The following is a guest post by Danny Lieberman. Danny Lieberman, founder of Pathcare, the private social network for doctors and patients, talks about how to develop clinical care teams that will become world-class at patient data-handling.
Patient data loss is a peculiar problem.
Unlike malware and intrusions, which are caused by “attackers” who are “other people”, data loss happens inside your healthcare provider organization and is perpetrated by your own people, your contractors and your business partners, who have legitimate access to your patients’ data and your systems.
Patient privacy data loss is best mitigated by management leadership, reinforced by real-time data loss monitoring that is part of a continuous process of improving data governance.
Management needs to lead from the front, providing a personal example for how to handle data and behave ethically in the workplace.
Real-time monitoring of data loss events on a healthcare provider network can be performed using DLP (data loss prevention) technologies from companies like Websense, Fidelis Security Systems (recently acquired by General Dynamics) and Verdasys.
While I do not subscribe to vendor rhetoric regarding data loss prevention, experience tells me that data loss detection provides information security and privacy officers with firm examples of what data is actually exiting the network.
The combination of management commitment to ethical behavior with a real-time monitoring facility can create a powerful feedback loop that improves behavior and drives improved data governance.
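To make the feedback loop concrete, here is an added illustration (not code from the post, and not any vendor’s DLP product) of the detection half of it: a small scanner that reads outbound-transfer events, flags the ones whose content carries PHI-like identifiers and whose destination is outside the organization, and rolls the findings up per sender so a privacy officer has the “firm examples” to bring to a team meeting. The log lines, domain names, sender names and identifier formats are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of outbound-transfer events (not real data).
# Format: timestamp | sender | destination domain | channel | content excerpt
EVENTS = [
    "2013-05-02T09:14:05 | r.cohen | gmail.com | webmail | Patient Jane Doe MRN 4471930 DOB 03/12/1961 lab results attached",
    "2013-05-02T09:20:31 | r.cohen | hospital.example | smtp | Ward schedule for Tuesday",
    "2013-05-02T10:02:17 | m.levi | dropbox.com | https | discharge summary SSN 123-45-6789",
    "2013-05-02T11:45:00 | a.katz | partner-lab.example | sftp | Referral for MRN 5550123, results requested",
    "2013-05-02T12:10:44 | m.levi | gmail.com | webmail | Notes: DOB 07/04/1950, MRN 9982110",
]

# Placeholder domains: the provider's own mail domain and a partner with a
# signed business-associate agreement (assumptions for the example).
INTERNAL_DOMAINS = {"hospital.example"}
APPROVED_PARTNERS = {"partner-lab.example"}

# PHI indicators. Real deployments use far richer dictionaries; these three
# illustrate the pattern-matching approach on the constructed sample.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*\d{6,}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB\s*\d{2}/\d{2}/\d{4}\b", re.IGNORECASE),
}


def parse_event(line):
    """Split one pipe-delimited event line into its fields."""
    ts, sender, domain, channel, content = [p.strip() for p in line.split("|", 4)]
    return {"ts": ts, "sender": sender, "domain": domain, "channel": channel, "content": content}


def phi_indicators(text):
    """Names of the PHI patterns found in the text, sorted for stable output."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def classify(event):
    """Return None when the transfer is acceptable, otherwise a finding.

    Internal destinations are never findings. PHI sent to an approved
    partner is queued for review (the channel may still be wrong); PHI sent
    anywhere else is an alert.
    """
    indicators = phi_indicators(event["content"])
    if not indicators or event["domain"] in INTERNAL_DOMAINS:
        return None
    severity = "review" if event["domain"] in APPROVED_PARTNERS else "alert"
    return {
        "ts": event["ts"],
        "sender": event["sender"],
        "domain": event["domain"],
        "channel": event["channel"],
        "indicators": indicators,
        "severity": severity,
    }


def scan(lines):
    """Run every event through classify() and keep only the findings."""
    return [f for f in (classify(parse_event(line)) for line in lines) if f]


def summarize_by_sender(findings):
    """Per-sender counts by severity: the input for the management feedback loop."""
    summary = defaultdict(lambda: defaultdict(int))
    for f in findings:
        summary[f["sender"]][f["severity"]] += 1
    return {sender: dict(counts) for sender, counts in summary.items()}


if __name__ == "__main__":
    found = scan(EVENTS)
    for f in found:
        print(f"{f['severity'].upper():6} {f['ts']} {f['sender']} -> {f['domain']} "
              f"via {f['channel']}: {', '.join(f['indicators'])}")
    print(summarize_by_sender(found))
```

The point of the per-sender summary is not to punish individuals but to give the team leader specific, dated cases to discuss, which is exactly the information the post says detection supplies and the auditor-centric model lacks.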
The practical question is then “How do I go from Point A to Point B”:
How do I take an organization where HIPAA compliance is the auditors’ responsibility and make it the responsibility of care team leaders and members?
Let’s start with management.
In a follow-on article, we’ll discuss how to best deploy DLP technologies and integrate them with security and privacy leadership.
Just because everyone does it doesn’t make it right
Data leakage is as old as mankind. Think about Jericho and Rahav. People have always bartered or “sold” things of value to one another. This doesn’t make it acceptable on your watch.
Getting it right is why they pay you the big bucks
Managing a care team is complex, especially since your care team is not you. They have their own economic background, religious beliefs, and cultural upbringing. Your team will look at you for both formal and informal cues as to your data handling ethics and then they will follow that direction intuitively.
If you close an eye to infringements of data handling procedures (like exchanging plain text files with external users over Gmail because the internal email system won’t let you attach files with PHI), then you are sending a subliminal message to the team that it is acceptable to bend the rules.
Patient data breaches are bad for business
Aside from this being an inappropriate security policy, it is also bad for business. If your team doesn’t care about the little stuff like HIPAA physical and administrative safeguards, then maybe they won’t wash their hands as often as they should. Patients (who are also customers) may feel that an organization where patient data leaks like a sieve is an organization that cares less about healthcare, and take their business elsewhere.
Since your clinical care team looks at your data handling as a role model for their expected behavior, setting an ethical standard for data handling is as much your job as it is the individual responsibility of each nurse, resident or surgeon on your team.
The 2 elements of ethical standards for healthcare privacy are shared by manager and team members:
1) healthcare provider standards for patient privacy (nominally at least HIPAA compliance since a hospital or HMO are covered entities and must comply) and
2) individual responsibility.
6 rules for ethical data handling in a health organization
- Ethical data handling must be verbalized and demonstrated. You must communicate to your healthcare team what you expect and what you consider unacceptable. Set the standard for all to be measured by. Once a quarter, discuss ethics, privacy and data governance at a team meeting.
- Develop a detailed set of data/privacy breach use cases in your practice area, and have your teams sign off on them.
- Management must use a top-down ethical approach and demonstrate the standards they expect their team(s) to follow. This includes not accepting unauthorized gifts from vendors, or allowing nursing and administrative staff to bend the rules of disclosing patient files to non-family members.
- When hiring employees, include a clause on ethics in their job description. (Check with your company lawyer on this.)
- Communicate to your care team on a monthly basis what is expected of them with regard to maintaining security and enforcing privacy.
- Don’t always assume that a team member is unethical just because a patient complains.