Monday, October 31, 2016

Week 4

By Rachel Liao:

Change management.  Such an important concept.  I first heard this term in Kurt O'Brien's class last year during our study of organizational effectiveness and high-reliability organizations.  A friend who is Director of Transformation of Care (Performance Improvement) for UWMC also stressed to me that change management skills are critical to success as a leader interested in implementing changes.

In our case study this week, our Moyen Sante CEO Emma had overpromised on implementing a fully functional EHR within 18 months when the original timeline had been 3 years.  The CMIO Sarah was put in a difficult place, as she had comprehensively planned out the way she would approach managing the change with clinicians.  At this point, she had a few options to pursue as her next step.  Our team (as well as most other teams) came to the conclusion that she could: 1. say yes and concede to the new timeline, 2. say no and stand firm on 3 years, or 3. compromise and perhaps implement the portions of the EHR that were most acceptable in the eyes of their clinicians by the 18-month mark, then slowly implement the rest by the 3-year mark.

I think the biggest pitfall to avoid in change management would be failure to include clinicians and other front line staff in the planning and decision-making steps.  The individuals performing the work and involved with the processes and workflow must be invited to provide input on potential changes that will affect their roles and work.  Failure to maintain transparency during the process of planning for and implementing changes is another huge pitfall that senior leadership must avoid.  Implementers of change must be transparent about their plans, their timeline, and how the change will impact workers, and must be able to relate why the change being made is important.  In healthcare, the importance of a change is often tied back to the goals of providing better care to patients and families, improving population health outcomes, containing costs and/or increasing provider engagement.

I will remember these concepts and apply them when I eventually work in this space.  Relationship building is incredibly important and part of being a good leader is being an advocate for your people.

Chapter 4 - If you don’t like change you’re going to like irrelevance even less



What is change management? What are the guiding principles?

Change management is defined as “the discipline that guides how we prepare, equip, and support individuals to successfully adopt change in order to drive organizational success and outcomes.” In order to keep up with competition, organizations continuously assess, reassess, and adjust their organizational strategies and operations. These constant changes, however, can put stress on employees if not implemented tactfully.
According to a number of organizational design and transformation specialists (here), there are 10 guiding principles of change management:
  1. Address the “human side” systematically
    1. Involves identifying and engaging stakeholders throughout the entire organization and involving them early on in the transformation process
  2. Start at the top
    1. The CEO and leadership team will need to set an example and practice the same principles they are encouraging all employees to adopt
  3. Involve every layer
    1. “Change efforts must include plans for identifying leaders throughout the company and pushing responsibility for design and implementation down, so that change “cascades” through the organization”
  4. Make the formal case
    1. This is a three step process that involves (1) articulating the need for change, (2) demonstrating faith in the organization, and (3) guiding employees in the right direction
  5. Create ownership
    1. Best done by involving people early on in both identifying problems and crafting potential solutions
  6. Communicate the message
    1. Regularly communicate with employees, reinforcing core messages and expressing confidence in their abilities
  7. Assess the cultural landscape
    1. “Thorough cultural diagnostics can assess organizational readiness to change, bring major problems to the surface, identify conflicts, and define factors that can recognize and influence sources of leadership and resistance”
    2. This will also help identify core values and beliefs among employees that will help determine the best approach to organizational change
  8. Address culture explicitly
    1. Leaders should know the culture necessary to support and sustain the transformation and then devise a plan as to how to promote that particular culture
  9. Prepare for the unexpected
    1. Continually reassess the organization and the impact of the transformation
  10. Speak to the individual
    1. “People will react to what they see and hear around them, and need to be involved in the change process”

But how does change management relate to health informatics? With advanced technology taking over the healthcare industry, hospitals, health plans, physician groups, and other healthcare facilities have had to either quickly adapt or risk being left behind. One of the biggest changes facing the healthcare industry has been the implementation of electronic health records, which will make up the remainder of this post.

What are some ways in which people are resistant to an EMR system? How can this resistance be mitigated?


The majority of people fear change, and the greater that change is, the more they will try to resist it.  This is a natural human instinct, yet it is often forgotten by those making leadership decisions.  In the case of an EMR implementation there are many reasons for people to fear change.  Such a dramatic shift affects every aspect of operations throughout the hospital.  Everyone will have some aspect of their workflow changed because of the new EMR, and for some people it alters nearly every single task they perform throughout the day.  Knowing what types of concerns are likely to arise and how to mitigate those concerns is key to a successful implementation.

One major concern on the part of clinical staff is that they do not know how to use technology.  Nurses or physicians who have been practicing medicine for decades may not be as technologically savvy as younger generations and may therefore be concerned that they are not capable of learning the new system.  In order to show that these concerns are unfounded, it is necessary for a member of the medical executive team who shares these demographic traits to sample and endorse the new EMR.  If clinical staff see that the CMO has been willing to give the system a try and supports it, they will be more willing to do the same.  Additionally, offering extra training opportunities such as free typing lessons to help gain familiarity with computers can make the transition easier.  This has dual benefits: it not only eases concerns over the implementation but also shortens the time it takes staff to adjust to the new system.

Another possible reason for staff displeasure is that they do not believe the benefits are worth the incredible disruption to the normal routine.  A new EMR complete with a CPOE system will add significant time to the process of charting as well as placing orders, and it will take a minimum of months before gains in efficiency compared to the baseline become visible.  At this stage it is important to stress the benefits that will accrue to patients once the EMR is implemented.  The convenience of having records available online, as well as the increases in quality through automated checks for prescriptions or orders, need to be emphasized.  On top of the benefits to the patient there are also benefits for physicians despite several inconveniences.  The ability to access imaging or lab results from anywhere is a key feature and will cancel out some amount of the hesitation on the part of physicians.

What are the specific roles your people play in a transition to EHR?

Transitioning to an EHR requires significant manpower and commitment to help make the change successful.  Senior executive leadership should be sure to involve all stakeholders early in the process to foster a sense of ownership over their responsibilities and ensure a successful EHR implementation.  Additionally, defining clear roles and expectations is critical to the success of a transition to an EHR.  Putting the organization’s human resources at the center of the change and including them in every step of the process will bring the organization closer to achieving the defined goals of the project.

Drivers of the EHR implementation project will usually include highly visible clinical leadership, IT staff leaders, and administrative managers, who may together form a steering committee with responsibility to lead and oversee the planning and implementation work.  Implementers of transitions to EHR will make the actual changes occur within the IS network and infrastructure, create and lead the staff training, provide post-implementation support and ensure that the project is on time and within budget.  Many healthcare organizations will appoint project managers to ensure the project is on track and goals are met.  Vendors are often included in this phase of EHR implementation.  This team of individuals further ensures the project succeeds through creation of “super-users” who lend a hand with change management and can communicate issues and challenges between the different parties involved in and impacted by the new changes.  Champions of EHR implementation are influential and well-liked members of the team who are able to actively convey the benefits of the new changes to other staff members who will be impacted by the transition.  Champions are often clinical leaders who are relatable and understand both the clinical workflow processes and the relationships between members of the care team.  Champions can also be supervising office managers; in either case, other staff members will look to these individuals for guidance.

The workflow of both clinicians and non-clinical office staff will undoubtedly change.  Post-implementation, clinicians and office staff play a critical role in evaluating the EHR software’s usability and paying attention to opportunities for improvement as the front-line users of the new technology.  The transition from paper to electronic data records will need to be carefully managed by administrative managers to ensure that all necessary patient and clinic information is being properly documented, stored, used, and accessed.  IT staff will need to be continually involved with system upgrades and maintenance even after the EHR is implemented.

How important is change management to implementing an EHR?

The healthcare industry is changing rapidly. There is a transition in incentives from volume to value, the entry of non-traditional healthcare providers into the market, the introduction and utilization of telemedicine, and the shift of patients toward a consumer-focused mindset. All of these changes add stress to an already stressful industry for frontline providers. All of this culminates in the truth that EHR systems are essential for healthcare organizations to remain competitive in their markets, yet it is arguably even more essential for healthcare organizations to be adept at change management in order to implement those EHR systems.

A leader in change management, and someone who has developed tools and models for organizations to utilize when conducting change management, is John Kotter. Kotter believes that there is an emotional component as well as a situational piece to every change, and that both have to be managed effectively for the change to be successful. The model below illustrates Kotter’s three-phase approach to managing both components of change that are inherent in every change management project.

[Figure: Kotter’s three-phase model of change management (image not included in this page)]
This model emphasizes the entire change management process, starting with laying the foundation for the change within the culture of the organization all the way through the importance of sustaining the change once it has been implemented. Following this model, and tweaking it to fit specific organizational needs, should provide the guidance necessary for successful change management relating to the implementation of an EHR system.

What are some change management must haves?

Staying with the insights shared from the model presented in the last section, here we will identify some of the must-haves for a successful transition from paper charting to an EHR.  The first of these is creating a climate for change.

  1. Creating a Climate for Change

The first step in creating a climate for change is to clearly define the future state or vision for the project.  It is in this phase that stakeholders’ opinions are solicited and heeded. Through the conversations and meetings you will be able to achieve buy-in and acknowledgement of the change that is to come. In this step it is also critical to identify a champion for the change through the meetings and discussions. The identified champion should be a staff member who will be directly impacted by the change, has the respect of peers, and is supportive of the change. Additionally, it is critical in the creation of a climate for change to establish the project plan. This will be the road map for the EHR implementation and will allow the expectations of everyone involved in the project to be aligned.

  2. Engaging and Enabling the Organization

Once the climate for change has been established, the next must-have for successful change management regarding the implementation of an EHR system is to make sure that staff are engaged in all aspects of the system selection and workflow/process redesign. This relates back to the importance of getting their buy-in and acceptance of the project. Additionally, it is critical in this phase of change management to conduct the training for users of the EHR system. Before the system goes live, users should be comfortable with it and able to navigate throughout the system. There will be strong resistance to the EHR if it slows down the workflow for clinicians after its launch; the training component will help to alleviate that. Lastly, this is the step where it is important to evaluate the usability of the new system. After training has been completed the project manager should have a good idea of what use of the system will look like. This is the final opportunity to cut losses and find a different system if the one selected will not improve patient care and is not a good fit for the organization.

  3. Implementing and Sustaining the Changes

The last set of must-haves for the change management surrounding the implementation of an EHR system pertains to implementing and sustaining the changes themselves. The first key component is putting to use, through system updates, the feedback that engaged staff have provided throughout the entire process. This shows staff that their opinions are heard and will continue to garner their support of the new system. It is also a key must-have for change management and sustaining the changes to reward the staff who have worked hard throughout the process to get the EHR system in place. Do not allow their hard work to go unnoticed; thank them to gather their continued support.

All of the information listed above in the three groupings of must-haves for change management is depicted visually in the table below:

[Table: the three groupings of change management must-haves (image not included in this page)]


Who should be in charge of the change management process? Who does the change management need to be tailored toward?

There are many moving parts in healthcare, and determining who is accountable for what is challenging in a highly matrixed industry.  For HIT, the change management process must involve all parts of a health system, because everyone is a user and customer of the HIT system.

Many organizations assemble a change review board or change advisory committee.  This committee is made up of HIT personnel from various teams of the HIT department and also includes key users, typically identified as “super users”, from different business and clinical areas.  Technical expertise is less of a predictor of success; those who participate in the committee are likely chosen for the respect and influence they have among their community.  A typical makeup of this committee includes:
  • Network engineer or network architect
  • Server engineer or architect
  • Key application analyst
  • Support center manager
  • Nurse manager
  • Business office manager
  • Physician
  • Vendor representative
  • Third-party consultant
  • Other experts (as needed)

Change management does not necessarily tailor itself toward one group or one entity.  It is organized through a formal process that allows managers to authorize change requests and allows the advisory committee to review proposed changes to issues.  Its purpose is to ensure that changes coming from the business or clinical units are factual and that the changes the advisory committee makes will amend and alleviate the root causes of problems that arise.  All change management processes are documented and are prioritized by urgency in order to quickly move requests to production.  This is to ensure that service disruption is minimized, but also to ensure that expectations such as competencies are properly tracked and demonstrated.  One area that is tailored to specific groups is training.  To foster participation and to ensure that all staff have adequate knowledge to carry out their responsibilities, members of the advisory committee will ensure, under the direction of management, that training materials are specific to the people doing the work and to ensure .

What are the common mistakes in change management?

Mistake #1: Not Defining Clear Leadership Roles

Defining clear roles is the first step to avoiding mistakes in change management. Effective change management requires clear definition of change leadership roles: sponsor, change process leader, change leadership team, initiative leads, project teams, and change consultants. Without a common understanding of roles, the project cannot go forward in a coordinated fashion.  All parties will need to align on their vision of decision-making levels and authority, and on the decision style and process that best supports the overall execution of the IT project.

Mistake #2: Making the Change Too Quickly

Change can sometimes happen rapidly, and in a vacuum.  When this occurs, there will not be a collective effort, because different departments within the organization are working on their own solutions to their own problems and do not have time to come up with solutions to the bigger issues at hand.

Mistake #3: Failure to Make a Compelling Case for Change

It takes time and energy to convince employees to work outside their comfort zones. It takes a strong emphasis from leadership to promote a sense of urgency surrounding a project.  Creating a sense of urgency creates momentum within the project because it highlights how important the change is to the organization.  Many times leadership will get resistance from employees while a project is underway.  Leadership must circumvent this by messaging that a problem truly exists; the messaging should be a compelling change story that becomes a motivator for their employees.

Mistake #4: Not Having a Clear Vision

After the case is made for change, many leaders feel that they have helped to create a clear goal for a project. However, this clear vision may not translate to the rest of the organization.  Two of the steps in Kotter’s 8-step process for change are communicating the vision and empowering others to act on the vision.  Empowering others to act on the vision leads employees to take action sooner and more efficiently on efforts that will support the change.

Mistake #5: Not Celebrating the Small Victories

When a group goes through a project that deals with change, there needs to be some early success. This success will motivate the group and carry them forward onto the next set of tasks and goals for the project. It is crucial to choose targets that can easily be obtained to keep the momentum moving forward.  It is no use to set high benchmarks that will only discourage the participants in the project.  The benchmarks that are set should be completely analyzed to avoid potential failure.



Sunday, October 30, 2016

Week 4


By: Katheryn Christiansen

A compelling discussion came up during class: is it okay to use work computers for personal tasks?  Should organizations allow that?  Employers worry that employees are using online sites for non-work purposes while on the job or engaging in speech in public venues that might reflect poorly on their organization. Many organizations have been busy building into the culture that it is not okay to access non-work websites on work computers. The question is whether you build a relationship of trust with your employees and leave all websites open, or restrict websites that are deemed non-work related.  It is difficult for organizations to fully trust their employees to use non-work sites when there is the potential for this misuse to make the organization vulnerable to cyber threats.

We also discussed what happens when organizations have to deal with unexpected downtime. We are not going back to paper, so how are we going to deal with downtime?  Do you go back to templates or do you close the doors?  It is critical to have downtime procedures.  There are systemic security issues (the Swiss cheese model) that lead to a sequence of events that in turn leads to a breakdown in the system.  98% of security system breakdowns come from the human side, so that is how the issue of security needs to be addressed.

Week 4

By Moo Young Baek

I think this week's case study was not too far removed from the reality health care organizations go through with HIT implementation.  Organizations benchmark against each other to keep each other competitive, and although patients may not necessarily look at who did what first, organizations from staff to leaders believe it will help in their curb appeal.  I believe if a senior leader had pulled a stunt that cut the EMR implementation time in half, that leader would no longer be around.  Adequate time would equip the organization to discover inadequacies, whether in the hardware or in the training of the staff, and relieve the pressure to deliver.  However, I think even if the timeline was cut in half any organization would still have to face the post-implementation challenges such as having to polish certain processes that were planned out but did not go as smoothly in reality.  This in my opinion is the more challenging part because it requires changes to a system that is already "alive."

The focus of our discussions was more on change management and not the technical aspects of an EMR system.  I think this is why this course makes sense as part of the MHA program.  Although HIT knowledge is essential in implementing an EMR system, it is not all that is required.  Much of the building and support goes into having staff translate their paper or non-electronic process and having it arranged to ensure a smooth workflow in the electronic reality.  I think if all staff were invested and believed beyond the surface values of implementing and relying on an EMR system, building and implementing would be easier.  However, we all know what heavy resistance exists in all organizations regardless of the affinity staff have towards electronic devices.  I hope regardless of everyone's interests, organizations and their staff recognize that this is not a trend and stay committed to creating an interactive and interoperable EMR system.

Saturday, October 29, 2016

Week 4

By: Max Vrooman

I was very glad to see that we addressed change management as its own topic within informatics rather than as simply an unmentioned component of every case study we encounter.  The largest IT change that I have ever been a part of was while volunteering for Virginia Mason.  At that point in time I had never taken any kind of change management course or had any notion about some of the difficulties of implementing a CPOE system.  It is very interesting now in hindsight to re-examine the experience and try to piece together the ways in which they either succeeded or failed to do a proper job in facilitating the change.

One of the first things I noticed at the time was that before any of the training began they played a video from the CMO explaining why this was a necessary step for the organization to take.  He acknowledged that there were a number of ways in which the new system would be scary or disrupt workflow, but that in the end this was in the best interest of the patient, and that was the most important consideration for the organization.  This is a key step to placate physicians who may oppose the system or feel it is being forced upon them by administrators who don't know anything about medicine.  The CMO is a powerful stakeholder and is a voice that the majority of physicians trust.  Even if it doesn't change the mind of every physician, the hope is that it will at least influence enough of them to change the current of the discourse from negative to positive.

Secondly, they made the change small.  Each week they rolled out the changes to two or three units, with each one starting on a different day.  This made it so that each unit had the entirety of the organization's resources making sure they adjusted well to the CPOE system and could have any questions addressed.  As a super user I was assigned to the new units and was there in person to help with concerns.  This made it so that physicians didn't have to call the IT help desk and get stuck waiting on hold when there was potentially an urgent situation that had to be addressed immediately.  This took a lot of the stress off of the physicians when they realized that there was an extremely accessible source of expert information should a problem arise.

Wednesday, October 26, 2016

Week 4

By Lili Hozakowska:

I saw today’s case study as a surprising turn of events considering the focus of the study was not informatics, but rather change management. The informatics component was certainly apparent since the issue at hand was related to an EHR implementation, but this issue could have been anything and we would still step through the same change management process. While I was confused at first, I soon came to realize that discussing – and in particular, practicing – change management was incredibly important. We have heard about it in other classes, but change management is something that we, as future healthcare administrators, will need to know how to implement no matter the situation. By focusing on this case study, it gave us the opportunity to actually work through what we might do if we found ourselves in Sarah’s (the CMIO’s) shoes. Additionally, considering so few people in our program are techies, the case study was able to provide us with an informatics context in which to apply change management, which again could very possibly be something many of us will face in the future.

The three options most groups came up with were essentially to either agree with the CEO, disagree with the CEO, or seek some type of compromise. When approaching change management, a compromise is usually the chosen course (unless there are extenuating circumstances that make negotiation impossible) because it provides both parties with the opportunity to explain their side and then work with each other to formulate a new plan that they both can accept. The reason that I preferred compromise in this instance is because one of Sarah’s main concerns was the administration versus clinician culture; she didn’t want the providers to feel as though administration was trying to force them to adopt a system they didn’t want to use. By compromising with Emma (the CEO), Sarah could maybe find physicians who were already on board with this transition and were willing to volunteer their department to be the pilot. This would result in greater transparency and help garner support from the remaining MSMC employees.

The one last point I wanted to make was regarding a comment made toward the end of class. It was assumed that the articles printed about MSMC falling behind technology-wise would not actually impact the organization much. I disagree. For patients who already go to MSMC, then maybe they wouldn’t pay attention to the articles. However, for those who do not have a regular physician or who have not previously been to MSMC and had a positive experience, what are they supposed to think? Most people today, when they have to pick a restaurant, a cleaning service, or even a doctor, they usually turn to websites such as Yelp! to search for ratings and reviews. If MSMC is seen as falling behind the times, then they are at risk of receiving poorer ratings from younger consumers who associate advanced technology with higher quality care. Before truly answering whether or not people would be influenced by the articles, I think that it’s important to first assess the demographics so that you understand the population to whom you are catering.

Week 4


By Connor Ledbetter:

Class today was similarly structured to our other Health Informatics classes to date this quarter. Yet, even with the similar presentation of material, I walked out of the classroom feeling as though I had gleaned more today than most days. The business case presented Team Jefferson with the opportunity to propose recommendations for a CMIO to implement a “fully integrated EMR system”, a daunting undertaking on its own. However, as we read on through the business case, there was the proverbial wrench thrown in when the CEO of the organization decided to cut the implementation timeline in half, effectively and swiftly shifting the daunting task to a monumental nightmare.

What I enjoyed most was that our conversation, and that of the class, was not as technically founded as others had been and focused more on the people component of the implementation process. Specifically, change management and working to get everyone on board and supportive of the change. I found this conversation to be more fruitful than others due to the overarching nature that change management encompasses. The ability to persuade people to support change and effectively navigate a project through the minefield of personal opinions and opposition that will inevitably arise when change occurs, is a skill that will serve all of us well no matter our career path. In any position or undertaking, ultimately, it comes down to the people. Today's class allowed me to foster growth in my own ability to effectively implement change through insight from my team, and conversation from the class, on how to work with, persuade, relieve, and encourage people which, in my opinion, was an invaluable experience.

Chapter 3 - You have zero privacy anyway. Get over it.

Cybersecurity has become a hot topic due to the upcoming presidential elections.  Politicians are not the only ones vulnerable to cyber threats; health care organizations are as well.  As healthcare organizations maintain patient health information to deliver higher quality care for their patients, security becomes a bigger need.  Health care organizations have established security programs to identify potential threats and implement processes to eliminate or mitigate the ability of these threats to cause damage.  Security should involve not only protecting patient information, but the organization’s information systems as well, which include networks, hardware, software, and applications.  Threats can be human or environmental in origin.
Top 10 Recommendations for Cybersecurity in Health Care
  1. Protect Yourself Through Firewalls:  
All networks need a HIPAA-compliant hardware and software firewall.  Firewalls restrict incoming and outgoing network traffic through rules and criteria as configured by the individual organization.  A hardware firewall is installed between the organization’s network and the Internet to protect the systems from the outside environment.  Meanwhile, software firewalls protect the specific devices they are installed on from internal threats.  Security Metrics Blog surveyed 52 healthcare professionals responsible for HIPAA compliance to see how they were doing with network firewall protection and found that only 18% use both hardware and software firewalls.  In addition, 27% of those surveyed did not know which firewalls they use.  After appropriate installation, ongoing management of firewalls and regular review of changes to firewall rules is critical to keeping a healthcare IT system safe.
  2. Control Physical Access:
One of the most common ways data is breached is by losing a device.  This can occur by accident or intentionally through theft, so every device should be regularly inventoried and locked up so that only appropriate personnel have access to devices.  Limiting physical access also includes managing physical keys, securing machines within locked areas, and limiting the ability to remove devices.  Servers should be kept in a controlled environment, meaning they are protected from physical and environmental elements, which can include temperature, water, and even fire.  In many instances, there is also a security guard monitoring the area.
  3. Plan for the Worst (have a tested, regular backup and recovery system in place):
There comes a time in every healthcare organization’s history when disaster will strike.  It could be a natural disaster where an earthquake, blizzard, tornado, or hurricane causes damage to the hospital.  It could also be equipment failure which causes an electrical failure and shuts down power, or human error which necessitates shutting down the EHR for many hours to fix issues.  None of these scenarios can be predicted with 100% accuracy, but an organization is nonetheless asking for trouble if it does not have a plan to deal with each and every one of them.  The most critical element in this regard is to have a secure backup system.  In the event of an emergency, patient records need to be regularly stored in a second location to ensure that they are still accessible.  These backups need to occur regularly and automatically to prevent human error and to keep a mindset of “what’s the big deal if I miss a backup or two when nothing ever happens” from sinking in for any staff member.  Additionally, the backups must be housed in an off-site location.  In the event of a natural disaster which wipes out the main system, the backups must survive the same event.  However, just because they live in a secondary location does not mean they should not be just as secure as the main system.  If patient information is stolen off of the backups it is just as disastrous as if it were stolen off the main system.  Lastly, there must be a protocol for transitioning between the primary and secondary system.  This will include assessing the various levels of damage possible and coming up with a plan for each one.  If the hospital is on emergency generator power, that may necessitate a different reaction than if the EHR is temporarily taken offline because of newly discovered software errors.  Thorough risk analysis must take place for every imaginable scenario to ensure that the organization survives each.
  4. Use and Update Antivirus Software:
Antivirus software is designed to reduce the threat from viruses.  Viruses are one of the easiest ways security will be compromised, and using antivirus software helps minimize vulnerability while also being one of the most affordable ways an organization can protect itself.  Although antivirus software is not foolproof in detecting all unusual activity, it still helps reduce risk, especially when organizations keep the protection continuously updated.  Antivirus software works with “signatures” and only responds when a known virus comes into your network.
  5. Have a Communication Plan:
There is no use hiding your response plan within an employee handbook.  Organizations must have a comprehensive plan that outlines how and when information is disseminated to staff.  Trying different avenues of communication is the key to reaching the largest number of employees possible.  Newsletters, announcements at staff meetings, reminders in break rooms and cafeterias, blogs, vlogs, podcasts, and screen savers displaying data security and privacy messages can all be effective ways of communicating.  Remember that it is not a plan unless staff members know their role and can execute their portion of the plan in a timely manner.  Providing ongoing education, as outlined below, will allow the plan to be a living document and policy.  This ongoing education will remind employees that they have a vital role in securing data.  Encourage employees to view it from the perspective of their home life: how would they want their own data to be protected?  By having a communication plan, you are demonstrating the value placed on an organization’s data.
  6. Establish a Security Culture/Employee Education:
No matter how competent an organization’s IT department is with regard to security and privacy, it is still heavily dependent on every other staff member to do their job effectively.  The majority of people in any organization believe that they will never accidentally put patient information at risk, even though many do exactly that on almost a daily basis.  Constant education is needed to impress upon staff that the actions they take while at a computer can have real and severe consequences for themselves as well as the organization.  Training must begin at orientation for new staff and should include annual updates for existing staff members.  Leadership must be willing to set an example for the people under them by always practicing good habits and continuing to hold others accountable for doing the same.
  7. Encryption (of Endpoint Devices and Sensitive Data):
Encryption takes data and makes it appear meaningless to anyone without the key.  Even with laws such as HIPAA that require organizations to encrypt patient information, once security has been compromised to the point where violators have legitimate access, encryption no longer helps.  Another large risk of not encrypting devices and data is that violators will not necessarily use patients’ health information themselves, but will try to sell it on the dark web.  Patient information sells for up to five times the amount of an individual’s credit card information.  On top of this, many violators will use ransomware, where victims have to pay the perpetrators to regain access to their own information and have it decrypted.  Encryption should be a priority for all healthcare organizations, and with the assistance of good IT support, organizations are left less vulnerable.
  8. Control access to confidential electronic health records:
With the spread of EHRs, healthcare systems have the opportunity to improve coordinated care for patients and provide easier, continuous access to their health information.  HIPAA regulations for securing confidential patient EHRs are meant to keep private patient information safe from being inappropriately accessed/hacked, stolen or lost.  To avoid security breaches, healthcare IT staff must remain up-to-date about the tools at their disposal to adequately protect their patients’ EHRs.  Access control lists dictate to the firewall which traffic you trust coming into or leaving your network and accessing your network’s data.  When no access control lists are configured, all network traffic is free to come and go.  In addition, setting and resetting passwords and PINs, encryption of transferred and stored information, and auditing network trails all serve as other methods to increase EHR security.  As a tradeoff, it’s important to remember that large rule sets within access control lists can often negatively impact the network’s performance, slowing down workflow.  Network administrators will also need to hear and address the relevant needs and complaints from staff members about inability to access files they should have access to in order to perform their job duties.
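To make the access control list behaviour described above concrete, here is an added example (not code from the original post or from any real firewall product) that simulates an ordered, first-match rule set in front of a hypothetical clinic network. The network ranges, host addresses and ports are constructed for illustration. It shows the two points the paragraph makes: with no rules configured, the outcome is entirely determined by the default policy (default-allow lets everything through, default-deny blocks everything), and the number of rules examined before a decision grows with the size of the rule set, which is where the performance tradeoff comes from.

```python
"""Illustrative first-match packet filter (added example, not a real firewall)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port; None means any port
    proto: str = "tcp"

    def matches(self, src: str, dst: str, dport: int, proto: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport)
                and self.proto == proto)


def evaluate(rules: List[Rule], src: str, dst: str, dport: int,
             proto: str = "tcp", default: str = "deny") -> Tuple[str, int]:
    """Walk the ordered rule set; the first matching rule decides.

    Returns (decision, number_of_rules_examined). With an empty rule set the
    decision is simply the default policy, which is why "no ACL configured"
    on a default-allow device means all traffic is free to come and go.
    """
    for examined, rule in enumerate(rules, start=1):
        if rule.matches(src, dst, dport, proto):
            return rule.action, examined
    return default, len(rules)


# Constructed sample rule set for a hypothetical clinic (addresses are made up):
#   10.20.0.0/16  clinician workstation VLAN
#   10.10.5.10    EHR web/application server
#   10.10.6.20    EHR database server, inside the 10.10.6.0/24 database subnet
CLINIC_RULES = [
    Rule("allow", "10.20.0.0/16", "10.10.5.10/32", 443),   # workstations -> EHR app over HTTPS
    Rule("allow", "10.10.5.0/24", "10.10.6.20/32", 5432),  # app tier -> database only
    Rule("deny",  "0.0.0.0/0",    "10.10.6.0/24",  None),  # nothing else reaches the DB subnet
    Rule("allow", "10.20.0.0/16", "0.0.0.0/0",     443),   # general HTTPS browsing for staff
]


if __name__ == "__main__":
    print(evaluate(CLINIC_RULES, "10.20.3.4", "10.10.5.10", 443))   # ('allow', 1)
    print(evaluate(CLINIC_RULES, "10.20.3.4", "10.10.6.20", 5432))  # ('deny', 3)
    print(evaluate([], "10.20.3.4", "10.10.6.20", 5432))            # ('deny', 0)
    print(evaluate([], "10.20.3.4", "10.10.6.20", 5432, default="allow"))  # ('allow', 0)
```

Because evaluation stops at the first match, rules that handle the bulk of legitimate traffic belong near the top; the explicit deny for the database subnet sits before the broad browsing rule so that a workstation can never reach the database directly, no matter what comes later in the list.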
  9. Perform regular security and risk audits:
Another security method that we recommend implementing for Moyen Sante Medical Center’s EHR is the ongoing use of security audits through the utilization of audit trails and audit logs. We will avoid the technical components of all that an audit entails and briefly summarize some of the benefits that the organization will capitalize upon when security audits become an organizational standard.
The first benefit, realized immediately upon the implementation of security audits once the audits are made known to the organization, is that the organization will see a reduction in inappropriate access. Audits are one step in the process of creating a culture of accountability, because individuals change their behavior when they are aware that they are being monitored. Additionally, and in the same vein, audits create a trail that can be followed when malicious use does occur and that can be consulted when conducting investigations.
Another benefit for Moyen Sante is retroactive in nature but will allow the security of the EHR to be continually improved. Security audits allow the organization to identify malicious attempts to access patient records and analyze the way in which the attempted or successful access occurred. This knowledge allows the HIT staff to bolster the EHR security systems to diminish the likelihood of that form of unwarranted access occurring again in the future. Further, a malicious access attempt does not have to occur to identify weak points in the EHR security. Some audits will reveal weak points in security simply through conducting the periodic assessments.
Lastly, aside from the accountable and reliable culture pertaining to electronic patient health data that arises when a health system performs security audits, the organizational leaders who are developing security measures around HIT will need to consider security audits because they are compulsory.  The HIPAA Security Rule mandates the following provisions:
Section 164.308(a)(1)(ii)(c) – Information system activity review (required), which states that organizations must “implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”
Section 164.312(1)(b) – Audit controls (required), which states that organizations must “implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
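The paragraphs above describe the benefits of reviewing audit logs without going into the mechanics, so here is an added example (written for this post; it is not Moyen Sante’s code or any EHR vendor’s audit tooling) of the kind of periodic review that the “information system activity review” provision calls for. The log format, user names, patient identifiers and the care-team table are all constructed for illustration; a real EHR exports its own audit schema. The review applies two common checks: a view of a patient record by a user who is not on that patient’s care team (and whose role is not exempt, such as billing), and a user viewing many distinct patients within a short window, which is the pattern a bulk lookup or record-scraping incident leaves behind.

```python
"""Added example: periodic review of a constructed EHR access audit log."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample audit log (made up for this example, not real system output).
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action
2016-10-31T08:05:00,dr_ahmed,physician,P1001,view
2016-10-31T08:07:00,dr_ahmed,physician,P1002,view
2016-10-31T08:20:00,rn_lopez,nurse,P1001,view
2016-10-31T09:10:00,clerk_kim,billing,P1001,view
2016-10-31T09:11:00,clerk_kim,billing,P1003,view
2016-10-31T09:12:00,clerk_kim,billing,P1004,view
2016-10-31T09:13:00,clerk_kim,billing,P1005,view
2016-10-31T09:14:00,clerk_kim,billing,P1006,view
2016-10-31T12:30:00,rn_lopez,nurse,P2001,view
"""

# Constructed treatment relationships: which users are on each patient's care team.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"dr_ahmed", "rn_lopez"},
    "P1002": {"dr_ahmed"},
}

Finding = Tuple[str, str, object]  # (check name, user, detail)


def parse_log(text: str) -> List[dict]:
    """Parse the CSV audit export into dicts with a datetime timestamp."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        records.append(row)
    return records


def review(records: List[dict], care_team: Dict[str, Set[str]],
           exempt_roles: FrozenSet[str] = frozenset(),
           bulk_threshold: int = 5,
           window: timedelta = timedelta(minutes=10)) -> List[Finding]:
    """Return findings for a reviewer to follow up on (not an automatic verdict)."""
    findings: List[Finding] = []

    # Check 1: a record viewed by someone with no treatment relationship to the patient.
    for r in records:
        if r["role"] in exempt_roles:
            continue
        if r["user"] not in care_team.get(r["patient_id"], set()):
            findings.append(("no_treatment_relationship", r["user"], r["patient_id"]))

    # Check 2: one user viewing many distinct patients inside a short sliding window.
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    for user, events in by_user.items():
        events.sort(key=lambda e: e["timestamp"])
        for i, start in enumerate(events):
            patients = {e["patient_id"] for e in events[i:]
                        if e["timestamp"] - start["timestamp"] <= window}
            if len(patients) >= bulk_threshold:
                findings.append(("bulk_access", user, len(patients)))
                break  # one finding per user is enough for the reviewer
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG), CARE_TEAM, frozenset({"billing"})):
        print(finding)
```

The output of a review like this is a worklist, not a conclusion: the nurse who opened P2001 may have been floated to another unit, and the billing clerk may have been working a legitimate queue. The value the post describes comes from someone looking at each finding, recording the explanation, and adjusting either the access rules or the thresholds when the explanation shows a gap.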
  10. Have a mobile device policy:
In today's world of smartphones, laptops, tablets, etc., all the information we could possibly need is right at our fingertips. In the healthcare industry that information includes the personal information of thousands of patients via Electronic Health Records. Now we have already mentioned the importance of securing these records, so why do we need to address mobile devices separately? This is because mobile devices contain their own set of security risks. Some of these include:
  • The mobility of the devices, which makes them easy to lose as well as susceptible to theft
    • If this happens, you need to ensure that the device is secure so as to prevent unauthorized use; this can be done via password protections, access controls, and other authentication requirements
  • Because mobile devices can be used almost anywhere with a wireless internet connection, you must:
    • Pay careful attention to your environment - such as the people around you - before you view private information on your mobile device
    • Be wary of transmitting any unencrypted information via a public or unsecure wireless network
Taking these risks into consideration, if you can avoid transporting data with mobile devices, then you should do so. However, in today's wireless world, we must account for the fact that many people are dependent upon these devices. Therefore, if you must transport sensitive information via your mobile device, you must always ensure that the data is encrypted. A crucial rule of cybersecurity is: if you are unsure whether or not transmitted data would be encrypted on a particular mobile device, do not use it.
Developing and enforcing a mobile device policy for your organization that emphasizes this rule is essential. No longer is private patient information located in a single, secured facility; now it can be found on a mobile device, small enough to fit inside your pocket, and be taken home with you. It is said best by healthit.gov: "Those who have responsibility for protecting patient information must recognize that this responsibility does not end at the office door."

One of the biggest challenges of healthcare cybersecurity is balancing the cost of security with the need for security.  Organizations are still unclear on how to measure the level of vulnerability their networks are exposed to, and are therefore challenged to decide how much or how little they need to invest to reduce risk.
Source: