The world of health information management (HIM) continues to evolve. A growing share of health information has moved to digital and online systems. At the same time, more health data is being shared across a wider playing field of public, private, and consumer stakeholders, including a larger virtual workforce. This vast amount of electronic healthcare data now resting in multiple hands raises the bar for health systems’ cybersecurity diligence.
As many organizations shifted to remote work as a result of the COVID-19 pandemic—one-third of those being security operations centers (SOCs)—threats such as phishing, malware, and ransomware have skyrocketed. A recent survey conducted by Healthcare Innovation, completed by approximately 150 healthcare senior executives, revealed that 52 percent of participants found that their recent experience of cyber threats and attacks has been more challenging than a year ago.
I recently sat down with two privacy and compliance experts to understand their unique challenges with cyber threats and how organizations can work collaboratively with their internal teams to mitigate risks through cybersecurity diligence in the year ahead.
Blass: How does each role—compliance, HIM, privacy, IT/security—contribute individually to protecting a healthcare organization against cyber threats? What part does each play in general? Describe the challenges you experienced that prompted your organization to seek a better solution.
Dolores Baughman, MJ, CHC, CHPC, Privacy Manager, Corporate Compliance and Ethics, Inspira Health: Our privacy program audits and monitors for inappropriate uses and disclosures of protected health information (PHI). If anomalies are detected in user activities, we investigate and mitigate potential incidents that may include privacy violations or fraudulent activity. Inappropriate uses of our systems increase the risk for cyber threats to be carried out. A cyberattack on our IT infrastructure would negatively affect all areas of the health system.
The privacy program also ensures that our business associates’ information security programs have safeguards in place to identify cyber threats and protect against cyberattacks. Our organization has business associate agreements in place and initiates vendor risk assessments prior to doing business with vendors that use, share, store, or disclose PHI on our behalf in order to determine the level of cyber risk.
Joe Piccolo, MBA, CHC, Vice President of Corporate Compliance, Chief Compliance Officer, Inspira Health: The office of compliance is closely aligned with IT/security in regard to cyber threats. This includes protecting patient information and also protecting proprietary business information. We review the results of IT’s phishing campaigns and actively monitor, investigate, and audit any potential threats that could impact patient privacy or business confidentiality.
Blass: How does your individual role work to uphold/enforce the security and compliance strategies owned by other teams? How do you avoid competing initiatives?
Baughman: Teams across the organization involve privacy to ensure compliance with HIPAA regulations and our internal policies and procedures. It is important to identify common ground when there are overlapping strategies with competing initiatives in order to secure a positive outcome and avoid conflict or confusion.
Piccolo: I make sure to communicate regularly with my colleagues in IT/security as well as in our legal and risk management departments. We make a concerted effort to deliver a consistent and clear message to operational leadership to alert us to any potential issues and use that information as a resource for training and investigation of potential concerns.
Blass: What are the pitfalls or risks if the leaders are siloed and do not collaborate?
Baughman: In healthcare, all departments must communicate and collaborate with each other to ensure that we are providing the best patient care and outcomes. Without collaboration among the leaders in those areas, the silos created would prevent the exchange of important information, cause unnecessary duplication of effort, and result in division.
Piccolo: Ongoing communication and collaboration among departments is necessary to avoid the following pitfalls:
- Inability to identify potential or real risks to the organization
- Confusion as to how to report potential issues
- Overlap in investigations or, worse, a lack of investigation when an issue occurs because the assumption is that another department is addressing the concern
- Lack of an effective strategy to address risk
Collaboration fosters greater knowledge and a consistent approach in developing a strategy to mitigate risk. This is lost when departments operate in silos.
Blass: How does C-suite governance and oversight come into play here? How can these leaders best present a united front to ensure foundational success?
Baughman: C-suite governance and oversight is critical to ensuring that our organization is prepared with necessary resources to prevent cyber threats and with the ability to mitigate the impact should an attack occur. By communicating clear and concise messages, our senior leaders provide guidance and oversight to instill confidence in the strength of our organization’s foundation.
Piccolo: The first challenge is to educate leadership, including the board of directors, regarding the risk associated with cyber threats. Goals around education and prevention should be integrated into organizational goals so the message is clear that it is everyone’s responsibility to understand the risk and how to report concerns. From a board perspective, each member should be aware of issues, risks, and the corrective or mitigation plans to reduce risk. This includes the use of outside consultants to validate the work being done internally.
Blass: What are your recommendations on how healthcare providers should enhance collaboration among various teams, especially in light of current events and changes to come regarding HIPAA and information blocking?
Baughman: First, conduct a compliance analysis focused on regulatory changes and proposed changes, and then involve a multidisciplinary team to review internal policies, processes, and data systems. Second, focus on technology and the challenges facing Compliance, Privacy, IT/Security, and HIM. And third, foster a level of trust between these teams so they can work across the silos to reduce identified risks and mitigate potential harm or noncompliance.
Piccolo: Here are three recommendations to promote collaboration and compliance:
- Define roles regarding compliance with the Cures Act to ensure that Compliance/Privacy is part of the planning and implementation process for Information Blocking.
- Offer guidance by Compliance regarding Information Blocking exceptions, specifically related to the preventing harm exception.
- Track exceptions through Compliance and report to the board as part of a regular reporting cycle.
In summary, there is much to be done as healthcare leaders prepare to transfer information safely and efficiently, especially with the recent April 5, 2021, information blocking effective date. As outlined in the conversation above, leaders across various departments, including compliance, privacy, IT/security, and HIM, have a responsibility to work together to reduce risks and mitigate harm before it occurs. C-suite leaders and top-level executives within organizations should be invited to join the conversation as well to avoid duplicate efforts and the creation of silos. Ultimately, everyone is responsible for their part in a collaborative approach to reducing cyber threats.
Gerry Blass is the president and CEO of ComplyAssistant.