“It all comes back to trust.”
In healthcare, nothing is more important. Patients need to trust that providers will deliver the best possible care, and providers need to trust that leadership will do everything possible to safeguard data. Without that foundation, establishing real relationships becomes extremely difficult.
“People value their healthcare providers,” said Jim Brady, PhD, VP of Information Security & Infrastructure and CISO at Fairview Health Services. “They want to trust their physicians and nurses. And so, if we’re not able to demonstrate that we can protect their data, that’s a problem.”
For all leaders, especially in IT, security, and privacy, the ultimate goal is to provide “a high level of confidence that treatment is private and in accordance with rules and policies,” noted his colleague, Krista Fink (Privacy Officer & System Director for Information Privacy and Investigations, Fairview Health), during a recent discussion.
Doing so, however, has become increasingly complicated. The more data that flow into the hospital from different sources, the higher the chance that information is accessed inappropriately. And, given the rate at which cybersecurity breaches have occurred during the past few years, it has become clear that a proactive, consistent approach to identifying possible breaches and acting to stop them, or at least limit the damage, is essential.
“You have to have discussions around enterprise risk,” she noted. “What are the standards? How do we want to make this happen? What are we going to do if it doesn’t happen? It’s one thing to have a high-level standard that says, ‘we will maintain confidentiality,’ but how you do it is another story.”
For Fairview, a critical part of the strategy is using Protenus’ platform to monitor behaviors and identify patterns that might indicate unauthorized access. Doing so manually “is just not possible,” said Brady. “We need the technology.”
“Opportunity to automate”
That, however, is only one piece of the puzzle, according to the panelists. During the discussion, they talked about the importance of ongoing education and training, securing leadership buy-in, and having the right processes in place to prevent and manage incidents. And it’s no longer just about complying with HIPAA on paper: the HHS Office for Civil Rights (OCR), which enforces it, will require a great deal of information in the event of a breach, according to Fink. “They’ll come in and ask to see your annual risk assessment — which should be a continuous risk assessment,” she noted. “They’ll want to know where are the gaps, what’s your plan to address them, and what’s the progress,” and it needs to be documented. From there, they’ll determine whether there was negligence and, if warranted, issue a fine.
More importantly, OCR wants assurances that organizations are engaging in ongoing risk analysis and continuously striving to improve. Protenus’ platform can help ascertain when records are potentially being accessed improperly, while also identifying other systemic issues. “It’s a great opportunity to automate at a higher scale using artificial intelligence,” said Nick Culbertson, the company’s co-founder and CEO.
And although “having the ability to use behavioral analysis and prediction to get in front of things that are too difficult to do manually,” is certainly appealing, it must be approached the right way. “You want to take a step back and be strategic about the overall breadth of risk, rather than just trying to play whack-a-mole,” Culbertson noted.
Rather, it needs to be part of a larger strategy around security and patient safety, according to the panelists, who shared advice based on their own experiences.
- Understand the why. “Healthcare delivery is very complex. Multiple people are providing care, registering patients and doing coding and billing, which means a lot of people have authorization,” said Fink. Her team’s prevention efforts center on educating leadership committees about who can access records, who is accessing records, and why they’re doing it. “We use examples so they can remind their teams what they can or can’t do, so that they understand.”
- Training isn’t static. A critical component, she added, is ensuring that training doesn’t stop after new-hire orientation. “We train throughout the year, through outreach, newsletters and staff huddles.” On top of that, “we learn from each incident. When we find suspicious activity, we work with leaders to incorporate those learnings.”
- Establish clear boundaries. One of the challenges is assigning the appropriate sanctions when records are viewed improperly. At Fairview, the chief medical officer addressed physicians directly to say, ‘These are our standards. We’re not blurring the lines,’ said Fink. “That’s what it took to get a really solid policy around how we’re going to enforce rules around access.”
- The right punishment. Determining those consequences requires collaboration across leadership to agree on appropriate standards. “A lot of organizations have a hard and fast rule that if you look up the records of a family member, be it in a benevolent or malicious way, it results in termination,” said Culbertson. But with nursing shortages already creating staffing challenges, it may not be the best solution, particularly if the access turns out to be benign. A more effective course is to provide education, which can reduce the volume of violations over the long term while preventing both repeat and first-time offenses, he added. “You’re spreading awareness, you’re increasing education, and you’re reminding individuals of their responsibility, without putting more burden on other parts of the organization.”
- Partner up. Although much of the responsibility may fall on privacy or security, safeguarding patient records must be viewed as an organization-wide goal, according to Fink. “We have to partner closely with human resources on the enforcement piece — what the policy says, how we make it actionable from an HR standpoint, and what’s the corrective action.” As CISO, Brady works closely with the compliance, audit, and legal teams, as well as privacy. “We’re all tightly integrated and we talk a lot,” he said.
- Show, don’t tell. Individuals don’t always admit to wrongdoing, noted Culbertson, claiming that inappropriate access occurred when they walked away from a workstation, or that the password was stolen. By leveraging audit logs, “you can show them there was only a half-second between activities,” he said. “By having that ability to sit down with them, have that conversation and show them the information, you can confidently talk about what happened.”
- Leverage AI. Sometimes, however, it can be difficult to differentiate between bad actors who are trying to harvest valuable information, and non-malicious employees who fail to adhere to policies or use proper discretion. This is where AI can play a critical role, said Culbertson. “Hospital workflows are extremely complicated, and so it can be difficult. Artificial intelligence can help to see the big picture and tie information together using subtle patterns.” Even more importantly, AI can pick up on early warning signs that may indicate the need for HIPAA training — or a simple reminder of the obligations that come with accessing PHI.
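The two checks the panelists describe, flagging an access with no documented treatment relationship (the “who is accessing records, and why” question) and then using the audit trail to test the “I walked away from the workstation” explanation by looking at the time between neighbouring clicks, can be run directly over exported audit-log lines. The following Python is an added example, not Fairview’s tooling or Protenus’ detection logic: the log format, the workstation/user/MRN fields, the `ASSIGNMENTS` care-relationship table, the two-minute continuity threshold and all sample data are constructed assumptions for illustration.

```python
"""Care-relationship and session-continuity checks over EHR audit-log lines.

Added example with a hypothetical log format and constructed data; it is not
Fairview's audit tooling and not Protenus' detection logic.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    workstation: str
    user: str
    action: str
    patient: str  # MRN, or "-" for events without a patient (e.g. logout)


# Constructed sample audit trail (hypothetical format):
# <ISO-8601 timestamp> <workstation> <user> <action> <patient MRN or ->
SAMPLE_LOG = """\
2024-03-04T09:30:00.000 ws-05 jdoe   view   MRN-1001
2024-03-04T10:14:58.900 ws-17 jdoe   view   MRN-1001
2024-03-04T10:15:00.200 ws-17 jdoe   view   MRN-2099
2024-03-04T10:15:00.650 ws-17 jdoe   view   MRN-1001
2024-03-04T10:41:00.000 ws-17 jdoe   logout -
2024-03-04T10:55:00.000 ws-22 kperez view   MRN-1001
2024-03-04T11:30:00.000 ws-22 kperez view   MRN-2099
2024-03-04T11:40:00.000 ws-22 kperez view   MRN-1001
"""

# Constructed treatment-relationship table (assumption: in practice this is
# derived from scheduling, ADT or care-team feeds rather than hard-coded).
ASSIGNMENTS: Dict[str, Set[str]] = {
    "jdoe": {"MRN-1001"},
    "kperez": {"MRN-1001"},
}


def parse_log(text: str) -> List[AuditEvent]:
    """Parse the hypothetical whitespace-separated format, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ws, user, action, patient = line.split()
        events.append(AuditEvent(datetime.fromisoformat(ts), ws, user, action, patient))
    return sorted(events, key=lambda e: e.ts)


def out_of_relationship(events: List[AuditEvent],
                        assignments: Dict[str, Set[str]]) -> List[int]:
    """Indices of patient accesses where the user has no documented
    treatment relationship with that patient."""
    return [i for i, e in enumerate(events)
            if e.patient != "-" and e.patient not in assignments.get(e.user, set())]


def session_gaps(events: List[AuditEvent], idx: int
                 ) -> Tuple[Optional[timedelta], Optional[timedelta]]:
    """Time since the previous and until the next event by the same user on
    the same workstation (None when there is no such neighbour)."""
    target = events[idx]

    def same_session(e: AuditEvent) -> bool:
        return e.user == target.user and e.workstation == target.workstation

    before = next((target.ts - e.ts for e in reversed(events[:idx]) if same_session(e)), None)
    after = next((e.ts - target.ts for e in events[idx + 1:] if same_session(e)), None)
    return before, after


def walk_away_contradicted(events: List[AuditEvent], idx: int,
                           threshold: timedelta = timedelta(minutes=2)) -> bool:
    """True when the suspect access sits inside a continuous run of the user's
    own activity: a neighbouring event on the same workstation within
    `threshold` (two minutes here, an assumed value) means whoever was at the
    keyboard for the surrounding clicks was also there for this one, which
    contradicts "I walked away and someone else used my session".
    An isolated access does not prove the claim; it only leaves it open."""
    before, after = session_gaps(events, idx)
    return any(g is not None and g <= threshold for g in (before, after))


def triage(events: List[AuditEvent], assignments: Dict[str, Set[str]],
           threshold: timedelta = timedelta(minutes=2)) -> List[dict]:
    """One finding per out-of-relationship access, carrying the timing
    evidence an investigator would bring to the conversation with the user."""
    findings = []
    for idx in out_of_relationship(events, assignments):
        e = events[idx]
        before, after = session_gaps(events, idx)
        findings.append({
            "user": e.user,
            "patient": e.patient,
            "ts": e.ts.isoformat(),
            "gap_before_s": None if before is None else before.total_seconds(),
            "gap_after_s": None if after is None else after.total_seconds(),
            "walk_away_contradicted": walk_away_contradicted(events, idx, threshold),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE_LOG), ASSIGNMENTS):
        print(finding)
```

In the constructed data, `jdoe` opens MRN-2099 with 1.3 seconds of activity before it and 0.45 seconds after it on the same workstation, so the “walked away” explanation does not hold; `kperez` opens MRN-2099 with 35 minutes of silence before and 10 minutes after, so the timing alone neither confirms nor refutes the explanation and the investigator has to look elsewhere (badge data, the patient’s relationship to the user, the wider pattern of lookups). The threshold is a judgment call and should be tuned to how the EHR sessions time out locally.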
The importance of those conversations, according to Brady, can’t be overstated. “If there’s no accountability and no guardrail, people are more likely to stray,” he noted. “We know that people occasionally get tempted to look at records that aren’t theirs.” By pairing a solution that has the ability to intelligently monitor access to the EHR with continuous education, organizations can help teams do the right thing.
“When there are controls in place, it helps them to be on their best behavior,” Brady said. “And that improves our ability to respect and handle patient information.”
Finally, it’s critical to make sure the right messaging is in place. “At the end of the day, that record belongs to the patient,” he added. “Everybody needs to understand that it’s not about making your job harder by adding a bunch of extra clicks or having to log in. It’s about valuing our communities and our patients.”
An archived recording of this webinar, Keys to Keeping Compliant, Reducing Risk & Protecting Patient Privacy (sponsored by Protenus), is available.