Security tips from the health IT pros

'A CIO has limited authority but infinite accountability.'
By Erin McCann
10:06 AM
Encryption is also deployed enterprise-wide by the folks at Mayo Clinic. In addition to encrypting Mayo-issued laptops, tablets, flash drives, etc., any outgoing email that contains protected health information must be encrypted unless it is going to a Mayo.edu address, said Barbara McCarthy, health information management services and privacy officer of Mayo Clinic in Florida.
 
Mayo also has a data loss protection application, McCarthy pointed out, which monitors outgoing emails and screens them for certain characteristics indicating disclosure of protected health information. If a disclosure occurs, a Mayo enterprise compliance officer addresses the issue in a direct email to the particular user who sent the information. The site privacy officer is copied along with other key stakeholders. "It's a tough email that goes out," said McCarthy, essentially saying, "Get it back, and don't do it again."
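To make the two controls McCarthy describes concrete (the rule that PHI may leave unencrypted only to an internal address, and the DLP screen that flags a disclosure and triggers a direct note to the sender with the site privacy officer copied), here is an added example in Python. It is not Mayo's code or any vendor's product; the PHI regexes, the addresses and the sample messages are constructed for illustration, and "mayo.edu" is taken as the sole internal domain because that is the rule the article states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: the only "internal" destination is the mayo.edu domain named in
# the article; subdomains of it are treated as internal as well.
INTERNAL_DOMAIN = "mayo.edu"

# Constructed PHI indicators. A production DLP tool uses far richer content
# rules (dictionaries, document fingerprints, exact-data matching); these few
# regexes only make the screening step concrete.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[\s:#]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[\s:]*\d{1,2}/\d{1,2}/\d{2,4}", re.IGNORECASE),
    "diagnosis": re.compile(r"\b(?:diagnos(?:is|ed)|ICD-?10)\b", re.IGNORECASE),
}


@dataclass
class OutgoingMail:
    sender: str
    recipients: list
    subject: str
    body: str
    encrypted: bool = False  # True if the message went through the encryption gateway


@dataclass
class Verdict:
    indicators: list           # which PHI patterns fired
    external: bool             # any recipient outside the internal domain
    encryption_required: bool  # PHI present and leaving the organisation
    violation: bool            # encryption required but message went out in the clear


def is_external(address: str) -> bool:
    """Internal means exactly the internal domain or a subdomain of it."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain != INTERNAL_DOMAIN and not domain.endswith("." + INTERNAL_DOMAIN)


def screen(mail: OutgoingMail) -> Verdict:
    """Apply the policy: PHI may leave unencrypted only to internal addresses."""
    text = mail.subject + "\n" + mail.body
    indicators = [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]
    external = any(is_external(r) for r in mail.recipients)
    required = bool(indicators) and external
    return Verdict(indicators, external, required, required and not mail.encrypted)


def compliance_notice(mail: OutgoingMail, verdict: Verdict,
                      site_privacy_officer: str) -> Optional[dict]:
    """Build the follow-up the article describes: a direct note to the sender
    with the site privacy officer copied. Returns None when nothing fired."""
    if not verdict.violation:
        return None
    return {
        "to": [mail.sender],
        "cc": [site_privacy_officer],
        "subject": "Unencrypted PHI sent to external recipient",
        "indicators": verdict.indicators,
        "recipients": [r for r in mail.recipients if is_external(r)],
    }


# Constructed sample traffic; none of these addresses or people are real.
SAMPLES = [
    OutgoingMail("dr.a@mayo.edu", ["nurse.b@mayo.edu"], "Follow-up",
                 "MRN: 00123456, DOB 01/02/1970, diagnosis confirmed."),
    OutgoingMail("dr.a@mayo.edu", ["referral@otherclinic.example"], "Referral",
                 "Patient SSN 123-45-6789, ICD-10 codes attached."),
    OutgoingMail("dr.a@mayo.edu", ["referral@otherclinic.example"], "Referral",
                 "Patient SSN 123-45-6789, ICD-10 codes attached.", encrypted=True),
    OutgoingMail("dr.a@mayo.edu", ["vendor@supplier.example"], "Lunch",
                 "Can we move the meeting to Thursday?"),
]


def run_demo(privacy_officer: str = "privacy.fl@mayo.edu") -> list:
    """Screen every sample and pair each verdict with its notice (or None)."""
    results = []
    for mail in SAMPLES:
        verdict = screen(mail)
        results.append((verdict, compliance_notice(mail, verdict, privacy_officer)))
    return results


if __name__ == "__main__":
    for verdict, notice in run_demo():
        print(verdict, "->", "NOTIFY" if notice else "ok")
```

Two details matter when adapting this: the internal-domain test compares the full domain rather than searching for the string "mayo.edu" anywhere in the address, so a look-alike domain such as mayo.edu.example is correctly treated as external; and the encrypted message to the outside clinic is still recorded as encryption_required, which is the signal a monitoring team would count even though no notice is sent.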

Employee education

As Mayo Clinic's Mark Parkulo, MD, added: sure, encryption is huge and very much necessary, but an organization also has to concern itself with the policies and procedures portion of privacy and security – the employee education piece of the puzzle.

"Some of it is a real education issue," said Parkulo, vice chair of Mayo Clinic's Meaningful Use Coordinating Group, in an interview with Healthcare IT News. "A number of providers and other people don't understand that typical unencrypted email; you're not even sure exactly what locations it's going to, whether it could be intercepted or not."

 
These realities mean Mayo has to host "a lot" of education for providers throughout the year. 
 
In terms of what this education looks like, Parkulo said first Mayo has standard education for employee orientation. On top of that, "then we try to get out multiple times per year, especially if there are issues through email, through grand rounds, through our websites." Sometimes even through the CEO of Mayo Clinic. "We try to get to people as many ways as possible."
 
As McCarthy explained, Mayo has launched an effort at the enterprise level to converge on its HIPAA policy. "This is an all-out effort to get everything standardized across the enterprise with site-specific procedures," she said. "It's really been a great opportunity to refresh folks on what's really been in place."
 
Kaiser's Doggett agreed: getting to all those people is the important thing. "Compliance is everyone's job," he said. "Our code of conduct, compliance policies, and compliance training curriculum make this expectation clear."
 
But be sure to go beyond the mere policies, Sessions cautioned. Healthcare "probably has more policies than they know what to do with," she said. "As far as the written policy, that's great. Connecting to the end users particularly on the security side I think is more difficult."
 
On top of the privacy piece of the puzzle, there's also the security standpoint to consider – and it's far from one-dimensional. 
 
Phil Lerner, chief information security officer of Beth Israel Deaconess Medical Center in Boston, said he has many competing priorities. "Continuous monitoring is a large priority of mine, so having a 360-degree view into whatever the technology may be," he told us. Then, there's supply chain security, "always digital forensics, mobile device forensics, incident response."
 
With threats like the recent Heartbleed vulnerability and cyberattacks only on the upswing – some 40 percent of healthcare organizations have reported a criminal data attack this year, according to Ponemon data – security proves absolutely critical for organizations. 
 
"What's newer at least in the few years as part of continuous monitoring is definitely threat feed analysis," added Lerner. 
 
As the experiences of industry professionals have demonstrated, healthcare privacy and information security are not done in a vacuum. Past incidents show us the industry has time and again said, 'Come and trust us with your most personal information, but don't expect us to have a firewall to protect it; don't expect us not to accidentally post it publicly online, to encrypt it, or to monitor employees who are inappropriately accessing the data.'
 
Past cases have illustrated it's not just a matter of professional obligation and responsibility. It's a matter of cost, reputation and the integrity of the patient-provider relationship. IT is waist deep in it all, for better or for worse. Now, here's to the better.