One of the greatest ripple effects of the COVID-19 pandemic is the “digital transformation” happening across industries and the corresponding privacy risks to personal data. For the healthcare sector, digital transformation encompasses implementing and using digital tools for diagnosis and treatment, patient engagement, and IT operations and security. Although historically the healthcare industry has been slow to adapt to new technologies, the pandemic gave transformation initiatives a massive kickstart, most notably in telehealth. IT teams were compelled to improve areas such as patient-provider communication, data sharing, and remote patient monitoring. All of these developments have helped healthcare organizations catch up on the technology front, but it’s crucial that privacy isn’t left behind.
Even before the pandemic, healthcare professionals identified enhanced security as a top goal for digital transformation. According to a recent survey, 39% of healthcare organizations have advanced privacy programs, compared to 27% of other industries. That said, the remaining majority of healthcare organizations are still without advanced privacy programs, which means that as these systems expand their digital resources, privacy measures are falling behind, ultimately jeopardizing patient privacy. With the objective of enhanced security, where should healthcare organizations start when it comes to pairing privacy with their digital innovation efforts?
Privacy as a Priority
Digital transformation initiatives are an enormous and ongoing process. A successful roadmap requires buy-in from key stakeholders, time, resources, and the right supporting technology. As healthcare organizations improve their digital capabilities, patient privacy and data security should be factored into the foundation of these initiatives, starting with the design of products, tools, and services. By ensuring data privacy and security are part of that design, healthcare organizations tap into benefits which include fewer data breaches, increased patient trust, greater operational efficiency, and higher employee privacy awareness.
For the long term, healthcare organizations should build their privacy programs alongside new digital initiatives so that new technology is incorporated only with equal and attainable privacy measures to match. A successful privacy program allows organizations to be proactive and avoid being caught flat-footed when it comes to responding to risks. For example, by proactively monitoring data access and usage over time, organizations can identify insider threats before they evolve into large-scale data breaches. In doing so, organizations will be better equipped to identify compromised credentials and suspicious, anomalous behavior.
Identifying the Gaps: Privacy at Every Step
Once privacy is at the forefront of operations, healthcare organizations are then faced with identifying where privacy measures are lacking. As with a successful blueprint for operational strategy, privacy strategy should be tied to the patient journey. By taking a step back and evaluating the patient journey holistically, organizations can get ahead of the privacy needs and risks associated with implementing new digital tools. To identify privacy gaps, an organization should have a full understanding of the ways patients reach out for assistance, where healthcare professionals collect and review information, and how care and treatment are delivered, which, as we know, is increasingly through digital channels. Once privacy gaps are identified, security measures can be put in place to protect personal health information from every angle.
Privacy risks present themselves at each step of the increasingly digital patient journey:
Step 1: Providing information
With patients using telehealth and online portals to provide health information, organizations are responsible for ensuring that patients’ data is protected as soon as it is given. Patients should feel like they can share their data without repercussions and be confident that their data won’t make it into the wrong hands. This includes securing information shared not only between patient and provider, but also between individuals within the health system. Lack of privacy contributes to the risk that patients won’t share all of their information, leading healthcare professionals to potentially make mistakes and misdiagnose. In short, quality of care is tied to patient trust.
Step 2: Accessing the data
Organizations are responsible for ensuring healthcare professionals are handling Protected Health Information (PHI) appropriately. Per HIPAA guidelines, that means healthcare organizations are responsible for ensuring that patient information is accessed only for treatment, research, or payment reasons. For organizations to ensure appropriate access to data, electronic health records (EHRs) need to be monitored proactively. As healthcare organizations transition to a more digital environment, this monitoring encompasses a broader range of channels, such as text messages, online chats, or files shared via email. By tracking EHR access and even Microsoft 365 activity, organizations can implement the appropriate privacy and security measures that protect patient data, support better quality of care, and mitigate drug diversion.
Step 3: Delivering care
Digital transformation has positively impacted the delivery of care through increased efficiency with tools such as telehealth, and better safety, such as with technology for drug monitoring. For instance, with drug diversion monitoring tools, healthcare organizations can ensure drugs are only delivered for patient use and that patients receive the intended care. Health organizations such as Mount Sinai Health System have consistently testified to the importance of having drug diversion monitoring programs in place in order to stay ahead of risk behaviors and alerts. “I feel that having a developed drug intelligence tool nowadays is essential to an organization, whether it be big or small, standalone hospital or a big organization, you really just need a lot of help in detecting drug diversion,” said Lucy Cannizzaro, pharmacy director of Mount Sinai Health System, in an interview with EHRIntelligence.
Step 4: Recording the patient journey
To appropriately secure the data within EHRs, healthcare organizations must implement long-term privacy and security measures. To provide the highest level of patient care, organizations must work to avoid data siloing and promote data sharing. However, this presents privacy risks that need to be addressed alongside these digital sharing initiatives. The future of healthcare digital transformation is in creating a unique digital identity for each patient that spans organizations, while maintaining their data privacy.
Ongoing digital transformation and preparing for what’s next
Industry-wide awareness and internal collaboration will ensure that healthcare organizations stay ahead of market trends and are prepared for future digital transformation. Staying ahead of the curve means open communication and recruiting support for privacy throughout the organization. By creating a culture of privacy, organizations will be able to more easily identify the holes in their processes and the associated privacy risks. Educating employees on correct privacy procedures will help them not only avoid risks themselves, but also identify risks among their peers. As healthcare organizations continue to evolve and implement different technology, incorporating privacy measures at every step and enlisting internal support will be the recipe for long-term success.