Not every patient admitted to your hospital will know that healthcare promises to be the most frequent target of hacking efforts in 2017.
But many will. They may be among the 21 percent of patients who withhold information from their doctor for fear of data breaches.
They might also be familiar with hacking and data breaches more generally, so they will put two and two together and figure out that they have much to lose—both personal and financial information—in a successful hack or ransom scenario.
You have a lot to lose, too, starting with patient dollars and trust, both of which are essential to what you do. Surveys suggest most patients will find a new provider should their information be hacked.
If they do inquire, allay patient fears by pointing to these specific strategies and values your hospital uses to safeguard patient data and prevent malicious access.
Transparency: Some of your older patients are not and will never be comfortable with technology. Many of the younger patients will be very comfortable and knowledgeable about it. For both groups, the strategy is to be transparent, which is actually a much broader subject in healthcare than the scope of this blog post. For our purposes here, explain what patient data is maintained, why it is collected in the first place and what you do with it. If you share de-identified patient data, make sure patients know this. Explain the benefits of data accumulation and evaluation and how it could impact their lives or the lives of someone they love.
Dialogue: To continue the transparency, consider asking patients if they are familiar with the transition to EHRs and how they feel about it. Ask whether they think security is better or worse in an electronic system than on paper. Explain the weaknesses of paper and how they may affect patients. Talk to your patients about the commitment your organization has made to keeping patient data safe. Ultimately, your obvious goal is to inspire confidence in the patient and demonstrate your expertise with the technology.
After demonstrating transparency with the patient and establishing open communication about the importance of protecting patient data, explain the measures your hospital has taken to prevent breaches and ransomware incidents.
Security Technology: It will be wise and necessary to assess your patient’s understanding of healthcare technology before offering an explanation of what you’ve put in place. Making every effort to keep the explanation as simple as necessary, talk about what you’ve done to make sure unauthorized access does not happen. This can be as straightforward as talking about the use of strong passwords to access the system, giving different personnel varying levels of access and hiring a chief security officer (CSO), if you have one.
Training and Policy: Something your patients hopefully do not know is that clinicians and other hospital staff are the greatest security vulnerability. Without focusing on that fact, share with patients the security training your hospital has engaged in and policies that define much of your interaction with the EHR system. When you can speak authoritatively to the issues that crop up in a normal day related to security of patient data, your patients will feel more at ease.
System Backup and Recovery: It might be appropriate and reassuring to tell patients that your hospital has a plan for system downtime, as is the case now with almost all hospitals. Perhaps you can also mention the organizational strategies associated with system backup and recovery, how often backups are created and, at a high level, how you test the backup system to ensure proper performance.
Familiarity and Comfort: Often, as patients become more familiar with the aspects of healthcare IT available to them—the patient portal—they also become more comfortable with the system overall. So, by introducing patients to the portal and getting them registered, you are moving toward two goals: lessening their technology anxiety and giving them a little more responsibility for their own care. Over more than a decade, Kaiser Permanente has tracked, documented and refined their use of a patient portal, which may give your hospital some ideas of what a portal can do and how to engage patients in using it.
So, that’s a lot of information to present to patients when many interactions with physicians only last 10 or 15 minutes. Is it too much for a doctor to present? Yes, it probably is, and it might also be inappropriate for the doctor to be focusing on EHR security instead of addressing clinical concerns. The hospitals that find other ways to communicate with patients about healthcare IT will find themselves ahead of the game and will be initiating a transparent dialogue with patients.
What tactics might further this goal?
- Give them reading material. A really technologically advanced hospital might give patients tablets on which to read materials about IT security, but that’s expensive and creates concerns about theft. Instead, give patients documentation on the hospital’s security policies and procedures during the check-in process. Make the same information available on the patient portal.
- Train the staff. After or in lieu of reading, patients are going to have questions. Make sure the administrative staff are familiar with the healthcare IT policies and can explain them to concerned patients. Still, that’s probably not enough. To assist patients who need it, you will probably also need to designate and provide special training for certain strong communicators among your administrative and clinical staff.
So, in the end, it comes back to sufficient training and subsequent open communication, just as it so often seems to with healthcare IT. Ultimately, hospital staff are both the strongest asset and greatest liability with regard to both security and patient care. Sufficient and periodic training should give your people the knowledge and experience necessary to maintain a secure patient data environment, and it will also enable them to demonstrate why patients should have confidence in your ability to do so.
D'Arcy Gue is Director of Industry Relations for Medsphere Systems Corporation.