IT Trends & Technology Blog | FNTS

Creating a Culture of IT Compliance in Your Hospital System

Written by Don Pecha, CISO | October 16, 2017

Did you know that HIPAA settlement payments reached record levels in 2016, totaling nearly $23 million? Of that group, seven healthcare organizations were on the hook for more than $1.5 million each.

Building a culture of IT compliance within your hospital system can help protect you from significant regulatory risk and substantial financial penalties. It lays the foundation for acceptable behavior, keeping processes running smoothly while allowing staff to focus on their primary goal—providing quality healthcare. Take a look at five strategies you can use to boost IT compliance in your organization.

Implement a Comprehensive BYOD Strategy

While BYOD offers healthcare organizations and employees increased flexibility at work, it complicates the IT compliance picture. That’s because these mobile devices may lack adequate security controls. And even with proper security, some employees do find ways to circumvent or disable the settings. But you can decrease the risk of insecure mobile devices within your organization by implementing three key strategies.

  1. Create and enforce an acceptable use policy for personally owned mobile devices. These guidelines should explain how employees can protect sensitive and confidential information on their portable devices, cover policy enforcement, and discourage jailbreaking.

  2. Secure all mobile devices used for work. Requiring measures like passwords, device-level encryption, anti-virus and anti-malware software, network security solutions, device and endpoint security management, and device anti-theft solutions with remote wipe capabilities helps keep data safe even when devices go missing.

  3. Identify company-related information employees access via mobile devices. Many hospitals lack basic information on the types of work-related applications and databases employees are accessing with their mobile devices.

Handle IT Policy Management

Most healthcare organizations today maintain multiple policies that communicate boundaries and expectations for employees while at work, protect against litigation, and help fulfill the company mission. But it can be a challenge to create consistent policies and keep them up to date.

Manage your policies and procedures efficiently by appointing an administrator who will serve as the policy expert, creating a policy committee to keep initiatives on track, and developing a standard format for the documents.

You’ll also want a policy that lays out the process for writing, reviewing, and approving new and updated policies. Develop a workflow that delegates responsibilities to employees and standardizes policy revision. Give the right level of access to employees, ensuring confidential documents stay secure. Track changes so you know who was responsible for the revision, plus when and why the update was made.

Prepare for Compliance Audits

According to the Brandon Hall Group, just 12 percent of organizations say they are highly prepared for a compliance audit. That’s why you’ll want to conduct regular internal audits to identify problem areas before they come to light in an outside review.

Use these dry runs to get staff comfortable with the information they’ll need to provide to auditors. That might include accessing secure documents and reports, plus knowing where to find policies and procedures. You can also help workers to understand that audits shouldn’t be seen as a necessary evil, but rather a chance to demonstrate adherence to protocols that protect both patients and employees.

Add a Digital Document Management System

Although paper isn’t likely to go away anytime soon in the healthcare world, a digital document management system improves efficiency, decreases human error, and boosts security for confidential documents.

By digitizing important documents and creating a secure storage system, hospital systems can more easily find and access needed documents, while meeting IT compliance standards. Look for the following capabilities when evaluating digital document management:

  • Permission controls that grant access only to authorized users
  • Encryption that keeps sensitive information out of the hands of cybercriminals and other outside third parties

Don’t Neglect Medical Device Security

A report by Gartner predicts that 6 billion connected medical devices, wearables, and mobile devices will require IT support by 2018. It’s a good bet then that your hospital system is seeing an uptick in the number of network-connected medical devices you’re managing.

These “things” improve the quality of care by monitoring critical systems and collecting valuable data from both clinicians and patients. But like anything that’s capable of connecting to your network, these devices can serve as entry points for hackers and malware. Take these steps to combat malicious intruders.

Follow industry best practices and guidance from the Center for Internet Security (CIS) to configure connected medical devices as securely as possible. Because not every device (and manufacturer) allows configuration changes, you’ll need to use network controls to separate and isolate connected devices. Set up firewalls to prevent traffic to and from medical devices and limit access for software updates and patches.

Don’t forget to include connected medical devices in periodic security audits. It’s common for employees to disable security features by creating workarounds and shortcuts. That’s why you’ll need to have a regular process to ensure protections remain in force. And take a look at your purchasing requirements for new devices. As you create a list of required features, give preference to systems that encrypt hard drives and use passwords.

Get Everyone Involved

Creating a culture of IT compliance within your hospital system requires buy-in from everyone in your organization, not just the IT department. Educating employees on the importance of following both the acceptable use policies for personal mobile devices and other company policies drives better adherence. And the more you treat each person as a valuable member of your hospital system, the more likely they are to respond in kind.