- Almost 20 years after HIPAA was enacted, the healthcare industry is facing unprecedented risks to patient privacy and security, and it’s only going to get worse. To take control, providers need to act now and manage security and compliance risks as they begin to address clinical and financial risks. In short, they need to make data control a fundamental part of their population health strategy as the industry shifts to integrated care.
There are a number of factors behind the increased risk: With the influx of mobile devices, the move to cloud computing, inconsistent encryption policies and over-taxed staff, health data breaches are occurring at an alarming rate. Last year, more than seven million patient health records were breached, and the annual cost of data breaches to the healthcare industry has been estimated at $5.6 billion.
To complicate matters, many hospitals and health systems think they’re in good shape, but in fact aren’t fully prepared to manage the risk. According to the PwC Global State of Information Security Survey 2014, 74 percent of healthcare provider respondents believe their security activities are effective. However, PwC found that provider security strategies “have not kept pace” while information security risks have dramatically evolved. In the same vein, while two critical challenges providers face are access control and identity management, as well as access and information use monitoring, some 80 percent of hospitals with 200 beds or more do not have a full provisioning system that would address these issues.
The Perfect Storm
As if these factors weren’t enough, we’re seeing a perfect storm develop as the industry transitions to integrated, accountable, patient-centric care.
First, we’re seeing exploding volumes of medical information (estimated to be doubling every five years), including substantial growth in patient-generated health data. In addition, to improve care coordination and quality, extended care teams are now looking to share health data across physical boundaries as patients transition from hospital to clinic to home. On top of this, we’re seeing a highly dynamic and growing workforce, fueled by accelerated industry consolidation (M&A), partnerships, alliances among providers and physician groups, etc. As more and more data is shared by a constantly changing workforce across boundaries, the risk of unauthorized access and use of confidential patient data grows exponentially.
And finally, recent legislation has raised the bar for security and privacy while significantly increasing penalties for non-compliance with regulations such as the HIPAA Omnibus Rule. This regulation tiers penalties for disclosure of protected health information, with privacy breaches subject to penalties of up to $1.5 million per violation.
Providers aren’t just facing the need to put in place more stringent security or encryption policies/programs to reduce risk and comply with regulations. With the shift to integrated care, they’re also facing the pressure to deliver immediate access to the right data at the right time to the right people to improve care quality and outcomes. This has resulted in a precarious balancing act, to say the least.
Taking Control of Data
As providers transition to value-based, patient-centric, integrated care models, it’s critical to manage security and privacy risk alongside managing clinical and financial risk. The key is not to wait until a data breach occurs. At that point, it’s too late and providers may face severe consequences to their reputations, not to mention the financial costs and loss of patient trust.
For organizations sharing data across boundaries to enable population health management (e.g., data aggregation, care coordination, care management, and patient engagement), this is also the time to put in place the IT tools to control the data and pursue one holistic population health strategy for integrated care, for better quality, improved outcomes and reduced costs.
The logical place to begin is with identity and access management, which is one of the most critical components of data control but, according to PwC, not even in the top five spending categories for healthcare providers.
Identity and access management capabilities are critical to meeting three challenges of better security and patient care: they enable rapid access to the right patient data at the point of care, improving care quality and patient safety; they improve clinician efficiency – enabling doctors and nurses to spend more time with patients and less with technology; and they provide controls to protect patient data, as well as achieve compliance with security and privacy regulations.
Data Control in New Era of Population Health
In the new era of population health, providers should consider incorporating the following areas of identity and access management to better protect themselves:
Clinical Access Governance provides role-based access control, with reporting and analytics to guard patient information. As clinicians’ roles change, their access to clinical applications and data adapts accordingly, minimizing the risk of over-granting access rights. More important, upon a clinician’s termination from the organization, access can be fully removed, eliminating the potential for risk vulnerabilities like orphaned accounts.
User Provisioning automatically controls access to applications, enabling clinicians to get where the need to go faster. It can also streamline clinicians’ onboarding processes, reducing the potential for errors. Without this capability, it often takes several weeks to provision a new user’s access into multiple clinical applications.
Context Management automatically selects the right patient record in each application, enabling secure and efficient access and helping to ensure patient safety.
Centralized Auditing captures a comprehensive audit trail showing which patient records have been accessed by whom, when and from where.
Password Management enables uniform enforcement of secure password policies to enhance security.
These healthcare trends will become even more profound as providers continue to work in more complex environments with hundreds of applications and growing volume of sensitive data while managing thousands or even tens of thousands of employees, many of whom are working within multiple departments and/or locations. It’s imperative that providers with population health strategies review their security risks now and make data control a fundamental part of their strategy before trouble is realized. The alternatives – suffering damage to reputations, incurring financial losses and losing patients’ trust – may be catastrophic.
Jim Campbell is vice president of Caradigm’s Identity and Access Management business, responsible for driving the development, implementation and support of Caradigm Provisioning, Single Sign-On and Context Management solutions for hospitals and health systems.