The transformation of HIPAA from a toothless herbivore into a fierce meat-eater began with a few high-profile prosecutions that concluded in significant fines. Since that time, the government has been working to add ever more claws to this growing beast. The most recent of those has been an accounting of disclosures NPRM, which seeks to define exactly what type of information a patient is entitled to regarding access to their EHR after their hospital stay. The NPRM created a firestorm of response, largely critical, due to the onus it would place on IT and compliance departments. But more than this one rule, healthcare organizations can see the writing on the wall, with CIOs understanding that security needs to be shored up, quickly and efficiently. To gauge what others are doing with respect to staff education on the dos and don’ts of security, Albany Medical Center EVP/CIO Buddy Hickman issued a survey to his fellow CHIMErs. To learn more about his motivation for issuing the survey, the results, and how he plans to turn lessons-learned into policies, healthsystemCIO.com caught up with the New York-based CIO.
- Breaking down the survey results
- Do you add another class? “I’m very sensitive to the number of things that we have going on in the medical center that require workforce members to be trained and aware of.”
- Best practice in governance
Guerra: Let’s go through your survey. Question one, you asked about specific actions organizations had put into place regarding educating the workforce about HIPAA and IT security. The number one answer there, 76 percent, said they were integrating it into an existing training program. Do you think that’s sufficient?
Hickman: Well, I would consider this a foundational question because, in part, we wanted to see how formal or informal organizations were being. And, in this case, you can see that 77 percent, 76.6 percent, are doing something formal. You’ve got 5.4 percent doing something ad hoc. And you’ve got 18 percent who are not doing anything formal yet. And I’d be concerned if I were in that last category based upon where the standards have to be now. In fact, it’s our view that if you really understand the regs, in terms of what’s coming, you need to be active on this topic and doing something formal. The question is: how far do you go?
Guerra: Some are bringing in third-party resources to help with training — will you go down that road?
Hickman: We’ll probably look to see what content is already available. We’ve created two forms of training. One is in our annual competency training, which every workforce member has to take — that is a matter of compliance and employment.
We have a number of security awareness questions. That’s one level of dive, so to speak. And then we have a deeper dive where we offer, probably quarterly, a didactic classroom-based IT security course that our workforce members can take optionally. Now, as an enticement, we’ll usually have some content there that’s helpful for people to know with even some home computing in their home networks, and so on, so that people say, “Okay, I’ll get something out of this even.” But we don’t require people to do that.
In that presentation though, or that didactic classroom approach, we’ve got a very deep slide deck. And it covers a lot of ground, Anthony. We’re looking at that to say, “What are other people doing with it?” We’re looking at what modules might be bought in from purveyors of web-based tools. We’re also asking some of our colleagues out there what their decks look like, what do they have in it, so that we can do some cross comparison.
We think it is a combination of the two. We think we do need the computer-based annual competency awareness required sort of thing. We think we need to complement that with deeper dive. We’re sorting through things right now, such as how much content are we going to put in the annual competency-based review or are we going to add an additional module that says you also have to do this one. Because we’re believing that it’s important enough that we can’t stop where we’re at today. We’re going to have to raise the bar given the expectations. Not only to deal with the regs, but it’s simply the right thing to do. Folks do need to understand the right sorts of things to be doing when they’re using computing tools.
Guerra: Question two of your survey: which of the following do you use to promote security awareness? You gave six choices. Training classes, 82 percent; email messages, 62 percent; and then we have a second tier between 15 and 30 percent of screensavers, posters and Windows popup messages. Lastly, we have mouse pads. What did you think about the results?
Hickman: You know, I’m not surprised. I think doing things with screensavers and other passive things like when the computer is not in use is a good idea, but we’re finding folks want to use that same technique for clinical content messages or other things that might be relevant to the workforce, such as hand hygiene reminders. So, in the end, all of these means are competing for our workforce members’ time and attention.
So I’m not surprised with this distribution, and the distribution falls in line with where our energies are. You just wonder what the right thing to do is. In the end, I know that doing something classroom-based is very important. Email messages seem to be a really big approach for folks. But you and I both know that the delete key is really easy to hit when you look at the subject and the source, and so on, without actually opening the email to see what’s in there.
We have to be careful about the noise factor as well. Eventually, you know, you do get diminishing returns if every time you turn around, you’ve got a flashing screen that reminds you of something.
Guerra: Right. Definitely. As you mentioned, you have finite resources, and so, you have to really pick and choose what you’re going to use here, and just because we have these percentages of what they’re using, we don’t know the effectiveness. So, 23 percent are using posters. But, you know, how do we know if those are effective, right?
Guerra: The next question asks: Do you require all workforce members to attend HIPAA Security Training? The overwhelming majority say yes, 85 percent. Again, 15 percent say no.
Hickman: Right. If you look at the next two questions, you get more context. Most, 96.7 percent, do training annually. It sounds like others are embedding it in the required annual competency review process that’s associated with touching so many other compliance things, such as licensing requirements, and so on.
As far as the training medium, computer-based training seems to be the most common thing. You had 84.4 percent. And then question six is about sanctions against workforce members who do not attend — 81.7 percent say they do use sanctions. The idea is that employees have to do this — that it becomes a requirement for being in the workforce.
Some others said if you don’t deal with this and take care of the security part of the training, we actually remove your account privileges, in which you can’t have access to a computer until you’ve become compliant. It was clear from the comments that other HR actions might take place, such as counseling and, eventually, suspension.
I think it’s a matter of culture in terms of how far you take enforcement with the workforce members. But it’s at least comforting to see that organizations believe that the reward and reinforcement system should consider how important this is, and that, yes, workforce members are reinforced to get through this training process in a very serious way. We’re studying down what else we want to do.
In our case, we do a quarterly leadership meeting that includes all the management staff across our medical center, which is a couple of hospitals and a big practice in a medical college. We’ll have 300 people in a big auditorium being addressed by our present CEO, Jim Barba, and addressing other things that are important for that quarter’s messaging to the workforce. We’ll have an IT security item on that agenda at the upcoming meeting as an awareness aside. And it’ll be very tight in terms of the amount of time that we take on the floor. But we’ll be emphasizing certain matters of awareness and the kinds of things that are happening out there and why it’s important. We’ll emphasize that people need to take these messages to the workforce and also get people through the training processes.
Guerra: So, 97 percent are doing annual training. Do you think that’s enough?
Hickman: I think once a year is going to be very important since we’re making it part of that annual process that’s associated with all these other things. The question I have is do we lay in yet another class, whether it’s annual or semi-annual, that provides deeper content? I’m very sensitive to the number of things that we have going on in the medical center that require our workforce members to be trained up and constantly aware.
IT security is not the only thing. It’s very, very important. But there are a lot of things that meet that same level of importance. So, for me as an IT professional to say, “We have to do it this way,” is unfair — that is why we have a leadership team comprised of the folks that I mentioned, with various competencies and a real understanding of all the competing matters. That’s why we sit down together and find ourselves negotiating to reach the right answers for the organization and our workforce.
Guerra: Question seven: who’s responsible for ensuring HIPAA security training? Interesting results here — human resources came in at 17 percent. But it’s almost a split in the lead between organizational training and development at 44 percent and IT security at 40 percent.
Hickman: My interpretation was kind of simple on that. It might be a question of administration of the training. In other words, who is it going to hand off to, and is that content commingled with a lot of other things. It would be common to have that owned by organizational training and development if you have such a function. Some folks might not have that. They might have one HR process that takes care of a lot of things.
And then for those organizations that are interpreting this more strictly in terms of who’s really building that content and making sure it’s the right stuff, and sometimes even teaching it, that’s why IT security is mentioned. So, the fact that today it seems to be spread out, that to me is more a factor of interpreting the question, not so much indicative of a turf issue.
Guerra: Well, let’s go into the governance issue a little bit. You mentioned your IT oversight committee — tell me how you have governance set up and if you’ve made any adjustments recently.
Hickman: So we put together an IT security oversight committee a little over a year ago. I mentioned who the constituents are on that group. We’ll look at all matters of policy and standards quarterly. We’ll do reviews of a number of items to see what the outcomes were. We’ll look at and talk about the IT security-related incidents that have occurred, whether there have been investigations. Perhaps we’ll even have a little bit of discussion around the discovery matters if there’s litigation there, but it’s a little sensitive given some of the attorney/client privilege matters that would be present.
What I’m finding is that the audit and compliance committee of our board is much more interested in this topic, as they should be. Issues around PHI are becoming much more regulated, compliance has to be involved in terms of measuring it and understanding it. There needs to be a reporting process for the organization. From five years ago to now, there’s definitely a difference.
Our auditors, I’ve mentioned this when I was speaking to our auditing compliance committee of the board, are much more engaged. I brought in a four-inch binder and said, “Okay, in 2004, when they did the security controls review, this would have represented the work papers. Today, five of those represent the work papers.” So the level of scrutiny and understanding of what’s going on is appropriately to a higher standard as well.
The technologies that are available to us for deployment certainly are much more capable than they were a few years back. What’s now crucial is our ability to make choices around the rest of IT security versus other things that are critical to our mission. So, if you were to ask me — from a security and assurance standpoint, considering actual recovery and uptime availability and all the things that fit in that bucket — are you comfortable? My answer is, I’m as comfortable as I can be. Do I sleep at night? Well, a few hours, yes, because there are things that keep us all up at night, not just CIO types but the guys who are in the hospital, the guys who are at the practice, the college and so on. We all are making all kinds of choices all the time that are risk-reward decisions, and hopeful that we’re picking all the right things.
So governance is much more attuned. We have more management committee activity than we have had before. And we’ll continue to see that be the trend for the time to come.
Guerra: If you have the optimal governance in place, you’ve at least got a shot at success, but if you don’t, you’ve got no chance.
Hickman: Yes. And it’s great when you’ve got a board, like we do, where the leaders come from businesses that have an appreciation and understanding of these things too. I mean, we’ve got a lot of folks from financial institutions where the same sorts of controls that are being discussed now in healthcare are already commonplace. I can stand and talk about data center tiering and N+1 infrastructure and their heads are nodding because these guys know what I’m talking about. They get it.
Guerra: Anything else you’re going to do differently based on the survey results?
Hickman: The results themselves were probably more validating to us than anything else. We’ll continue reaching out to some select organizations to see what they’re doing. I’m sure, within the next couple of months, we’ll have a position as to what we do next.