"We have been having a campaign to get people to stop thinking of privacy and security as a barrier, and to start thinking of it as something that is beneficial to their business," says Joy Pritts, the ONC's chief privacy officer.
She'd like to see more hospitals include investments in privacy and security at the start of any new IT project, citing several recent studies that suggest early investment in privacy and security safeguards can help organizations avoid larger fines or penalties down the road.
However, she has found that at many hospitals, the need for security infrastructure from the start is too often ignored. "We have talked to a lot of the chief information security officers, and many of them do not feel supported by the people at the top in the expenditures that are required to build in security upfront," she says. "But the fact is that if you don't build it upfront, you'll either have to add it in later, which is more expensive, or you can have a breach, and then not only are you talking about financial costs, but also costs to your reputation and costs to your patients."
Part of this initial investment should be a review of existing IT infrastructure and security processes and the development of a security plan to ensure data is adequately protected before the introduction of a new product or technology, says Ms. Pritts.
For example, a growing number of hospitals have looked to mobile technology to provide workflow solutions for physicians. According to a recent HIMSS survey, 83 percent of hospitals said their physicians use mobile technology in the course of providing patient care. However, just 59 percent of respondents said their organization has a mobile security policy in place.
Incorporating this technology without privacy and security plans in place can lead to significant consequences, says Ms. Pritts. She says a significant number of HIPAA-related fines have been paid to HHS' Office for Civil Rights by hospitals and health systems that have failed to monitor things like mobile access to the hospital's networks. "You need to look at it and how it is going to impact your system," she says.
While many hospitals and health systems have work to do when it comes to data privacy and security, Ms. Pritts knows of several "bright spots" that have incorporated the ONC's recommendations and industry best practice into their policies and procedures. "There are some that can say, 'We care for the patient's information in the same way we care for the patient,'" she says.
A couple of high-performing hospitals have begun mini-security audits within their organization as a way of continuously assessing compliance. "They'll go around to different departments and say, 'Spot audit!'" says Ms. Pritts.
The audits are meant to be a fun, interdepartmental competition, allowing employees to good-naturedly rib each other about leaving network passwords on sticky notes. "It's done as a challenge for everyone to raise their standards rather than be pointing fingers at someone who's doing something bad," she says.
Another innovative approach Ms. Pritts has seen is to have daily huddles, transferring the huddle concept used by care teams on the clinical side to help increase compliance with security policies. The huddles allow information security leaders to address issues that have arisen, or highlight areas where staff should pay special attention to privacy. "The huddles help everyone be aware of what issues they are dealing with, and what they should be doing," she says.
The organizations with the most successful privacy and security practices also often include pragmatism in their policies, says Ms. Pritts. Allowing physicians to use mobile devices at work does expose a hospital to a whole new host of privacy and security issues. However, forbidding them to do so is quickly becoming impractical, as more physicians use these devices in their day-to-day lives, she says. This makes it even more important for a hospital to conduct a thorough assessment of its privacy and security practices in anticipation of new challenges.
As the ONC's campaign to improve hospitals' security practices continues, Ms. Pritts hopes hospitals will focus not solely on looming HIPAA fines but also on the benefits of keeping hospital data safe. "It's good for your business, and it's good for your patients," she says.