Special report Healthcare

Transcription

1 Special report Healthcare Customer-Centric Healthcare: Best Practices for CIOs and CISOs Changing healthcare regulations, and the increasing number of security breaches, have healthcare technology leaders in a quandary as to how to proceed with providing readily accessible, yet secure patient information.

2 The model for delivering healthcare is changing. Factors, such as growing patient demands and new regulations for how patient care is delivered, have brought a new era to the industry, one in which healthcare providers must strive to deliver a more customercentric approach. The onus of meeting these new requirements falls heavily on the healthcare facility s chief information officer (CIO) or chief information security officer (CISO). These leaders must play a key role in delivering a customer-centric healthcare experience, as it is their duty to ensure that patient data is both accessible to the patients and physicians who need it, while ensuring it is well protected from those who don t. Unfortunately, many healthcare organizations take a minimalist approach to information security given the high number of competing projects requiring capital expenditures that is until there is a security breach. With the U.S. government pushing new regulations regarding how patient data is stored, protected and made accessible to both patients and physicians and with which organizations must comply by 2016 it is imperative that healthcare CIOs and CISOs understand that advanced security solutions are not an option, but an integral component of every implementation. The result is that healthcare security leaders face a dilemma. They are required to provide open access to far more constituents than ever before, and on more diverse technology platforms, while having to maintain stricter security standards than most other industries. And they must make this transition in an acutely short timeframe. For an industry that has long been charged with keeping patient information locked away, rather than accessible, today s healthcare CIOs and CISOs must learn the best practices for handling customer data and they can learn a great deal by looking toward other customer-focused industries. The right approach should be one similar to the banking industry. Banking customers can get their balance, make transactions, schedule deposits and more all through their mobile phones, giving them easier access than ever. At the same time, the banking industry has numerous safeguards in place to protect customers, such as calling them if a card is used outside the normal zip code or in case of any other atypical transaction. Healthcare organizations must be able to provide a similar consumer experience, giving patients the freedom to access their own personal data, while simultaneously ensuring this information is protected against falling into the wrong hands. Today s dilemma the scope and cost of necessary change The drive to make healthcare data more open started as recently as 2010, with new guidelines surrounding healthcare patient security outlined by the Health Insurance Portability and Accountability Act (HIPAA). Established in 1996, this act provides federal protections of individually identifiable health information held by covered entities, giving patients a wide array of rights with respect to that information. 1 The amendments introduced in 2010 developed additional guidelines, such as meaningful use rules set up at the federal level, incentivize compliance and give payments to providers Healthcare visit us online at

3 for implementing such safeguards. 2 In addition, the act establishes rules introducing significant fines and successive penalties for every breach of healthcare data. As a result, the majority of CIOs were pushed to have all of their data in house, without wireless networks, due to the perceived greater risk of security breaches. This approach was also supported by most software vendors providing electronic medical record (EMR) solutions in this space. However, with the new regulations requiring healthcare facilities to give patients easy access to their information by 2016, CIOs and CISOs are tasked with making enormous changes essentially overnight. Changing patient demands and expectations means healthcare organizations must further evolve at an ever increasing pace. As the new regulations require all patient data to be online, thus enabling patients to gain easy access, healthcare organizations that fail to do so will be penalized in terms of their reimbursement rates. These penalties can amount to an annual 1-2 percent of their Medicare reimbursement, further driving the need for security officers to update their processes and ensure they have the right technology in place. With a complete 180-degree change in how data is treated, CIOs and CISOs must implement the strategies similar to those used by banks, such as PIN numbers, password protection, secure portals and more. However, the infrastructure at many healthcare organizations is not entirely able to support this today, often requiring that CIOs and CISOs make significant changes to be able to comply with the new regulations. Security breaches can cost between $625,000 to $2-3 million, including factors such as remediation, fines, penalties, new solutions to address the problem, outreach efforts to notify constituents and more. While the impact of any security breach can be expensive, it s not just about the monetary cost; damage to an organization s reputation can be far worse and longer lasting. They can also end the career of the CIO or CISO. Such positions have an extraordinarily high dropout rate, as such individuals would rather pursue other career opportunities than go through the situation of an unexpected breach. In addition to the risks and repercussions, healthcare organizations that do not provide a sufficient level of accessibility will fail to meet the needs of today s patients and, therefore, struggle to remain profitable. As patients have more control and choice over the care they receive, many will simply not return to an organization that doesn t give them a high level of service. This isn t limited just to the care they receive, but also other factors like their ability to access their own data. As features like self-service and access to information 24/7 continue to become the norm in many industries, healthcare organizations must be able to keep up and deliver more customer-centric healthcare. Healthcare technology leaders must build, communicate and gain support for integrated information technology systems that address myriad stakeholder, regulatory and privacy concerns. This is neither an easy or linear activity the concerns are rapidly evolving, as is the technology to address them; the investment costs associated with change can be considerable. Most importantly, the CIO needs to build executive and board level understanding of technology investments needed to accomplish the organization s objectives. The business case for change must clearly explain the technology capabilities required and clearly articulate the costs and benefits of various options to achieve objectives, while providing optionality. The reality is that in today s healthcare environment, any IT plan must provide flexibility to adjust for emerging events in digital technology and data security. This means the CIO must not only present the rational and analytical basis for the path forward, but also establish a process for frequent and transparent communications with fellow executives and the board. All parties must be fully prepared to embark on and participate in the journey, as well as in fine-tuning or adjusting the road map when warranted. 1 U.S. Department of Health & Human Services, Understanding Health Information Privacy. ( 2 U.S. Department of Health & Human Services, Key Features of the Affordable Care Act by Year. (

4 5 5 Must-do s for healthcare CIOs and CISOs Look at other industries: There are numerous parallels between the security concerns and consumer expectations within the banking and healthcare industries. As financial institutions have already figured out how to deliver a more customer-friendly approach, while still protecting data, the industry provides a good example of how healthcare security leaders can implement effective change. Perform due diligence: Ensuring data is well protected may be expensive, but so are the costs (financial and reputational) of a security breach. Consider a range of software solutions that best meet organizational needs, while integrating seamlessly with systems to ensure an optimal user experience for hospital staff and patients alike. Understand the importance of getting it right: Failure to comply with the new standards can be equal to 1-2 percent on Medicare reimbursements, while the costs associated with a security breach can be astronomical. In either situation, the costs to the organization s reputation can be far worse than monetary loss. Leverage the right technology: From working with the right data centers, to adopting the most stringent security protocols and secure portals, CIOs and CISOs must take the lead in identifying the technology that can deliver on patient expectations, while protecting the organization s interests. Protecting against security risks Given how disruptive a security breach can be, CIOs and CISOs should take the lead in adopting the practices and technologies that can protect their organizations against such occurrences, while delivering the ease of access to data patients increasingly expect. Fortunately there are several best practices that can be used to address this two-pronged challenge to guide their organizations to success. At the foundational level are the practices, procedures and technologies that protect the physical environment of the healthcare organization and the technical infrastructure. The first line of defense should be data centers offering the proper physical security and clearly defined procedures by which technical personnel should abide. Just as important is having standard security protocols to protect both live and archived data using encryption and password or PIN protection, as well as new smart card technology, to ensure only those authorized to do so can access it. The final piece is to leverage secure, web-based portals that utilize the latest in personal recognition and verification technology. Each of these layers are typically provided by different vendors; as such, the CIO or CISO must assemble a best-of-breed approach to deliver a seamless solution to prevent potential breaches. But, there is another concern to take into account the cost of providing the sufficient level of security. The price tag for delivering a secure yet consumer-friendly solution adds significant cost to the typical expenditure of an electronic health record solution, sometimes adding another 40 percent to that overall number. In addition, many states now offer information exchanges for health systems to safely communicate information and provide a small grant to offset the cost. However, this offset unfortunately represents a small percentage of the cost outlay to participate in these networks. In any case, this is where the industry is going providing an affordable approach to ensure secure access to patient data. Build a better business case: Get the right people fully on-board for the journey. Secure board approval of a case for change that clearly defines the costs and benefits of recommended strategic and mandatory technology capabilities, while providing flexibility to respond to emerging events. Healthcare visit us online at

5 Ensuring a compliant, secure approach As the healthcare environment and its associated processes and regulations continue to evolve, CIOs and CISOs must evolve as well in order to keep up with changing requirements and patient expectations. With patients now demanding an easy, consumer-like experience for accessing their data and managing their health, it is imperative that healthcare security leaders rise to the occasion to make this happen. But the challenge isn t just in facilitating easier access they must do so in a way that minimizes the risk of security breaches. Given the disastrous impact a security breach can have, in terms of cost and reputational damage, CIOs and CISOs must act now to ensure they can meet the requirements to move all patient data online. Doing so requires that they understand the risks they currently face and adopt the solutions that can mitigate those dangers and ensure a compliant strategy. Still, there is another piece of the puzzle essential for success; that is to maintain continuous testing and monitoring. As in any defensive situation, the need to be ever diligent becomes more than a nice-to-have and instead a need-to-have mindset. Proper change control and regular testing of the security measures put in place will enable the CIO or CISO to identify the risks and exposures that must be addressed. These can be prioritized with others at the executive and board levels, designed into an approach that supports forward momentum with reasonable risk mitigation. To be effective in today s rapidly changing healthcare landscape, the role of the CIO or CISO must move more toward the strategic aspects of facilitating the objectives of the organization and to the needs of their patients. This must be done in an environment that is simultaneously productive and protected. In order to get to this state, CIOs and CISOs must take the lead in identifying, implementing and maintaining the technology, tools and techniques to meet the challenges of today and deliver the consumer-centric, and secure, experience their patients demand. Leveraging outside help to achieve compliance The sheer depth of change healthcare organizations are expected to make in such a short period of time can be overwhelming for even the most experienced CIO or CISO. This is especially true given the magnitude of the new regulations. After striving to keep medical records privately tucked away for so long, they must make this information available to the relevant parties, while avoiding any possibility of a breach. To ensure a smooth transition and avoid the disastrous effects of non-compliance healthcare organizations may seek to work with a partner that can provide the executive-level talent to help guide them through this period of significant and unprecedented change. The right partner will offer access to resources who understand the healthcare industry, and these new technology requirements, and know the best path forward. Such individuals can provide the expertise to help manage the technology transition required of healthcare organizations today, with an eye toward compliance and bottom-line improvements. As a result, healthcare organizations can be confident that they re not only meeting the technology requirements required of them, but also delivering an enhanced experience for their patients. About Tatum, a Randstad company Tatum is a leading professional and interim services firm offering hands-on strategic, financial and technology solutions that measurably improve business performance. Tatum s executive leaders and consultants help companies navigate critical points in the business lifecycle and execute their strategic initiatives. Our deep management and operational expertise, keen strategic consultancy and a focus on follow-through enable our teams to deliver solutions that drive sustainable impact. With a national footprint of offices in key markets, our firm is ready to mobilize locally anywhere in the country. Tatum is an operating company of Randstad US. To learn more about Tatum, visit