The attention of health care compliance and privacy professionals once centered on misdirected faxes or the documents of one patient mistakenly commingled with those of another. Now, on any given day, we deal with phishing attempts, ransomware attacks, lost electronic storage, and hacking incidents; the list of intrusions into our medical records in particular, and our overall privacy in general, goes on. Given the technical sophistication involved in this state of affairs, many compliance professionals may be unprepared or under-resourced to address these events. More likely, technology and compliance function in different silos and, while it may be cliché, we must learn to break down those silos. But how? Given this writer's role as a compliance officer, emphasis will be placed on how those in similar roles can initiate some of that destruction.
ADD IT SECURITY TO THE COMPLIANCE COMMITTEE
Regardless of when the Committee meets, IT Security should have a place at the table. This provides another important forum for an audience to hear of potential threats as well as the actions and strategies as to how they might be mitigated. It is not uncommon for many already at the table to be unaware of who IT Security is, what they do, and their importance to the organization.
BRING IT SECURITY INTO THE DEVELOPMENT OF THE ANNUAL WORK PLAN
If two heads are better than one, that other head should have the knowledge that yours does not. Different perspectives are invaluable, especially when it comes to technology. (Be aware, too, that you may be teaching IT about your areas of expertise.) This is also an opportune time to cooperate on enterprise risk management (ERM) if your organization has implemented it.
TRAIN, TRAIN, TRAIN
Incorporate some of the basics of security into new employee orientation, the facility newsletter, and your online training. Relate those security measures to how they can protect the employee at home as well as at their place of work. Detail how passphrases rather than passwords offer better security not just for work but for their banking, credit cards and Amazon Prime accounts. Describe what phishing looks like and show how to hover over a sender's address in an email to reveal the actual address behind the displayed name. Reinforce that when in doubt, don’t act: no clicks, no downloads. The stronger the connection between being secure at the home computer and being secure at the work system, the better for all. But most importantly, keep it simple. Non-IT folks don’t want to sit through tech talk. Concepts, risks and the mitigation of those risks must be stated in plain, lay language.
MANAGE BY WALKING AROUND
Training is never one-and-done, nor is it only an annual event. This writer frequently rounds in areas of the hospital. One purpose is to become a recognizable presence. Another is to be available to answer any impromptu questions. Yet another is to see that documents with PHI are secure, appropriately covered and appropriately discarded, and that computer screens are off when unattended. This offers another chance to reinforce – in a friendly, approachable manner – privacy and security practices. Morning ‘huddles’ on the various units are also good opportunities to have brief, informal discussions with small groups. They are also an excellent chance to have your IT colleague join you.
Finally, for any partnership to be successful, you need to have a better understanding of the IT world. And this does not mean returning to school to obtain an advanced degree in information technology.
Subscribe to some of the technically oriented news feeds as well as some of the online newsletters (such as this one or Becker’s Health IT). Visit nist.gov (the National Institute of Standards and Technology), which carries interesting articles on cybersecurity. Apply for membership in InfraGard (infragard.org), a partnership between the FBI and the private sector through which you can be informed of security risks (cyber and non-cyber) throughout the country and the world. Webinars and seminars are also offered.
Some years ago the Governor of New Jersey had a line to promote tourism in his state: ‘New Jersey and You: Perfect Together’. With some effort, silos can be brought down, walls can be destroyed and barriers overcome. Compliance and IT Security can, in fact, be perfect together.