Navigating compliance vs. productivity in healthcare IT security
In recent years—and especially surrounding the launch of the Affordable Care Act (ACA) and Healthcare.gov—the healthcare industry has focused more and more on compliance (some would even argue that compliance has taken precedence over patient care). Yet many healthcare professionals are still unaware of what is and is not within the boundaries of regulatory requirements.
What does the Health Insurance Portability and Accountability Act (HIPAA) actually say? Do its requirements apply to your organization? While these may be somewhat easy questions for IT professionals, surprisingly, many frontline workers can't answer them. General awareness around information security isn’t much better, either.
The more important question to ponder: Has your IT staff created an environment that caters to information security, compliance, and patient care?
Security and compliance vs. productivity and care
Despite a glaring lack of general awareness, the core issues that hamper security and compliance initiatives run much deeper than a lack of education.
The real problem lies with healthcare IT departments, which often make it incredibly difficult—if not impossible—for providers to deliver fast and efficient care in a secure, compliant manner. Often, IT policies and technology become a roadblock, forcing doctors and nurses into a tough decision: bypass IT policies to deliver care faster and more efficiently, or work within the boundaries of security and compliance but risk delaying patient care. For most care providers, the choice is an easy one: Providing quick, high-quality care wins every single time.
Of course, it’s hard to argue that prioritizing patient care is wrong, but in doing so, many healthcare professionals are turning to insecure, third-party tools to get the job done. While this can speed up day-to-day work, it puts confidential patient information at risk, and represents a major breach in compliance.
Cost of breaches, compliance rise
According to the Ponemon Institute’s “2013 Cost of a Data Breach Study,” 94 percent of surveyed healthcare organizations had experienced a data breach within the past two years. In the first quarter of 2013 alone, more than 875,000 records were exposed via breaches. The study also shows that the cost of data breaches is on the rise—up to a potential $1.5 million per record lost after the HIPAA Omnibus rule went into effect this September.
Bridging the gap between IT and health professionals is an absolute necessity to keep security breaches to a minimum. Here are five ways IT can better collaborate with care providers to eliminate data breaches and prioritize patient security.
1. Walk in your colleagues’ shoes
Expectations around information sharing have transformed dramatically in the past couple of years. Are your IT policies and file-sharing technologies evolving with them?
Doctors, nurses, and other healthcare professionals are under immense pressure to deliver top-notch service to more people than they can typically handle. When the technology at their disposal isn’t user friendly, the overbearing strain on their time forces them to choose the path of least resistance, which often means forgoing established patient security protocols for more convenient and familiar options, including insecure personal email, mobile devices, and third-party sites like Dropbox. This is especially true when contacting patients while working remotely at home or on the road.
IT cannot (and should not) prevent health professionals from providing excellent, around-the-clock care, but it is IT’s responsibility to ensure the privacy of every patient under all circumstances. Most third-party tools present major risks, but can you really blame your employees for using them if you’re not providing them with a better means to move and access information?
2. Eliminate destructive habits
A portion of that responsibility is limiting the insecure and non-compliant tools available to medical professionals. When employees are in a time crunch, it is tempting to fall back on technology that is more familiar and user friendly than what is available internally.
In October, Google agreed to sign a Business Associate Agreement, effectively labeling its widely used tools as HIPAA compliant. The change has been a long time coming, and competitors, including Microsoft, have also agreed to make the leap. Google Drive, Google Calendar, and Gmail are now accepted tools with which medical professionals can store and move patient data.
While this may be a crossroads of prominent consumer applications meeting enterprise needs, Google’s move is far from a quick fix.
Google’s platforms may be HIPAA compliant, but, as with any tool, compliance depends on the user. Using Gmail to share information with another system on the same network is considered secure—however, any clinician who accesses that account with a mobile phone has stepped out of bounds. As always, it all comes back to education. Google's agreement to make its tools HIPAA compliant could encourage misuse by employees who are not fully aware of the implications.
3. Provide secure, encrypted, productivity-enabling tools
If your department takes action to prohibit the use of certain ways of doing business, be sure you’re providing a reasonable alternative solution that meets your end users' day-to-day business needs.
It is IT’s responsibility to equip its staff with secure and easy-to-use tools that protect data in motion. These tools need to meet all regulatory requirements, including the most recent changes to HIPAA and ACA.
Most importantly, though, any new tool or policy must meet the new information-sharing needs of today’s care providers. Doctors routinely check records, share information with other medical professionals, and take calls while outside of the protected network. If IT’s offerings don’t enable this level of remote productivity, adoption of the new tool or policy will be a major issue.
4. Educate employees around security risks
IT knows the boundaries of security and compliance. It is critical to educate the workforce around the organization’s policies as well as overarching regulatory requirements set at a federal level.
Although courses in compliance and patient privacy are required in most medical education programs, technology is constantly evolving and, as a result, blurs the lines established by HIPAA and individual organizations.
Teach your staff about familiar tools that should be avoided when handling sensitive patient data, and the inherent risk of data breaches. Do they understand the consequences faced in the event of a breach? The cost? Breaches are multi-faceted issues, affecting the organization, its partners (for-profit and non-profit), and most importantly the patient whose information is being put at risk.
5. Drive adoption
Health providers can tell you what they need most when working with patients onsite or remotely, but they do not (usually) understand IT. Collaborate with them on which tools are most appropriate for their day-to-day circumstances, and develop safeguard policies to protect patient data.
While integrating new tools and policies, review them frequently to iron out any kinks. Eventually, you will develop a system that employees respect and that successfully maintains compliance while exchanging sensitive data.
As a best practice, monitor technology usage rates once each quarter. If you haven’t measured adoption in a while, you might be surprised by what you’ll find, but uncovering any issues today will save you significant time, money, and headaches in the future.
About the Author:
James Bindseil is the president of Globalscape, which is a developer of secure information exchange solutions. Bindseil has over 20 years of experience in the technology industry, including senior leadership roles at Fujitsu, Symantec, and AXENT Technologies.