Guest post by James Bindseil, president and CEO, Globalscape.
Health IT has reached a pivotal crossroads: on one side, consumers’ expectations for more timely care and instant access to health files and records continue to skyrocket; on the other, security and compliance risks are more complex and threatening than ever before.
This leaves health providers in a precarious position: should they prioritize security and compliance, or productivity and care?
In a perfect world, the answer would be all four. Unfortunately, today’s health IT landscape — which is going through a rapid and significant transformation to keep up with evolving compliance mandates, new demands around access to patient files, changing government policies, sophisticated security threats and new technologies — is far from perfect.
One of the most pressing issues lies within the policies and technologies provided by today’s IT teams. In fact, in many instances, the policies and tools implemented by IT to keep patient data safe and secure often end up having the opposite effect: they make it incredibly difficult for providers to deliver fast and efficient care in a secure, compliant manner.
For example, let’s imagine a day in the life of a hospital care provider, who faces immense pressure to deliver top-notch care to as many people, and in as little time, as possible. On day one, an off-duty doctor is called at home to provide his take on the best care plan for a specific patient. How will he review the pertinent information while working remotely? In another scenario, the doctor is running from patient to patient and is unable to take the necessary time to record his actions. Taking the work home on a USB drive seems like the best option. The next day, the hospital needs to quickly share files with the patient’s previous provider to care for an urgent medical issue.
When the IT environment isn’t user friendly, the overbearing strain on the healthcare provider’s time often forces them to choose the path of least resistance, meaning forgoing established patient security protocols for more convenient, familiar and insecure options, including mobile devices, personal email, USB drives and third-party file sharing tools. This is especially true for today’s on-the-go healthcare worker. Doctors routinely check records, share information with other medical professionals and take calls while outside of their organizations’ protected network.
In most cases, the provider knows that sending and accessing information through these channels falls outside of compliance and could put the patient information at risk. But, when it comes down to providing fast and timely care, or following IT policies, for most providers, the choice is an easy one: Providing timely, high-quality service wins every time.
And while it’s hard to argue with this conclusion, where does that leave security and compliance? The answer is, not in a very good place. To understand the magnitude of the issue, consider that, according to the just-released October 2014 California Data Breach Report, 70 percent of healthcare data breaches in California during 2013 can be attributed to “lost or stolen hardware or portable media containing unencrypted data.”
The onus is on IT teams to ensure that the tools they provide meet the information-sharing and access needs of the practitioners they serve. If doctors and nurses have to jump through hoops to send files securely, IT can’t blame them for taking the path of least resistance.
Another glaring issue – which is often deprioritized because of a “that’s obvious” attitude – is employee education. Sure, IT knows the boundaries of security and compliance, but it’s not safe to assume that most doctors and nurses know the ins and outs of HIPAA, or which of their information-sharing habits IT would consider safe and compliant.
In fact, earlier this year, Globalscape surveyed 500 corporate employees about their file-sharing habits and found that IT departments are struggling to create effective information-sharing policies and educate their employees. According to the survey, only 47 percent of employees think the companies they work for have policies for sending sensitive files. Almost a third said that there were no policies in place, and 22 percent weren’t sure. Policy enforcement was also poor: of the employees at companies that have policies for sending sensitive files, 54 percent still use personal email, and 62 percent still use remote devices.
While those numbers aren’t specific to healthcare, they are incredibly eye-opening. How could a corporate employee not know that sending sensitive information over personal email could be risky? The problem, of course, is that evaluating the issue from this perspective is looking at it only through the eyes of IT. While courses in compliance and patient privacy are required in most medical education programs, technology and regulations are constantly evolving and, as a result, blur the lines established by HIPAA and individual organizations.
Healthcare IT teams must take the time to educate practitioners about the risks of a data breach and how to safely handle sensitive patient data. Or, even better, they can implement security controls that those practitioners are already familiar with. If the security controls worked the way practitioners already do, extra education and training might not even be required. Education, training and tools that are familiar to end users can be the triple threat in combating data breaches and risky sharing behaviors.
While these aren’t new issues for IT, they are still very real and will absolutely continue to plague healthcare providers in 2015. As the year winds down, the time is now to begin assessing how well your IT infrastructure caters to the information-sharing and access needs of today’s healthcare practitioners. Uncovering issues now – and putting plans in place to remedy the situation – could have long-lasting security and compliance ramifications in the years ahead.