Skip to content Skip to navigation

Getting Out of the Compliance Mindset: Doing More with Data Security

November 7, 2013
by Gabriel Perna
| Reprints

At West Virginia University (WVU) Hospitals, the traditional barriers of data protection have always been in place, but for Mark Combs that just wasn’t good enough.

Combs, the organization’s chief information security officer, says the Morgantown-based multi-hospital, nonprofit health system has tried to stay ahead of the game when it comes to use of electronic health records (EHRs) and the subsequent protection of that data. Even before it implemented its current EHR, from the Verona, Wis.-based Epic Systems, it had a physician order entry system from Eclipsys (now part of the Chicago-based Allscripts). Back then, it did manual audits of user activity from various systems to ensure there was no inappropriate access of protected health information (PHI).

Over time, leaders at WVU Hospitals decided they had to strengthen this capability, adding enterprise-wide audit manager software (from the Boxford, Mass.-based Iatric Systems), which allows the organization to monitor access to patient data across multiple applications. Combs says his organization didn’t take this extra step because of a single incident, but just in the realization that it had to do more.

“We wanted to be proactive,” Combs says. “We wanted to make sure we are preventing breaches. The mindset I tried to take is that our patients come to us for care and treatment of some pretty sensitive issues at times. If the patient doesn’t trust us with this information, then they are less likely to tell us if they have some sensitive issue going on with their body.”  

Mark Combs

In an increasingly dangerous environment for data protection, this is the mindset providers should take, say multiple data security experts. The stats back them up. A whopping 94 percent of healthcare organizations have had at least one data breach in the last two years, according to a 2012 independent study by the Ponemon Institute. The same study estimated that overall economic impact of a breach has risen six-fold in the last few years and now costs millions.

Not just that, but as Jared Rhoads, a senior research specialist with the Falls Church, Va.-based CSC’s Global Institute for Emerging Healthcare Practices, and Mac McMillan, co-founder and CEO of CynergisTek, Inc. and current chair of the HIMSS Privacy & Security Policy Task Force, both explain, the threats to data security are evolving. Cybercriminals are becoming more sophisticated. “It’s much easier to be on offense than on defense,” says McMillan. For all these reasons, he and Rhoads implore providers to go above and beyond.

“We’re encouraging organizations to get out of the compliance mindset,” Rhoads says. “For a long time, security and privacy were dealt with as the sort of things you had to comply with. There was HIPAA [the Healthcare Insurance Portability and Accountability Act] and maybe some state level laws. You basically needed to know the law and the requirements, and go through it like a checklist. That’s not sufficient anymore.”

Mac McMillan


At WVU, investing in emerging technologies for data security comes down to that notion of patient safety. With the security audit manager, the organization feeds several different clinical and administrative data applications into it simultaneously.  The data comparison platform allows a team of auditors to see when PHI could possibly being used amiss, possibly with VIP patients or in the case of neighbor snooping.

“The fact that we could correlate logs from different applications, when I was picking out a system, [this capability] was sort of unique. This pulls everything together and gives you that picture of what people are doing with the PHI in your organization. That’s important. One of the things HIPAA requires is that we know where PHI lives and how it’s working within our network,” Combs says.

For the diverse healthcare organizations that have gotten out of the compliance mindset and taken those extra steps, often, there are outlying reasons. At Riverside Medical Center, a 336-bed hospital in Kankakee, Ill., employing biometric dual-factor authentication, single-sign on technology (from the Lexington, Mass.-based Imprivata) made credentialing seamless and easy for its physicians, who were using several different log-ins for different clinical systems.

“Convenience was a big driver,” says Philip Bierdz, infrastructure manager at Riverside. In the past, to log onto an application, the doctor would be pulling out a small sheet of paper with their various passwords on it. Many times, he says, the physician would accidentally leave that paper at one station and have to rush back to get it.  “We had to make it as simple as possible for the physician to use the technology; otherwise, they were going to rebel against the whole order entry process.”

Phil Bierdz

The system Riverside implemented allows physicians to use access an application with a fingerprint and one log-in. The use of their fingerprint allows the system to remember their credentials. If the fingerprint doesn’t read, they have to type in the password themselves. To Bierdz, the use of a secure fingerprint scanner wasn’t about regulatory compliance, but rather protecting patient information and their safety. The added fact that it made the physicians’ lives easier was a win-win.

For More Coverage on This Topic: