When she arrived in 2010, she had her work cut out for her: "We found some of our applications didn't even have audit logs turned on." She set about "sending the message [of security and privacy] and saying it in different ways so that while [staff is] hearing the same thing, you're making it interesting. We did carnivals and had games and gave away prizes. In our newsletter we'll do crossword puzzles and different things just to get people engaged."
In addition, CaroMont has FairWarning software that analyzes its network, examines audit logs, and presents at-a-glance summaries of this information.
"It's also a huge deterrent to employees who in the past were used to looking at their own records or records of their family members, even though we've always had a policy that that was not allowed," Horseman says. "There was never anybody watching, and so nobody was ever getting in trouble. Nobody was ever getting caught. So they just continued to do it.
"Then we put FairWarning on. Within the first month that we had it in, we had hundreds of alerts that were popping up. We sent all that information out to department managers and directors and said, 'Look, these are all the alerts for the people in your department. You need to be reinforcing the policy and doing the education,' and within the first two weeks after we started enforcing it, this inappropriate access just fell off the face of the earth."
Protecting healthcare privacy will never be simple. In a few short years, the threats facing providers have evolved from unencrypted laptops being stolen or lost to more sophisticated ones, sometimes inside jobs. But as the HIPAA omnibus rule and the random audits kick in, regulations and enforcement will be harder for healthcare providers to ignore, as digital privacy and associated safe practices rise to their proper place alongside other healthcare safety practices.
This article appears in the September issue of HealthLeaders magazine.