Those in charge of information technology within healthcare organizations can’t fall into the trap of concentrating on one area of need when it comes to security, which can prove to be difficult when specific incidents pop up. Instead, they must adopt a global philosophy where they’re concerned about any type of communication that involves patient data.
Scott Raymond, Executive Director of Information Services at Orange Coast Memorial, a 220-bed community hospital, told HealthITSecurity.com that his organization has a number of security initiatives that revolve around that type of comprehensive mindset. Many of these initiatives are standard, such as email tracking, PC encryption and USB port locking. But Raymond said that Orange Coast is beginning to work toward the future as well and has begun to virtualize all clinical work stations.
The thing that keeps me up at night at my campus is the potential of unsecure data getting out of here. We’re doing a big VDI pilot and implementation across the enterprise and we’re going to start with those clinical work stations. Instead of spending the money and effort to secure the data that’s on the end node, we’re just going to have end nodes that have no hard drive.
Raymond and Orange Coast also need to see to it that internal communication remains secure and efficient as part of the organization’s all-inclusive security outlook. As healthcare organizations’ data becomes more integrated through technology, securing all forms of communication is imperative. Orange Coast uses the communication functions within Epic EHR, called the In Basket, to automate results review and communication between physicians.
Raymond said that the organization had looked at secure texting and secure paging for a long time, but the saturation of the secure communications market (he said there were more than 300 such companies at HIMSS14 this year) makes it difficult to find the best product.
I think the differentiator is that organizations want a communications platform. If the physician isn’t part of the organization, it’s very hard to tell them to put a texting application on their phone and that we’re going to put them in a directory that would allow anyone to call or text them. They would never do that because they want to protect their workflow and like to put up barriers of communication to help do that.
Those needs factored into Orange Coast’s decision to implement PerfectServe, which it uses as a physician communication platform and which allows physicians to receive messages on any type of device. For example, a nurse wanting to reach a physician would call the PerfectServe extension, without needing to know the doctor’s number. Essentially, Raymond explained, physicians can protect their privacy while allowing the hospital to get in touch with them quickly if needed.
On PerfectServe’s end, Terry Edwards, president and CEO of PerfectServe, explained that the company keeps up with federal privacy and security requirements to secure its clients’ environments as well as its own.
The HIPAA Omnibus Rule gave teeth to the regulations and caused us to go back and redraft new business associate agreements (BAAs) for each of our accounts. This includes 85 hospital accounts as well as our other accounts. We actually had to hire a compliance officer and look at our own controls as well as our own SOC 1 and SOC 2 audits to ensure that we’re operating properly.