LAS VEGAS - When it comes to patient privacy, a passive approach to the auditing process is not going to be enough. Covered entities need to take initiative and ensure that they are doing everything in their power to proactively find potential weaknesses and fix them, rather than waiting for an issue to occur.
That is the mindset taken by South Carolina-based Beaufort Memorial Hospital, and VP of Information Systems and CIO Ed Ricks, MHA, explained to HealthITSecurity.com that changing an organization’s culture is also a key step that must be taken.
“We’re about a 200-bed community hospital and big enough to have all the challenges that everybody else has, but small enough that resources are a challenge for us sometimes, as far as staffing and things like that,” Ricks stated.
He added that before implementing tools from Iatric Systems to assist in the auditing process, Beaufort had a more passive approach. For example, investigations would only take place when there was cause. Now, the hospital tries to do random investigations monthly.
“It was hard to do because we were relying on the audit tools built into our EMR, and we had multiple EMRs. It was more complicated than it had to be.”
Beaufort can now make more intelligent searches when it comes to auditing who has accessed patient records, he said. It’s also beneficial in that the hospital can build a specific type of audit, in addition to having canned approaches.
For example, Beaufort created a policy that employees can’t access their own record even if they have that credential in the system.
Moving from a reactive approach to healthcare auditing to a proactive approach was definitely an important step for Beaufort, according to Ricks, as the hospital tries to be ahead of the curve in terms of data security.
“We always wanted to be HIPAA compliant, and just making sure we’re doing all the right things to protect health information,” he said. “It’s just a matter of having a truly active program around that. I think we finally have that figured out.”
Ricks added that the hospital also hired its first security director in the last year and a half, which was also an important step forward.
How patient trust ties into patient privacy
Spending a proper amount of time on employee awareness and training is also critical, Ricks explained.
“People just don’t always understand what you can do, what you should do, what the risks are. This is far more proactive. I feel really good. We’ve got a real program in place to [follow regulations].”
Ricks admitted that the employee training process is not always easy when it comes to learning a new process, but that Beaufort is making progress. It is a culture change, he said, but it’s a shift that is happening for the right reasons.
Rob Rhodes, CPHIMS, CHCIO, CISSP, HCISPP, Iatric Systems VP of Application Software, agreed, adding that there is an expectation from patients today for healthcare providers to protect their privacy.
“And if you do have breaches, it’s extremely important for patients. It really boils down to trust in the age of quality care,” Rhodes explained.
It is more difficult to adhere to quality care if patients are not willing to share all of their information with an organization because they are hesitant over the security of their data.
Protecting that patient trust is one of healthcare’s top concerns, Rhodes maintained.
“We do have to have both the technology tools, as well as the human tools – the culture change – to make those things happen,” he said. “We really can’t afford to continue to have as many breaches as we had.”
If healthcare does not get better at protecting patient privacy, Rhodes admitted that he is very concerned that it is going to become more difficult to create and maintain that patient trust. Individuals might think that they can’t afford to share their information with their healthcare provider, he said.
“They might think that even if I trust [my provider], from a standpoint of them being somebody I like and I feel like has my best interest, I don’t know if I can trust them because everybody’s susceptible.”
Risk management should also be a key focus area for healthcare providers, according to Rhodes, especially with the increase in data and automated systems.
“We’ve got to get better, a lot better at using the technology to really weed out and focus our security folks on asking, ‘Where is our highest risk? Where are the things really standing out as potential violations?’ And then, adjusting your programs based on that risk.”
Learning from past healthcare data breaches
The large-scale healthcare data breaches that took place in 2015 are definitely scary, Ricks explained. Potentially losing that relationship with patients due to data security problems is concerning as well.
“That relationship is big in our community,” he said. “If you lose that confidence and trust I think that it’s really difficult to recover from. So I recognize that those things that you read about, it could happen to us. It could happen to anybody.”
Ricks reiterated the importance of employee training and proper risk management as tools to help create a comprehensive approach to data security. It’s challenging, “but the more proactive you can be, the better for sure.”
Phishing scams and ransomware attacks are also issues that Beaufort is aware of, he said. The hospital has even partnered with a vendor to prepare against potential phishing attacks, by helping employees learn to recognize potential scams.
Overall, Ricks said that it’s not always easy to implement new systems, from a training perspective as well as a cost perspective. However, creating efficiencies will be beneficial to patient privacy.
“If you can work on compliance and create efficiency at the same time, I see it as a win-win.”