In partnership with CHIME, healthsystemCIO.com has developed a blogger series featuring insights from hospital and health system CIOs and other key IT leaders representing organizations from around the country. The blogs, which will be featured on our site on a biweekly basis, will focus on the major issues affecting CIOs, including the health IT workforce shortage, mobile device management, and federal regulations. The first entry in the series comes from Todd Richardson, CIO at Deaconess Health System, a six-hospital organization located in Evansville, Ind.
As healthcare CIOs, we all have a lot in common with regard to the work that we get involved with. And while we are all saddled with the loathsome burden of ensuring that our hospital and departmental Policies and Procedures are intact, it seems that every organization approaches these documents in a different manner.
There seem to be two prevailing camps when it comes to P&P development, those being: 1) ‘We need P&P to cover every specific issue that could arise,’ and 2) ‘Let’s keep them to a minimum and at a high-level to cover broad issues.’ I find myself squarely in camp #2 and will attempt to demystify this topic and put some logical framework around it.
Policy is often a word that is thrown at every document in our fold, when many of these should really be standard operating procedures (SOPs) or guidelines. So first off, we need to establish what sort of documents actually fall into the category of policy. We have the obligatory information security policies that we are required to have under HIPAA (Access Control, Data Protection, Acceptable Use, Workstation Security, Workforce/HR Security and Sanction Policies). After these, things get a little murky and tend to take on the culture of the organization.
If written well, the information security policies and your HR department’s policy on ‘Standards of Conduct’ can cover the various scenarios typically addressed in specific policies. As an example, do we really need a policy on ‘Mobile Devices’? Not if the Acceptable Use, Workstation Security and Standards of Conduct policies are written correctly. How about a policy on ‘Social Media’? This topic should be covered by the Standards of Conduct and Acceptable Use. And when I say covered, I don’t mean spelled out explicitly, but under a broader heading.
Topics such as ‘How to obtain IT equipment,’ ‘How to report a problem,’ etc. are best put into SOPs and published for consumers of IT. Specifics such as how we protect our devices from malware, what OS we use on our PCs, or the makes and models of our devices would fall into the ‘Guidelines’ category, as these will change more frequently and shouldn’t be bogged down in the ‘policy approval process’ that can be rather arduous to get through, not to mention time-consuming.
From my own experience, every organization has virtually hundreds of policies with no good way for employees to find them or know what they are. And what’s the result? They don’t get followed. If we are going to make meaningful progress with regard to operating within the framework of our systems, we’ve got to keep it simple and straightforward.
While I have little control or influence on the ‘non-IT’ policies, I’ve taken up the cause to clean up our IT policies as they come up for review. I started with updating our Acceptable Use Policy (AUP) to create the foundation and then began retiring other policies that I felt were covered under the AUP. Changing the mindset takes time and a gentle approach while consistently delivering the message.