Is Your Data Safe? Are You Sure?

"No one has to be convinced of the importance of keeping this information private—there has been enough in the news about health records becoming public. But even though people get it that it's important, there aren't enough CEOs and CIOs who are being brought into the decisions about the broad issues that are affecting patient data security," says Andrew Hurd, chairman and CEO of Carefx Corporation.

Actively involving senior leadership outside of IT in the decision-making process, rather than just obtaining a passive vote of support from the C-suite, helped Mountain Family Centers put effective data security practices in place, says Greer, adding that it didn't hurt the process that he and CEO David Adamson share a technology background. "Our CEO has agreed from the start that this needed to be done right. He has a very strong technical background and he wanted to take the right approach so we could become leaders in the state," says Greer.

Beyond the CEO
With data security breaches up 85% between January 2007 and January 2008, according to a 2008 survey of SecureWorks, an Atlanta-based security services provider, the push to keep data safe must start with management creating and implementing effective policies, says Frances Dare, a director in Cisco Internet Business Solutions Group's healthcare consulting practice. "This is a journey, and the industry and hospitals will never reach an end point where they can stop being vigilant because security risks change over time. Educating the staff is part of the challenge, but so is having the right governance policies," Dare says.

Those governance policies have to address where the hospital's technological requirements will be in 10 or 20 years, according to Hurd. "True data security requires a longer strategic view that contemplates where you are going to be, not just in the next quarter but for the next quarter century," he says. "Ask yourself what kind of data security will move the way we move and evolve with the way this organization is going to evolve."

Steve Carter, director of IT and telecommunications at the 189-staffed-bed Monongalia General Hospital in Morgantown, WV, says he believes educating the board of directors is key to getting everyone in the hospital to recognize that data security should be paramount. "How I look at it is, if I'm a patient, I want to make sure my data is protected, and certainly I want to do the same thing for anyone else who comes to this hospital. What we've done here starts beyond the CEO; it starts at the board," he says. Carter says educational sessions that are held intermittently for the board on patient privacy and security help keep the subject from being tucked away as just an IT problem.

Fear: the great motivator
Beyond organizationwide commitment and front-end policies, one way to ultimately make staff understand the gravity of not following security procedures is to educate them about what could happen if they don't, says Ody Granados, director of information systems at the Department of Family & Community Medicine at Medical College of Wisconsin in Milwaukee.

"We make everyone very aware that there are serious legal ramifications to not keeping data secure as part of their orientation," says Granados. Part of that training process is letting staff know that the corporate compliance office performs regular internal audits to ensure the department is following federal regulations and best practices.

"Any serious offense can be grounds for dismissal, and that is a powerful motivator," Granados says.