Academic medical centers (AMCs) maintain reputations for excellence in research, innovation, and specialized care. But the way AMCs bring practitioners, medical staff, students, and researchers together creates unique challenges for keeping patients’ sensitive data safe. What are some of the most difficult hurdles privacy and security professionals must overcome to protect their patients and staff?
1. Managing EHR access
In brick-and-mortar hospitals, practitioners, staff, contractors, and business associates have the potential to access PHI. AMCs have the added complexity of adding students and researchers to the mix – a unique situation, as neither is strictly an employee. With more eyes on patient data comes a higher potential for violations and a larger pool of people to monitor.
Jackson Health System faced challenges like these – between physicians, staff, and medical students, their user activity generated between 8 and 10 million lines of data in a single day. How did they keep up? By implementing a proactive monitoring solution, they were able to streamline the time spent on investigations so they could focus on putting patient privacy first and build a culture of compliance at their organization.
“Without proactive monitoring, our privacy/compliance team was spending countless hours manually investigating alerts.” – Blaine Kerr, Chief Privacy Officer at Jackson Health System
By monitoring proactively and establishing security controls that limit access to personnel on a “need to know” basis, you can ensure that users access only the records they need for business reasons.
2. Compliance with multiple laws
Compliance is paramount for every medical institution – and at AMCs, this becomes even more complex. In addition to HIPAA, laws like the Family Educational Rights and Privacy Act (FERPA) – which protects the privacy of student records – and the Institutional Review Board (IRB) – which maintains the rights and welfare of research patients – also apply to AMCs.
Failing to comply leaves sensitive information vulnerable to a breach – a costly consequence. According to the HHS’ tiers of culpability in the event of HIPAA violations, breaches that occur as a result of willful neglect can cost up to $1.5 million each. To ensure both compliance and the continued privacy of PHI, developing a proactive privacy program where incidents are detected and remediated early can save your organization from both costly fines and reputational damage.
3. VIP snooping
Because AMCs are renowned for quality in specialized medicine, VIP patients such as celebrities and politicians seek them out for specialty care. The curiosity that generates puts their medical records at heightened risk of snooping. And once a high-profile patient’s records are inappropriately accessed, their privacy has been breached, which can be damaging to a hospital’s reputation while leading to potential termination for involved parties.
For cases like these, prioritizing training and retraining is essential for all users with access to the EHR. When clinicians, staff, students, and researchers are trained on the organization’s privacy program with an outline of remediation for violations, that knowledge can potentially stop them from pursuing unauthorized records.
4. Drug diversion
Because AMCs encompass specialized facilities such as children’s hospitals and cancer centers, they often feature larger pharmacies and more potent prescriptions. This makes them a potential target for drug diversion – when a prescription drug is removed from its intended path from manufacturer to patient.
“When you are working in a healthcare facility every day, you have access to medications. It’s easy to become addicted. It only takes a dose or two.” – Kara Earle, Drug Diversion Specialist, FairWarning
If a prescription goes out to a patient and a member of staff is addicted to drugs, they could divert the medication to feed their addiction. As a result, the hospital must monitor and eradicate drug diversion in order to protect patients, the organization, and even drug diverters themselves, who are often addicts diverting prescriptions for personal use, not for financial gain.
Establishing a drug diversion monitoring program is vital so the medical center can recognize common warning signs and remediate before the drug diverter causes significant harm to themselves, patients, and the facility.
5. Identity theft
AMCs encompass a vast array of different types of medical centers, from those that offer a wide range of care to specialized facilities like children’s hospitals. These experience a heightened risk for identity theft because children’s health records have become a valuable commodity among identity thieves. According to a 2018 child identity fraud study by Javelin Strategy & Research, over 1 million children were victims of identity theft in that year, two-thirds of whom were under the age of eight.
“[T]his is just the tip of the iceberg; odds are there were far more than a million victims last year,” said Al Pascual, Senior Vice President for Research at Javelin. Children are “an extremely vulnerable population with minimal ability to protect itself.”
However, there are ways of keeping your organization and patients safe from identity theft, such as adopting a patient privacy platform that includes artificial intelligence (AI). With its keen ability to sift through massive quantities of information in a fraction of the time it would take a human, AI can detect anomalous behavior that deviates from the normal workflow, which is an indicator of potential security risks. If a user typically accesses seven records per day, then downloads thousands out of the blue in one shift – a red flag for identity theft – AI would quickly detect and send you that information. This grants you the opportunity to take immediate action in order to protect your organization and the sensitive information it safeguards.
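The baseline-deviation check described above can be sketched as follows. This is an added example, not code from the article or from any monitoring product; it uses a per-user median baseline as a simple statistical stand-in for the AI the article mentions, and the log format, user names, record IDs, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

def build_sample_log():
    """Constructed audit events: (user, date, patient_record_id)."""
    events = []
    # nurse_a: about seven distinct records per day, then a 2,000-record day
    for day, count in enumerate([7, 6, 8, 7, 7], start=1):
        events += [("nurse_a", f"2024-03-0{day}", f"MRN{day:02d}{i:04d}")
                   for i in range(count)]
    events += [("nurse_a", "2024-03-06", f"MRN06{i:04d}") for i in range(2000)]
    # researcher_b: steady high volume that is normal for that user
    for day in range(1, 7):
        events += [("researcher_b", f"2024-03-0{day}", f"MRN9{day}{i:04d}")
                   for i in range(150 + day)]
    return events

def daily_distinct_counts(events):
    """Count distinct records per user per day; repeat views count once."""
    seen = defaultdict(set)
    for user, day, record in events:
        seen[(user, day)].add(record)
    per_user = defaultdict(dict)
    for (user, day), records in seen.items():
        per_user[user][day] = len(records)
    return per_user

def flag_anomalies(events, k=5.0, min_history=3, floor=5):
    """Flag days far above the user's own prior baseline (median + k*MAD)."""
    alerts = []
    for user, days in daily_distinct_counts(events).items():
        ordered = sorted(days.items())
        for idx, (day, count) in enumerate(ordered):
            history = [c for _, c in ordered[:idx]]
            if len(history) < min_history:
                continue  # not enough prior days to form a baseline
            base = median(history)
            mad = median([abs(c - base) for c in history])
            # floor and max(mad, 1) stop tiny baselines from over-alerting
            if count > base + k * max(mad, 1.0) + floor:
                alerts.append((user, day, count, base))
    return alerts

if __name__ == "__main__":
    for alert in flag_anomalies(build_sample_log()):
        print("review:", alert)
```

Because each user is compared with their own history, the researcher's roughly 150 records a day raise no alert while the nurse's jump from seven to 2,000 does.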
AMCs are leaders in specialized healthcare and research, but nevertheless face unique challenges – from ensuring secure EHR access for students and researchers to more severe risks like drug diversion and identity theft. To face these hurdles head-on, establishing a strong privacy program that nurtures a culture of privacy can protect patients and the organization’s reputation from serious threats.