Engaging clinical staff in information security can be an uphill challenge. For people doing the tangible, social, and physical work of healthcare, a Security Officer’s cautions regarding the invisible threat of cyber-theft can seem like science fiction paranoia. Further, among the healthcare practitioners who do recognize information security as a relevant concern, a substantial number still see it as an “IT issue.” And finally, as if those barriers weren’t enough, the mere mention of “HIPAA compliance” can cause practitioners to yawn (or groan!). So how do you convince a group of very busy providers and staff members that it is worth their while to take the few extra steps, or to alter some processes slightly, in order to comply with HIPAA policies and procedures? There is no one-size-fits-all solution, but one or more of the following tips may augment your current change efforts.

  1. Create awareness of the threat.

Understandably, you may have begun your awareness and training campaign with what staff members need to do to comply. Until they understand why they need to take the required precautions, however, consistent behavior change is unlikely. They need to know that healthcare organizations are being actively targeted by cybercriminals and that any organization with an internet connection is at risk – no matter how large or how small.

  2. Reframe HIPAA as a clinical safety issue.

Practitioners also need to understand that an information breach could impact their ability to deliver care, not just the administrative functions. Cybersecurity is a clinical issue. An organization paralyzed by ransomware is unable to access medication records, lab results, or radiology records, making it impossible for clinicians to deliver safe care. Even “smart” medical devices, such as glucometers or infusion pumps, can be hijacked to give inaccurate readings or operate at dangerous levels. Explain cybersecurity as the electronic equivalent of infection control precautions, measures staff members take every day to keep their patients safe.

  3. Educate everyone!

The Board, C-suite executives, volunteers – no one is immune! Everyone should understand the threat, their own responsibility for keeping PHI secure, and how to identify suspicious activity in their realm. Once everyone is educated, remind them – again and again. Frequency, redundancy, and variety are key to information retention. Use every channel available to you – staff meetings, newsletters, performance reviews, email, screen saver and/or text messages. Use games and contests to make it fun. Use images and slogans to make it memorable and to emphasize the importance.

  4. Train everyone!

Wait, isn’t that what I just said in the previous paragraph? No – educating everyone is making sure they know what to do and why. Training ensures they know how to do it. Any security precaution that requires a physical action, such as logging out of a workstation, should be physically demonstrated, either in person or by video. To complete training, each learner should then demonstrate the ability to perform the required action correctly. Note: In some of our client organizations, staff members have not understood the difference between logging out of the EHR and logging out of (or locking) the workstation. Logging out of the EHR closes only that application; the operating system session, with its email, file shares and any other open applications, remains available to the next person at the keyboard. An automatic screen lock after a short idle period is a useful backstop, but it does not replace the habit of locking or logging out before walking away.

  5. Track and discuss progress – and any barriers to compliance.

We’ve all experienced “flavor of the day” initiatives, and in the current political climate, some people may think HIPAA was a politically-motivated initiative that might be overturned. The fact is, HIPAA or no HIPAA, your organization’s PHI is a valuable asset central to the delivery of safe care and to the organization’s financial solvency. Signal to your staff that, whatever the political climate, your commitment to information security is here to stay. Choose 3-5 metrics that provide some indication of HIPAA compliance (for example, the share of staff who have completed training, the click rate on phishing simulations, or the number of unattended unlocked workstations found during walk-rounds), then review and discuss them regularly. Again, use every channel available.

But make sure these communications aren’t a one-way street. Often there are valid reasons why staff are having difficulty complying with the requirements, such as equipment location or contradictory role demands. Listen, then do everything you can to make it easy to do the right thing.

Good luck!  If you have additional recommendations, please share them with us via info@thirdrock.com. If we receive several suggestions, we’ll post them in a future blog.

Until then, be safe, not sorry!