|
In today’s celebrity-crazed world, it came as little surprise that when a popular actor and his female companion were hurt in a motorcycle accident, the details of their injuries spread instantaneously throughout the media. It came as more of a surprise, however, when the media later reported that 27 employees at the New Jersey hospital where the two were treated had been suspended for a month without pay after an internal investigation found that they had accessed personal medical records without authorization — even though there was no evidence that they had released any of that information to the media. Their suspension was punishment for having violated the Health Insurance Portability and Accountability Act (HIPAA) — a U.S. law that protects patients’ privacy.
Avery Cloud has spent a lot of time worrying about the damage those kinds of situations can create. As CIO of the New Hanover Health Network (NHHN) in Wilmington, N.C., Cloud and his information systems team are responsible for supporting the information management needs of the network’s three hospitals. They also need to ensure that the organization’s information measures don’t get in the way of any clinical or business requirements — while still complying with all the relevant government and regulatory demands, including HIPAA and the standards set forth by the Joint Commission on Accreditation of Healthcare Organizations (JCAHO). “At any given moment I could get a call from a compliance officer about whether a nurse on 5C accessed information she shouldn’t have,” Cloud explained in an interview just weeks before the celebrity privacy incident. “And if that information happened to be about a well-known patient, we could all find ourselves scrambling. That’s the kind of stuff that was keeping me up at night.”
Lately though, Cloud has been sleeping a lot better — thanks to the knowledge he’s gained from an in-depth assessment designed and conducted by IBM to identify vulnerabilities and gaps in NHHN’s information security practices and recommend corrective actions. The results are helping NHHN implement a series of best practices in information security. The project began after Cloud was called upon by NHHN’s Board of Trustees to become involved in the auditing process for information security. That’s when questions about who might have accessed what information — or when they could have done so — helped him realize the extent to which the organization could be exposed. “Practically all our information is in play,” he explained, “which means I needed to understand the risks associated with everything from patient information to marketing and financial plans. After all, compromising the security of our business could be just as problematic as compromising confidential patient information.”
So Cloud decided to find out exactly where his organization was vulnerable and what could be done to improve the situation. Specifically, he was looking for a best practices guide that would spell out what should be audited and how often those audits should take place. He also wanted to know what could be audited and what couldn’t. “Our legal department told us that the more we could demonstrate that our information was available for auditing, the more we’d be able to use it,” he said, “because security and privacy concerns were actually hindering our ability to make use of the information we had.” It turned out that what Cloud wanted didn’t really exist — yet. “When you go to your typical consulting firm to ask about security issues, you just get the same old answers. It seemed that no one could tell us how to develop a program that would show us where we were most vulnerable and help us make intelligent decisions about where to invest,” he said.
When Cloud told IBM Senior Managing Consultant Chris Davenport that he wanted something that went beyond the “traditional” security assessment, Davenport knew he and his team of IT security specialists had to create something unique and innovative. “Put simply, we wanted to make the client happy,” he recalled. “So we came up with the matrix idea, took the issues that were important to NHHN, lined them up with research and our own experience in the healthcare industry, and pulled it all together with our analysis and a set of recommendations.” In addition, IBM’s approach included the use of data collection tools, individual interviews and physical surveillance.
|
