By Johanna Legaspi, Hayes Management Consulting
Twitter: @HayesManagement
Security Issues
When you first hear the words “information governance”, you may think, ‘does this deal with the government’? In fact, it is part of something larger than we expected: healthcare information and data security. Lately, healthcare news has reported a significant increase in cyber security threats to the healthcare industry, especially patient data breaches and ransomware. Why is this happening? Security breaches are something we have been dealing with ever since healthcare became digitalized. There has been a significant surge in patient data collected, shared, and analyzed on a daily basis.
Ransomware is a type of malware that prevents or limits users from accessing the system by encrypting files. It then forces the victims to pay a ransom online to regain access. Hospitals are the perfect mark for this kind of extortion because they provide critical care and rely on up-to-date information from patient records.
These types of attacks create fear and anxiety. If we educate our healthcare leaders to today’s best standards, then we can take appropriate action instead of merely reacting. It is the responsibility of the executive in charge of information security at a healthcare organization to help C-suite executives understand and digest technical and threat assessments, which can be quite complex. The appropriate answer is to build an information governance program.
Information Governance
So let us understand what information governance (IG) is. As defined by AHIMA (American Health Information Management), information governance is the set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an enterprise level, supporting a healthcare organization’s immediate and future regulatory, legal, risk, environmental, and operational requirements.
IG is an ongoing learning curve, shaped by current industry standards and regulatory changes that require trustworthy information. An information governance initiative completely transforms the healthcare organization’s thinking about the value of information and how powerful it can be.
The goal of IG is to establish a solid framework for information, which is required to manage the processes for storage, retention, and disposition of medical and business records. Establishing sound policies and procedures is critical for IG program success. They serve to communicate, educate, and facilitate compliance and enforcement.
An IG initiative can begin with a gap assessment: understanding where there are needs and organizational pain points. From this, a solid strategy can be built, along with a development committee to formalize an IG program and to initiate, establish, and execute it. Leading industry associations, including AHIMA and ARMA (Association of Records Management), are putting increased emphasis on governance, and health systems across the country are undertaking IG initiatives with the focus they demand. By leveraging best practices from both inside and outside the healthcare industry, healthcare administrators can streamline their information access and better enable enterprise-wide governance.
Healthcare Cyberattacks
In the past, the most common healthcare security issues were breaches of patient data and personal information; the most prominent examples were CVS and BlueCross Blue Shield. Now there have been ransomware attacks on U.S. hospitals. Ransomware viruses have evolved and can target hospitals and other healthcare facilities. Earlier this year, attackers held Hollywood Presbyterian Medical Center in Los Angeles hostage. Computers were offline for over a week until officials were forced to pay the extortionists. In March 2016, Methodist Hospital in Henderson, Kentucky was struck by a specific ransomware virus called Locky that prevented healthcare providers from accessing patient files. The facility was in a ‘state of emergency’ over the weekend and had its systems back up by the next business day. The administrators refused to pay the ransom and simply restored the hospital’s data from backups.
Conclusion
It seems that ransomware has taken the healthcare field by storm over the past few years. While there can be no guarantee against becoming a victim, it is necessary to implement an IG program that will manage information throughout its lifecycle, from capture and processing through use and storage. As the volume and variety of information in the healthcare industry continue to grow, the need for information governance (IG) becomes paramount. It is necessary to create and implement rigorous data retention policies to ensure that only necessary data is maintained, thus minimizing the amount of data subject to ransom.
This article was originally published on Hayes Management Consulting and is republished here with permission.