In my role as leader of West Monroe’s Performance Services practice, I advise clients on how they can improve their infrastructure, application, and security management practices. Increasingly, those conversations focus on improving overall security posture. We believe a strong security program begins with the business strategy – understanding the risks the business faces as it relates to information security – but far too often organizations are focused on tool implementations and “checking the box” for compliance and audit purposes.
The Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes strict expectations on the protection and privacy of Protected Health Information (“PHI”). As a result of this rule and its related penalties, healthcare plans, providers, and their Business Associates have spent significant dollars on improving their information security programs in order to better protect patient information. As electronic health records become the norm, the level of investment required to protect PHI has increased even more.
Due to the HIPAA Privacy Rule, most healthcare-related organizations include privacy and security training for their employees on an annual basis. Unfortunately, like many compliance trainings, employees often treat this training as another unnecessary requirement because of course they would never disclose health information about a patient, and they see the investments being made by their information security teams. What those trainings do not do is help employees understand the “why” of information security – they leave out the business risk and the impact when there are security breaches.
Recently, I took my son to his weekly swimming lesson. The facility we go to has a nice waiting area for the parents with coffee, Wi-Fi, and a view of the pool so we can see the kids swim. Many of the parents, myself included, were working on their laptops and devices during the swimming lesson. I was particularly distracted by the parent in front of me, as she was clearly in the healthcare field finishing her charting for the day by updating an electronic medical record system. With no privacy filter on her Apple MacBook, patient demographic and diagnostic information was in clear view to me. While the dozen or so records I saw her process were not likely to generate a material Health and Human Services fine for her employer, it was a clear violation of the Privacy Rule, as Protected Health Information was being disclosed.
No doubt, this healthcare worker had received HIPAA Privacy Training, and that training included the potential fines that could result from a privacy violation. While those fines are increasingly becoming significant, the fines are not the real business risk for the organization. The business risk is their reputation when their staff are observed not treating patient privacy with the utmost care. I spent the rest of the swimming lesson looking to see if I could find an identifier for her employer on an asset tag on the laptop, a business card, a luggage tag, etc. I wanted to know which of our local healthcare providers made electronic medical records available for their staff to use outside their facility without ensuring the staff understood their obligations to protect that information. Certainly, a laptop privacy filter would have made seeing the records more difficult, and one may have been issued by the IT department, but for me, choosing to update medical records at a public location with people sitting in very close proximity made me question the judgement of the provider and her commitment to protecting the Protected Health Information of her patients. And as a patient, if I question a provider’s judgement, then I might be tempted to move my records and business to another provider.
The bottom line is, the loss of patients is the business risk that needs to be conveyed in training rather than potential fines from the government. The fines will not impact the providers’ employees – the inability to serve the patients they care about is the impact that will change the motivation and create a thoughtful commitment to protecting patient information instead of a reluctant adherence to an information security program.
As you set the strategy for your information security program, make sure you do not lose sight of the why, and convey that why to your teams so they can understand the impact the decisions they make and the actions they take can have on the business and on the customers they serve.