Failure to pay attention to the security of health IT could put practices at risk.
Digital technologies are transforming healthcare by reducing human errors, facilitating the coordination of care, and improving efficiencies within medical practices. Healthcare IT enables providers to more easily manage the practice, big or small, so they can focus on serving their patients. Because of the sensitive personal and health information stored and transmitted via digital health services, there are many regulations designed to protect patients. This makes regulatory compliance a critical element of any healthcare practice.
Healthcare is a massive industry in the U.S, with healthcare spending representing over 19.7% of GDP in 2020, or an estimated $12,530 per person annually. Estimates show that health spending will reach $8.3 trillion by 2040, up from $4 trillion in 2020. And the global digital health market is expected to reach $1.5 trillion by 2030.
Healthcare providers, from physicians’ offices to hospitals, have many choices in how they engage with patients and they focus on providing the best patient experience. Technologies like electronic health records and encrypted communications protocols, including faxing and texting, are designed to make it easier to serve patients. The reality of digital health is that in addition to addressing patient health needs and providing the care they were trained to give, doctors, nurses, and other practice leaders have to make choices about which technologies to choose and how to secure patient healthcare records and personal information.
Add to that decision-making process that many healthcare providers are dealing with legacy systems, like PBX, which can make it difficult to take advantage of all the features and benefits new technologies have to offer. Another issue practice leaders must take into account when using digital health is how to effectively integrate solutions from multiple vendors, with different contract agreements and unrelated lifecycles for each piece of equipment.
One more obstacle adding to the complexity of adopting information technology is human behavior. Making the transition from antiquated systems into the new digital healthcare environment is not as simple as purchasing software. It includes changing how the practice does business and doing so strategically, looking through the lenses of patient experience, security, and regulatory compliance.
Security is the number one challenge with all health IT—digital security to prevent hacking or unintended disclosure of information, and physical security, like locking down the communications room and ensuring that computer screens are only visible to the person at that workstation.
It’s easier sometimes for a doctor or nurse to call or text a patient from a personal cell phone, or ask a patient to text a photo of a wound. But those are both HIPAA violations since they are the transmission of health information over unsecured channels. The practice may require confirming patient information at check-in, but saying an address out loud or asking for insurance details at the front desk where other patients can hear potentially reveals private patient information and are not secure.
Doctors, nurses, and practice leaders focus on the patients, not the technology. Their job is to examine patients, provide diagnoses, carry out procedures, and enable patients to get back to their daily lives. They don’t have time to think about IT security and regulatory compliance of their communications technologies, their health records, or the remote patient monitoring devices they prescribe their patients.
Yet the failure to pay attention to the security of health IT could put practices at risk—of large fines, lawsuits from patients, loss of affiliation with hospitals, or a threat to insurance coverage, in addition to reputational damage if there is a high-profile breach.
When you consider that the U.S. Department of Health and Human Services Office for Civil Rights has tracked more than 500 cybersecurity breaches in healthcare in the last year, compliance is imperative.
Hospitals on the whole are doing a good job of regulatory compliance. Doctors and physician groups that support hospitals tend to have challenges when it comes to compliance issues. The goal of regulations to protect patients is to ensure that practices meet all professional, ethical, and legal standards; and that means that security and compliance are the responsibility of anyone in the practice who interacts with patient data. All while still providing high-quality healthcare to the patients.
There are several laws designed to protect patients and required to be in compliance. The two major regulations that protect patient privacy in the digital realm are the Health Insurance Portability and Accountability Act (HIPAA), protecting health information stored or transferred electronically, and the Health Information Technology for Economic and Clinical Health Act (HITECH), which expands the scope of HIPAA with standards for using IT to implement electronic health records.
There is also a new requirement on the horizon: Doctors affiliated with hospitals will soon have to return patient texts or phone calls within 30 minutes. How can they achieve that, and do it securely, while also attending to patient needs? And how can they monitor compliance with that?
It is possible, even in small practice groups. Whether individual doctors, physician groups, urgent care facilities, or nursing facilities, the first step to success is ensuring the right person in the practice understands the importance of security and regulatory compliance.
For practices that are ready to sell, private equity firms require penetration testing and many of them fail. Don’t wait until you are trying to sell the business, you’re hacked and sensitive patient data is leaked, or you are forced by insurance to adopt more secure practices.
Making the change—to deciding the right technologies based on the requirements of the practice, such as updating legacy systems or better integrating existing health IT—requires strategy and care. The first step is to fully understand the current state of the practice including what is being done currently and how. Then you can address what needs to change and decide how to accomplish that. In some cases, doctors' groups get together and hire an organization to oversee and handle all the IT. Others hire a firm to do a risk assessment and help navigate the world of health IT and determine where to get started.
Whether you are dealing with outdated systems or lack of time to focus on security and regulatory compliance, UPSTACK can help. We work with healthcare clients to ensure compliance is enforced and the practice communicates the importance of cyber and physical security. Contact us today to learn how we can help.
Judi Mitchell serves as a Strategic Account Executive with UPSTACK, the platform that transforms the way businesses design and select digital infrastructure solutions. In her role, Judi implements a range of voice, data, and cloud-based communications services for clients across a variety of sectors. Prior to UPSTACK, Judi served as a Convergence Solutions Manager at Universal Telecommunications . Throughout her over forty years in the industry, Judi has led multiple teams of account executives and engineers, ensuring that her clients’ digital infrastructure initiatives are seamlessly deployed. Judi launched her career in Sales and Sales Engineering with BellSouth in 1991.