If you’re a healthcare IT professional, you’re likely losing sleep when it comes to ensuring regulatory compliance. Having the right processes and tools in place to manage the transfer of information in and out of your organization, both via people and systems, is at the heart of this issue.
To understand the latest issues and trends affecting healthcare IT professionals, we sat down with Tim Dotson, a healthcare IT consultant from Durham, NC, who is well versed in the issues facing healthcare IT groups. Tim’s wide-ranging healthcare job experiences include terms as an IT director for large health systems, an informatics pharmacist, and a healthcare IT newsletter editor. He shared his insights and advice around data security and file transfers.
Zak: What are some of the overall issues you are seeing affecting healthcare IT teams?
Tim: Healthcare IT is in the midst of change, some related to government and regulatory requirements, and some just due to the constantly changing nature of healthcare. For example, both healthcare providers and vendors are struggling to get ready for upcoming changes to the ICD-10 Procedure Coding System. At the same time, they’re dealing with ongoing requirements associated with Meaningful Use programs. These programs incent doctors to use technology to assist patients, and to make that happen, changes are needed to IT systems within healthcare organizations as well as how they’re used within organizations. These initiatives are associated with immovable deadlines. And on top of these, those in healthcare IT need to address their hospitals’ own strategic agendas.
To further complicate matters, many healthcare organizations are undergoing consolidation, whether because of mergers or because they are trying to minimize the number of IT systems and vendors they deal with.
Zak: Yet at the same time, HIPAA standards are only getting stricter, and they are not optional.
Tim: Exactly. Hospitals continue to struggle with meeting HIPAA requirements, such as the new HIPAA Omnibus Rule, which among other things makes business associates of covered entities responsible for complying with some aspects of HIPAA, and increases the associated penalties for security breaches.
“Managed File Transfer takes compliance risk off the table, and just as importantly, saves valuable resources from having to manually manage the healthcare file transfer processes.”
Compliance is complicated in an era where everybody is used to storing data on personal devices and cloud-based services such as Google, posting personal and work-related information on Facebook, and sharing information with other organizations. Penalties for being involved in a patient information breach have increased, even if the exposure was unintentional and with no evidence that anyone used the patient information.
Hospitals have to evaluate their exposure, train thousands of employees regularly, and understand how the practices of their business partners could put them at risk. New government concerns have been raised about saving and monitoring computer audit logs, not just for possible privacy violations, but to detect behavior that might indicate healthcare fraud. Breaches, investigations, and audits are almost inevitable, so hospital executives have to prepare their large, complex organizations to avoid exposure and to respond if one occurs. It’s yet another problem that often lands in the lap of the hospital CIO.
Any ways healthcare professionals can find to deliver compliance with less effort will have a significant payoff to the IT teams. And that’s where Managed File Transfer can come into play – it’s taking compliance risk off the table, and just as importantly, saving valuable resources from having to manually manage the healthcare file transfer process or spending countless hours troubleshooting file-transfer-related issues.
Zak: Can you share more about what specific pressures healthcare organizations are facing when it comes to HIPAA compliance? Clearly there are some external technology trends outside of the hospitals’ control making compliance more and more of a challenge.
Tim: Many hospitals are dealing with the proliferation of devices and people demanding the ability to use them. The question isn’t whether or not devices like tablets will be used, but how hospitals will support the Bring Your Own Device (BYOD) movement.
Hospitals can’t afford to give everyone a device. But hospitals like to standardize their technology. And they certainly need to make sure data is kept private and secure. Plus healthcare IT groups need to support remote physician offices as more mergers and acquisitions occur.
There’s also a movement toward Big Data. Now hospitals can tie patient encounter data in with information about patients’ activities and characteristics outside of their environment, such as prescriptions taken, exercise and eating habits, etc. By mining this data, they can identify opportunities for improvement and develop new risk models. As healthcare organizations look to analyze all this information, files must be exchanged on a more regular basis, not just at the end of each day.
Of course, this means data security is more of an issue than ever before. Some healthcare organizations are still using unsecured email to send files. And the penalty for data breaches can be huge. Plus, the organization can lose credibility.
Zak: So with that said, how challenging is it to monitor and respond to changing data protection requirements without compromising patient confidentiality?
Tim: This is always a challenge. Security crosses several domains – infrastructure, people, and processes. Hospitals do their best to be mindful of security. But they often don’t realize how vulnerable they are until something unfortunate happens. There are so many opportunities for data to fall into the wrong hands. Every data exchange presents a risk and because there are more demands to move information around, the risk just keeps increasing. And sometimes the data protection requirements are too complicated to keep track of, especially for smaller hospitals. While these organizations have good intentions, they are often at risk because they’re not sure what to prioritize.
Zak: What are considerations or issues around balancing security and efficient file transfer?
Tim: Most times, the challenge is around the reach of communications. Many hospitals employ a large number of staff and it’s tough to get the message out about secure file transfer when you need to communicate with everyone from brain surgeons to housekeeping employees.
Many organizations are turning to automation to get around this problem. For example, they’ll set a rule to secure data in an email if it seems the information could be of a confidential nature.
Like so many things in healthcare IT, there’s not usually an obvious upside to taking these measures. It’s more about avoiding the downside, such as a penalty or negative publicity. But with increased HIPAA requirements and penalties, healthcare IT groups are paying attention to secure file transfer. It’s moved from “nice-to-have” to “must-have”.
Zak: Tim, thank you. This has been extremely insightful. One thing that’s clear from your comments is that healthcare IT professionals have a lot on their plates. For those that haven’t yet explored Managed File Transfer, it’s a way to reduce the time spent achieving HIPAA compliance, while gaining more control and visibility into the file transfer process across systems, processes and people.
To learn more about Managed File Transfer in Healthcare, visit the Healthcare section of our web site discussing Managed File Transfer Solutions for HIPAA Compliance or view one of our case studies for healthcare customers such as Rochester Hospital, VIVA Health or NHS Wales.