One of the faults often cited with HIPAA is that it lacked enforcement. In recent years, some fines have finally been levied, but they have been few and far between. In November, the Office of Civil Rights began a program to audit up to 150 HIPAA-covered entities to “assess privacy and security compliance.” While it would be nice to say that the prospect of audits will push hospital management to improve compliance, history has not borne out that hypothesis. What’s more, HIPAA compliance is clearly not the solution to the continued privacy breach problem.
HIPAA was not intended to be a security program in and of itself; yet, that is how many healthcare facilities have treated it. HIPAA compliance alone is no substitute for a fully developed, organization-specific protection plan that is built on the hospital’s unique threats, goals and culture. Non-compliance is a factor in the healthcare industry’s problem with privacy, but it is not the only one, and compliance alone is not the solution.
As the Ponemon study asserts, the majority of data loss events reported in healthcare occurred as a result of employee ignorance or neglect of proper protective actions. This could be corrected through appropriate, engaging training and an atmosphere that supports improvement rather than discipline alone. “We have a culture of transparency and not blame, so when someone is doing something that’s unhelpful from a security standpoint, we re-educate, we get people to ensure that they understand how to do things differently and understand what problem they may be creating rather than simply sanctioning them,” Michelman says.
Offering and mandating line staff training that is useful and effective is as important in preventing data breaches as it is in preventing workplace violence.
A Shifting Business Model
To compound all the continuing and growing risk issues hospitals face, the healthcare market is changing and hospital facilities are changing with it. “The healthcare delivery system is shifting,” says Gibbs of Guidepost Solutions. “Instead of having a very large urban hospital with 1,000 beds, healthcare providers are building regional clinics and 100-bed hospitals. In doing so, they are bringing healthcare treatment to the patient.”
The move to smaller, less centralized healthcare models has many drivers. It is a business decision to respond to the needs of patients and to make it easier for them to seek care. It is also a cost-based strategy — specialty clinics are far less expensive to construct and maintain than general hospitals, says Gibbs, particularly in places like the West Coast where OSHPD (Office of Statewide Healthcare and Planning Department) building seismic construction codes have a major impact on construction cost. And it’s a way to add capacity to the healthcare system more quickly.
“As a result of all this, we’re seeing nationwide a strong interest in doing master planning, including security,” Gibbs says. “Hospitals need to re-assess how they do business. They need to look at their legacy way of addressing security — technology, physical spaces, etc. — by asking themselves, ‘are my employees safe and secure? Are my guests safe and secure? Are my patients safe and secure?’”
The projected healthcare building boom has another upside as well: It is likely to give more security teams input into building design on the ground floor.
“One of the keys to an effective security program is whether the designers of the facilities understand the concepts of crime prevention through environmental design (CPTED),” Gibbs asserts. “Architects are rarely trained in this topic in school. They often fail to understand that the addition of a wall, door, lock, gate, perimeter property vegetation berm, or an enclosed cage in the shipping/receiving department will have a major impact on the security program. If they attempt to add CPTED concepts later, not only will they impact construction costs, it may be impossible to change the design.” Guidepost Solutions conducts weekly presentations on CPTED for architects to help bridge this knowledge gap.
The State of the Industry Is Promising
The challenges hospitals face are well documented, both inside and outside the industry. For this reason, responsible management can no longer remain unaware of the problems, and, says Warren, many hospital management teams are much more willing and eager to address them. “Security has been a necessary evil for many years. But from an enterprise risk management philosophy, a lot of organizations are coming to appreciate the value-added services of security,” he says.