how these groups use information in collaboration with other organizations builds credibility and helps ensure they understand the value of data security and their role in the overall security architecture to avoid the inevitable “work-arounds” that occur when security is too cumbersome.
Why the sense of urgency?
Ultimately, every provider IT department’s goal is to maximize the benefits of data availability (quality care, patient safety, better outcomes) while minimizing the risk of a breach in security. But healthcare organizations have an added imperative as exemplified by the oaths taken by physicians, most popular is the Hippocratic Oath. Regardless of the version, a ubiquitous theme is the privacy of patients for “their problems are not disclosed to me that the world may know”. The responsibility of the organization to uphold these values no longer ends with the doctors and nurses, information technology has become a critical piece of this equation. As consumers demand more and more electronic access to their healthcare providers the risk of a data breach will continue to grow and unless properly addressed and managed, IT leaders will continue to lose sleep over the risk of patient data being exposed.
Brian Hadfield is an experienced management consultant professional with deep expertise in technology, business strategy, operations, process improvement, user experience and program management. Brian combines his technical knowledge with strong business acumen to help clients build clear operational plans leading to measurable results.
Forum Solutions is a management consulting company that works with Seattle’s business and nonprofit leaders to build and implement effective strategies for transformative growth and sustainable results. Forum offers clients the right skills for every job: strategic expertise, lean execution and agile resourcing – improving businesses at any level – from the executive suite to the individual contributor.