HIMSS14: Implementing top-notch privacy & security

ORLANDO—“If people don’t trust an organization, that organization won’t be able to deliver the care they expect,” said John Houston, vice president of privacy and information security at the University of Pittsburgh Medical Center (UPMC), speaking at the Health Information and Management Systems Society annual conference.

Helping to maintain patient trust is vital, he added.

Houston said UPMC has worked hard to build out an effective program to manage users as well as identify breaches and respond to those.

Surveys have shown that patients weigh an organization’s reputation for privacy and security when choosing their healthcare, said Kurt J. Long, president and CEO of Fair Warning, which partnered with UPMC. Organized crime, too, has “recognized the vulnerability of healthcare providers as well as the rich set of data.”

UPMC includes 60,000 workers across 20 hospitals and 400 clinics, Long said.

Identity management is an important component of the overall program, said Houston. “Most of the market, I suspect, is still trying to do this on paper.” UPMC developed an electronic process to actively manage accounts. He said he thinks it’s highly possible that the Centers for Medicare & Medicaid Services will look for an organization to make an example of and could even require the return of Meaningful Use money. “Meaningful Use money comes from Medicare reimbursement so not meeting the program’s requirements in essence becomes fraud. When you defraud Medicare, you could be debarred and excluded from participating. That’s the kiss of death.”

To put themselves in a “highly defensible position,” Long said organizations should keep a dashboard of open investigations so they can be aware of trends over time. This helps internally as well as for auditors. A centrally managed dashboard is relatively easy to bring right to an auditor, he said.

Approximately five in 1,000 admissions results in an electronic privacy breach, he said, ranging “from curiosity to malicious actions. It happens everywhere.”

UPMC looked at different models for patient privacy monitoring, said Houston. A central program with one person reviewing alerts is a flawed approach, he realized, because one person would get overwhelmed and simply stop looking at the alerts.

They decided on a delegated approach that pushes alerts down to the local level. Alerts and notifications are distributed to each facility and each manager is required to review alerts and physically talk to the user in question and determine whether there was inappropriate access.

“When we started doing this, we had a lot of alerts. They dropped dramatically because people realized we were watching and taking steps. They knew there were ramifications to looking at records,” Houston said. A weekly report won’t cut it, he said. Rather, an email should be sent right away. Initially, “we found a lot of alerts weren’t responded to” so they upped the requirements of managers.

Typically, there is a 40 to 50 percent reduction on inappropriate access when the program is put in place, said Long. “Unless there are sanctions and reinforcement, it creeps right back up to the previous level.” The rate can be reduced 80 to 90 percent if the organization continues to enforce, sanction and train users. “Perform departmental level training for those struggling,” Long advised.