Healthcare Executive - September/October 2013 - 22

Protecting Patient Medical Data
found that 94 percent had experienced
a data breach in the previous two
years, and that 45 percent had experienced more than five data breaches
during the same period. Lost devices,
human error, third-party problems
and criminal attacks headed the list of
causes. Based on this data, the study
estimates security breaches could be
costing providers $7 billion annually.
No dollar amount can be placed on
the human costs.
It’s an area providers are scrambling to
get their arms around. Joy Pritts, chief
privacy officer of the Office of the
National Coordinator for Health
Information Technology, HHS, says
the healthcare sector’s performance is “a
mixed bag” in this regard. “Some providers are doing an excellent job, and
others are not even very familiar with
the requirements to protect health
information,” she says. “It’s a difficult
sector because there’s such a wide range
of size and complexity of organizations.
Compliance varies greatly.”
Providers at the high end of the spectrum have CEOs and C-suites that
put patient privacy and security front
and center and give IT professionals,
employees and clinicians the support

they need to follow suit, according to
Pritts. “They treat health information
with as much dignity as they treat the
patient,” she says. They uphold privacy
and security as cultural values, not
merely motions that must be gone
through to comply with HIPAA requirements. The message comes from the top.
That message can, at times, include
making an example of violators,
observes Gordon. “You have to put
your money where your mouth is. If
people are not doing what they are
supposed to do, they have to be reprimanded or even fired. Sometimes
that’s what you have to do to create a
culture that says you’re serious.”
Avoiding the tendency to think of privacy and security as information technology add-ons is another must,
according to Pritts. The siloed mentality is bad for patients and bad for business. The organizations faring the best
see IT and privacy and security as virtually one and the same.
That means they also think of IT
investments as privacy and security
investments, Pritts says. The
approach takes foresight. “It’s easy to
see the return on investment when

you’re getting medical alerts that can
save lives,” she says. “It’s not so easy
to identify the benefits of privacy and
security. When they’re working, you
don’t hear about it.”
Too often, these benefits only become
clear when the organization experiences its first data breach. The topperforming providers have the vision
to think preemptively.
That anticipatory mindset incorporates ongoing efforts to make privacy
and security a part of everyday work
life—to foster behaviors and attitudes
that are as fundamental and engrained
as routine handwashing. “It’s not one
person’s or one department’s job, it’s
everyone’s,” says Gordon. “This is part
of who you are if you work in a healthcare setting, and it starts the moment
you come on board.”
Tactics that can be helpful in this
regard, according to Pritts, include
rotating privacy and security audits to
spot problems, including passwords on
sticky notes and computers left unattended while displaying sensitive information; compliance with privacy and
security rules; completion of education
and training as metrics in performance

“ hehealthcareindustrymustaddresssignificantchallengesaroundprivacy
T
andsecurity,encryptionincluded,beforeitcanachievethatwidespreadhealth
informationexchange.”
Lynne Thomas Gordon, FACHE, FAHIMA
AmericanHealthInformationManagementAssociation

Healthcare Executive
SEPT/OCT 2013

Healthcare Executive - September/October 2013

Table of Contents for the Digital Edition of Healthcare Executive - September/October 2013