Security: healthcare's fixer-upper

The alarming state of affairs, how the industry's slack security is bad for business and what some are doing to step it up
By Erin McCann
10:36 AM
Mayo also has a data loss protection application, McCarthy pointed out, which monitors outgoing emails and screens them for certain characteristics indicating disclosure of protected health information. If a disclosure occurs, a Mayo enterprise compliance officer addresses the issue in a direct email to the particular user who sent the information. The site privacy officer is copied along with other key stakeholders. "It's a tough email that goes out," said McCarthy, essentially saying, "Get it back, and don't do it again."
 
As Mayo Clinic's Mark Parkulo, MD, added: sure, encryption is huge and very much necessary, but an organization also has to concern itself with the policies and procedures portion of privacy and security – the employee education piece of the puzzle. "Some of it is a real education issue," said Parkulo, vice chair of Mayo Clinic's Meaningful Use Coordinating Group, in an interview with Healthcare IT News. "A number of providers and other people don't understand that typical unencrypted email; you're not even sure exactly what locations it's going to, whether it could be intercepted or not."
 
These realities mean Mayo has to host "a lot" of education for providers throughout the year. 
 
In terms of what this education looks like, Parkulo said first Mayo has standard education for employee orientation. On top of that, "then we try to get out multiple times per year, especially if there are issues through email, through grand rounds, through our websites." Sometimes even through the CEO of Mayo Clinic. "We try to get to people as many ways as possible."
 
As McCarthy explained, Mayo has launched an effort at the enterprise level to converge on its HIPAA policy. "This is an all-out effort to get everything standardized across the enterprise with site-specific procedures," she said. "It's really been a great opportunity to refresh folks on what's really been in place."
 
Kaiser's Doggett agreed: getting to all those people is the important thing. "Compliance is everyone's job," he said. "Our code of conduct, compliance policies, and compliance training curriculum make this expectation clear."
 
But be sure to go beyond the mere policies, Sessions cautioned. "(Healthcare) probably has more policies than they know what to do with," she said. "As far as the written policy, that's great. Connecting to the end users particularly on the security side I think is more difficult."
 
On top of the privacy piece of the puzzle, there's also the security standpoint to consider – and it's far from one-dimensional. 
 
Phil Lerner, chief information security officer of Beth Israel Deaconess Medical Center in Boston, said he has many competing priorities. "Continuous monitoring is a large priority of mine, so having a 360-degree view into whatever the technology may be," he told us. Then, there's supply chain security, "always digital forensics, mobile device forensics, incident response."
 
With threats like the Heartbleed vulnerability and cyberattacks on the industry only on the upswing – some 40 percent of healthcare organizations have reported a criminal data attack this year, according to Ponemon data – data security proves absolutely critical for organizations. 
 
"What's newer at least in the few years as part of continuous monitoring is definitely threat feed analysis," added Lerner. 
 
As the experiences of industry professionals have demonstrated, healthcare privacy and information security is not done in a vacuum. Whatever information technology departments or privacy officers do with the data from a technical and administrative standpoint, there also exist the corresponding clinical implications. It's simple cause and effect. Compromise the most personal of data, and you compromise the relationship between provider and patient. 
 
Past incidences show us the industry has time and again said, 'Come and trust us with your most personal information, but don't expect us to have a firewall to protect it; don't expect us not accidentally to post it publicly online or encrypt it or monitor employees who are inappropriately accessing the data.' They've said, 'we care – but not a whole lot.' Healthcare privacy and security needs a shakeup, an overhaul, a revamp of policies and system security. 
 
It's not just a matter of professional obligation and responsibility. It's a matter of cost, reputation and the integrity of the patient-provider relationship. IT is waist deep in it all, for better or for worse. Now, here's to the better.

 

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.