How Kaiser does privacy and security

'Compliance is everyone's job'
By Erin McCann
06:05 AM

Q: It seems so simple and straightforward: Healthcare security is not just about getting the latest computers and technology. The policies and compliance culture also prove integral, but these are often underemphasized by healthcare entities. Talk about how Kaiser fosters a culture of compliance with regard to privacy and security.

A: At Kaiser Permanente, compliance is everyone's job. Our code of conduct, compliance policies and compliance training curriculum make this expectation clear, and it is the foundation of Kaiser Permanente's compliance culture. Through these and other initiatives, we promote a culture of compliance that emphasizes the importance of maintaining the privacy and security of our members' information and an environment where individuals can feel safe to raise compliance concerns.

Q: Kaiser Permanente has reported a few HIPAA breaches in recent years, not unlike the majority of healthcare organizations. What is Kaiser Permanente’s process of responding to a threat or breach?

A: Kaiser Permanente is committed to safeguarding member and patient protected health information. Our first and foremost priority is the protection of member data by stopping any threat or breach.

After containing the issue, we then perform analysis to determine the root cause, add security measures to ensure it doesn't happen again, and inform those who need to be informed.

In addition, we have a comprehensive risk and security strategy that includes policies; mandatory annual training of all staff and physicians; ongoing education via communication channels such as websites; as well as advanced surveillance and security monitoring mechanisms.

Q: Regarding your work, what keeps you up at night? What’s top of mind for you right now?

A: Because the industry and government regulators have not developed criteria to secure connected clinical devices, the proliferation of these clinical devices connecting to hospital networks is an area that every healthcare provider must be assessing. Securing and monitoring these connected clinical devices and associated bio-device networks is critical. As with most companies today, the threat of advanced persistent threats and organized crime is also top of mind.

Q: Lastly, how do you connect the clinical end with the compliance side of things? For instance, how do you get staff and employees on the same page with privacy and security?

A: Today, many healthcare providers use electronic medical records, which allow the industry to take a much more proactive approach to monitoring security and privacy. For example, most electronic medical record systems include the ability to monitor appropriate or inappropriate access to specific patient records, which is a benefit we never had with paper medical records.

Key to compliance is training, training, training, and then more training. Just as critical to protecting our electronic medical record is also privacy and security education and training for employees. Employees must understand their role in protecting sensitive data.
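The access monitoring described in the answer above, as an added example that is not Kaiser Permanente's code or a real EMR's audit format: it parses constructed audit-log lines (timestamp, user, role, patient id, action), checks each access against a constructed care-team roster, and flags users who open many distinct patient records in a short window. The log format, the roster, and the thresholds are assumptions.

```python
"""Flag inappropriate access to patient records from EMR audit-log lines.

Added example; the log format, roster and thresholds are assumed, and the
sample data below is constructed. Real EMR audit logs and care-relationship
data will look different.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit-log lines: timestamp,user,role,patient_id,action
SAMPLE_LOG = """\
2024-03-01T08:01:10Z,dr_ahmed,physician,P1001,view
2024-03-01T08:03:22Z,nurse_kim,nurse,P1001,view
2024-03-01T08:05:00Z,nurse_kim,nurse,P1002,view
2024-03-01T08:07:45Z,clerk_lee,billing,P1001,view
2024-03-01T08:08:01Z,clerk_lee,billing,P1002,view
2024-03-01T08:08:15Z,clerk_lee,billing,P1003,view
2024-03-01T08:08:30Z,clerk_lee,billing,P1004,view
2024-03-01T08:08:44Z,clerk_lee,billing,P1005,view
2024-03-01T08:09:02Z,clerk_lee,billing,P1006,view
2024-03-01T09:30:00Z,dr_ahmed,physician,P1003,view
"""

# Constructed care-team roster: users with a treatment relationship to each
# patient. In a real system this comes from encounter/scheduling data.
CARE_TEAM = {
    "P1001": {"dr_ahmed", "nurse_kim"},
    "P1002": {"nurse_kim"},
    "P1003": {"dr_ahmed"},
}


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text):
    """Parse the assumed CSV-style audit format into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        events.append(AccessEvent(
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, role, patient, action))
    return events


def no_relationship(events, roster):
    """Accesses by users who are not on the patient's care team."""
    return [e for e in events if e.user not in roster.get(e.patient, set())]


def volume_anomalies(events, window=timedelta(minutes=5), threshold=5):
    """Users who view >= threshold distinct patients inside any sliding window.

    Returns {user: max distinct patients seen in one window}.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)
    flagged = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            distinct = {e.patient for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in no_relationship(evs, CARE_TEAM):
        print(f"no care relationship: {e.user} -> {e.patient} at {e.ts:%H:%M:%S}")
    for user, n in volume_anomalies(evs).items():
        print(f"high-volume access: {user} viewed {n} distinct patients in 5 min")
```

On the constructed data both checks point at the same user, which is the kind of finding that goes to the privacy office for review rather than being treated as proof of misuse: some roles (billing, release of information) legitimately touch many charts, and emergency "break the glass" access is expected to fall outside the roster. Thresholds and roster sources should therefore be set per role and per workflow.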
