By Brian Olearczyk
When the pandemic struck around the world, healthcare systems had to act fast to provide care in new ways, including remotely through telemedicine. This relatively new medium of healthcare came with myriad benefits, but it also introduced a host of potential dangers in terms of patient data bleed and compliance failures. While these digital risks might seem less important in the life-and-death setting of healthcare, that shouldn’t detract from the fact that compliance is meant to support the mission of hospitals as they care for patients.
Compliance enables healthcare providers by reducing risk, but it’s often tacked on to processes and procedures as an afterthought. Unfortunately, leaders often fail to grasp the wide adoption of tech, particularly cloud solutions, along with the sheer quantity of unsecured data residing in them. Additional challenges arise in a hybrid environment, where you might find cloud, client/server, and mainframe application architectures all operated simultaneously and co-dependent on one another.
In closed legacy application architectures, both the front and back end of an application are hosted in the provider’s data center, and corporate desktops are the only way patients or employees can interface with the system. In a hybrid architecture, integration of the cloud on both the front and back ends means that employees, patients, and others can access applications from any device with a browser.
To secure the cloud-powered future, leaders design compliance into their systems, helping them avoid operational and technology risks and improving efficiency. Pulling this off requires a culture that embraces compliance instead of viewing it as a box to check. To instill that culture in your own organization, follow these three steps.
1. Record your security precautions
An accurate record of your security decisions and the thought processes you followed to arrive at them is an invaluable tool for both external auditors and internal efforts to improve security. Knowing what you did, when you did it, and why the team felt it was necessary will help you navigate every future security decision you’re likely to face, whether it’s next week or in the next decade.
2. Prioritize people
Despite what some software vendors might lead you to believe, there’s no blanket tech solution for security and compliance in healthcare. Instead of installing a program and calling it a day, you should prioritize education to help nurture a culture of compliance in your organization. Spend time going over the most common security risks and illustrating how employees can keep their credentials and administrative privileges secure. Only then should you look at solutions that lower the chances that a threat can land.
3. Use audits to uncover vulnerabilities
A compliance audit might not be the most riveting exercise, but it offers valuable information about your organization’s security posture and opportunities for improvement. Conducting regular security audits is an excellent opportunity for teams to step away from normal business operations. While these exercises can feel taxing at the time, they are far better than auditing a breach or data loss after it’s already occurred.
To drive digital transformations, leading healthcare organizations are relying on the latest and greatest cloud systems such as Salesforce. Because Salesforce fields often include PII and, in the case of healthcare providers, electronic protected health information, it’s vital that these systems are pulled into audits that assess HIPAA compliance and/or into third-party certification processes run by organizations such as HITRUST.
The versatility and flexibility of Salesforce have contributed to its widespread adoption. Still, those same features and the platform’s capacity for data mean it poses a huge and growing risk to the companies that fail to properly secure it. In 2019, for example, our security risk assessments of clients found that only 16% of high-risk fields were encrypted. In 2020, that number dropped to just 7%. In the average client organization, a whopping 70% of users had the privileges to export reports and data.
For healthcare organizations, it’s time to stop the data bleed and secure patient information, whether it’s stored in the cloud or on-premises. A culture of compliance will help accomplish that goal and support the creation of the security processes that further the mission of healthcare and, above all, do no harm.
Brian Olearczyk focuses on customer success for clients of RevCult. His perspective is informed by working with the most complex organizations in the world on data governance.