Customer-Centric Healthcare: Best Practices for CIOs and CISOs

Special report | Healthcare

Changing healthcare regulations, and the increasing number of security breaches, have healthcare technology leaders in a quandary as to how to proceed with providing readily accessible, yet secure patient information.
Unfortunately, many healthcare organizations take a minimalist approach to information security given the high number of competing projects requiring capital expenditures – that is, until there is a security breach. With the U.S. government pushing new regulations regarding how patient data is stored, protected and made accessible to both patients and physicians – and with which organizations must comply by 2016 – it is imperative that healthcare CIOs and CISOs understand that advanced security solutions are not an option, but an integral component of every implementation.

The result is that healthcare security leaders face a dilemma. They are required to provide open access to far more constituents than ever before, and on more diverse technology platforms, while having to maintain stricter security standards than most other industries. And they must make this transition in an acutely short timeframe. For an industry that has long been charged with keeping patient information locked away, rather than accessible, today’s healthcare CIOs and CISOs must learn the best practices for handling customer data – and they can learn a great deal by looking toward other customer-focused industries.

The right approach should be one similar to the banking industry’s. Banking customers can get their balance, make transactions, schedule deposits and more, all through their mobile phones, giving them easier access than ever. At the same time, the banking industry has numerous safeguards in place to protect customers, such as calling them if a card is used outside the normal zip code or in case of any other atypical transaction. Healthcare organizations must be able to provide a similar consumer experience, giving patients the freedom to access their own personal data, while simultaneously ensuring this information is protected against falling into the wrong hands.
The model for delivering healthcare is changing. Factors such as growing patient demands and new regulations for how patient care is delivered have brought a new era to the industry, one in which healthcare providers must strive to deliver a more customer-centric approach. The onus of meeting these new requirements falls heavily on the healthcare facility’s chief information officer (CIO) or chief information security officer (CISO). These leaders must play a key role in delivering a customer-centric healthcare experience, as it is their duty to ensure that patient data is both accessible to the patients and physicians who need it and well protected from those who don’t.

Today’s dilemma – the scope and cost of necessary change

The drive to make healthcare data more open started as recently as 2010, with new guidelines surrounding healthcare patient security outlined by the Health Insurance Portability and Accountability Act (HIPAA). Established in 1996, this act provides federal protections of individually identifiable health information held by covered entities, giving patients a wide array of rights with respect to that information.[1] The amendments introduced in 2010 developed additional guidelines, such as meaningful use rules set up at the federal level, that incentivize compliance and give payments to providers for implementing such safeguards.[2] In addition, the act establishes rules introducing significant fines and successive penalties for every breach of healthcare data. As a result, the majority of CIOs were pushed to keep all of their data in house, without wireless networks, due to the perceived greater risk of security breaches. This approach was also supported by most software vendors providing electronic medical record (EMR) solutions in this space.

Healthcare | visit us online at www.tatum-us.com
However, with the new regulations requiring healthcare facilities to give patients easy access to their information by 2016, CIOs and CISOs are tasked with making enormous changes essentially overnight. Changing patient demands and expectations mean healthcare organizations must further evolve at an ever-increasing pace. As the new regulations require all patient data to be online, thus enabling patients to gain easy access, healthcare organizations that fail to do so will be penalized in terms of their reimbursement rates. These penalties can amount to 1-2 percent of their Medicare reimbursement annually, further driving the need for security officers to update their processes and ensure they have the right technology in place.

With a complete 180-degree change in how data is treated, CIOs and CISOs must implement strategies similar to those used by banks, such as PINs, password protection, secure portals and more. However, the infrastructure at many healthcare organizations is not entirely able to support this today, often requiring that CIOs and CISOs make significant changes in order to comply with the new regulations.
Security breaches can cost from $625,000 to $2-3 million, including factors such as remediation, fines, penalties, new solutions to address the problem, outreach efforts to notify constituents and more. While the impact of any security breach can be expensive, it’s not just about the monetary cost; damage to an organization’s reputation can be far worse and longer lasting. A breach can also end the career of the CIO or CISO. Such positions have an extraordinarily high dropout rate, as such individuals would rather pursue other career opportunities than go through the situation of an unexpected breach.

In addition to the risks and repercussions, healthcare organizations that do not provide a sufficient level of accessibility will fail to meet the needs of today’s patients and, therefore, struggle to remain profitable. As patients have more control and choice over the care they receive, many will simply not return to an organization that doesn’t give them a high level of service. This isn’t limited just to the care they receive, but extends to other factors like their ability to access their own data. As features like self-service and 24/7 access to information continue to become the norm in many industries, healthcare organizations must be able to keep up and deliver more customer-centric healthcare.
Healthcare technology leaders must build, communicate and gain support for integrated information technology systems that address myriad stakeholder, regulatory and privacy concerns. This is neither an easy nor a linear activity – the concerns are rapidly evolving, as is the technology to address them, and the investment costs associated with change can be considerable. Most importantly, the CIO needs to build executive and board-level understanding of the technology investments needed to accomplish the organization’s objectives.

The business case for change must clearly explain the technology capabilities required and clearly articulate the costs and benefits of various options to achieve objectives, while providing optionality. The reality is that in today’s healthcare environment, any IT plan must provide flexibility to adjust for emerging events in digital technology and data security. This means the CIO must not only present the rational and analytical basis for the path forward, but also establish a process for frequent and transparent communication with fellow executives and the board. All parties must be fully prepared to embark on and participate in the journey, as well as in fine-tuning or adjusting the road map when warranted.
[1] U.S. Department of Health & Human Services, “Understanding Health Information Privacy.” http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
[2] U.S. Department of Health & Human Services, “Key Features of the Affordable Care Act by Year.” http://www.hhs.gov/healthcare/facts/timeline/timeline-text.html#2010
5 Must-do’s for healthcare CIOs and CISOs

1. Look at other industries: There are numerous parallels between the security concerns and consumer expectations within the banking and healthcare industries. As financial institutions have already figured out how to deliver a more customer-friendly approach while still protecting data, that industry provides a good example of how healthcare security leaders can implement effective change.

2. Perform due diligence: Ensuring data is well protected may be expensive, but so are the costs (financial and reputational) of a security breach. Consider a range of software solutions that best meet organizational needs, while integrating seamlessly with existing systems to ensure an optimal user experience for hospital staff and patients alike.

3. Understand the importance of getting it right: Failure to comply with the new standards can cost 1-2 percent of Medicare reimbursements, while the costs associated with a security breach can be astronomical. In either situation, the cost to the organization’s reputation can be far worse than the monetary loss.

4. Leverage the right technology: From working with the right data centers to adopting the most stringent security protocols and secure portals, CIOs and CISOs must take the lead in identifying the technology that can deliver on patient expectations while protecting the organization’s interests.

5. Build a better business case: Get the right people fully on board for the journey. Secure board approval of a case for change that clearly defines the costs and benefits of recommended strategic and mandatory technology capabilities, while providing flexibility to respond to emerging events.
Protecting against security risks

Given how disruptive a security breach can be, CIOs and CISOs should take the lead in adopting the practices and technologies that can protect their organizations against such occurrences, while delivering the ease of access to data that patients increasingly expect. Fortunately, there are several best practices that can be used to address this two-pronged challenge and guide their organizations to success.

At the foundational level are the practices, procedures and technologies that protect the physical environment of the healthcare organization and its technical infrastructure. The first line of defense should be data centers offering the proper physical security and clearly defined procedures by which technical personnel must abide. Just as important is having standard security protocols to protect both live and archived data using encryption and password or PIN protection, as well as new smart card technology, to ensure only those authorized to do so can access it. The final piece is to leverage secure, web-based portals that utilize the latest in personal recognition and verification technology.

Each of these layers is typically provided by a different vendor; as such, the CIO or CISO must assemble a best-of-breed approach to deliver a seamless solution that prevents potential breaches. But there is another concern to take into account – the cost of providing a sufficient level of security. The price tag for delivering a secure yet consumer-friendly solution adds significant cost to the typical expenditure on an electronic health record solution, sometimes adding another 40 percent to that overall number. In addition, many states now offer information exchanges for health systems to communicate information safely, and provide a small grant to offset the cost. However, this offset unfortunately represents a small percentage of the cost outlay to participate in these networks. In any case, this is where the industry is going – providing an affordable approach to ensure secure access to patient data.
Ensuring a compliant, secure approach

As the healthcare environment and its associated processes and regulations continue to evolve, CIOs and CISOs must evolve as well in order to keep up with changing requirements and patient expectations. With patients now demanding an easy, consumer-like experience for accessing their data and managing their health, it is imperative that healthcare security leaders rise to the occasion to make this happen. But the challenge isn’t just in facilitating easier access – they must do so in a way that minimizes the risk of security breaches.

Given the disastrous impact a security breach can have, in terms of cost and reputational damage, CIOs and CISOs must act now to ensure they can meet the requirements to move all patient data online. Doing so requires that they understand the risks they currently face and adopt the solutions that can mitigate those dangers and ensure a compliant strategy.

Still, there is another piece of the puzzle essential for success: maintaining continuous testing and monitoring. As in any defensive situation, the need to remain ever vigilant becomes a need-to-have rather than a nice-to-have mindset. Proper change control and regular testing of the security measures put in place will enable the CIO or CISO to identify the risks and exposures that must be addressed. These can be prioritized with others at the executive and board levels and designed into an approach that supports forward momentum with reasonable risk mitigation.

To be effective in today’s rapidly changing healthcare landscape, the role of the CIO or CISO must move more toward the strategic aspects of facilitating the objectives of the organization and of meeting the needs of its patients. This must be done in an environment that is simultaneously productive and protected. In order to get to this state, CIOs and CISOs must take the lead in identifying, implementing and maintaining the technology, tools and techniques to meet the challenges of today and deliver the consumer-centric, and secure, experience their patients demand.
Leveraging outside help to achieve compliance

The sheer depth of change healthcare organizations are expected to make in such a short period of time can be overwhelming for even the most experienced CIO or CISO. This is especially true given the magnitude of the new regulations. After striving to keep medical records privately tucked away for so long, they must make this information available to the relevant parties, while avoiding any possibility of a breach.

To ensure a smooth transition – and avoid the disastrous effects of non-compliance – healthcare organizations may seek to work with a partner that can provide the executive-level talent to help guide them through this period of significant and unprecedented change. The right partner will offer access to resources who understand the healthcare industry and these new technology requirements, and who know the best path forward. Such individuals can provide the expertise to help manage the technology transition required of healthcare organizations today, with an eye toward compliance and bottom-line improvements. As a result, healthcare organizations can be confident that they’re not only meeting the technology requirements placed on them, but also delivering an enhanced experience for their patients.

About Tatum, a Randstad company

Tatum is a leading professional and interim services firm offering hands-on strategic, financial and technology solutions that measurably improve business performance. Tatum’s executive leaders and consultants help companies navigate critical points in the business lifecycle and execute their strategic initiatives. Our deep management and operational expertise, keen strategic consultancy and a focus on follow-through enable our teams to deliver solutions that drive sustainable impact. With a national footprint of offices in key markets, our firm is ready to mobilize locally anywhere in the country. Tatum is an operating company of Randstad US.

To learn more about Tatum, visit www.tatum-us.com.