Although community hospitals often have tight budgets for information security programs, they still can take meaningful steps to improve breach detection and prevention, says Ed Ricks, CIO of Beaufort (S.C.) Memorial Hospital.
"What we realized a few years ago is that as a community hospital, we don't have all the resources that maybe some of the larger academic institutions have. But we can make the most with our people ... resources ... and money. Even though we had all the bullet points from a [HIPAA] compliance perspective, it wasn't an active, living security program," Ricks says in an interview with Information Security Media Group.
About a year ago, the 197-bed acute care facility hired an information security director, "and he got us up and running for the true program," he says. "From there, we've done a lot of things from ... culture to education ... and [implementing] technology tools."
Ricks will speak about the security strategies at Beaumont Memorial at the Healthcare Information and Management Systems Society 2016 Conference in Las Vegas.
To help prevent and detect breaches, Beaufort has implemented tools ranging from intrusion detection to vulnerability scanning, as well as tools to flag potential unauthorized access to electronic health records data by insiders. The hospital also uses a program to test user awareness in spotting phishing email scams and offer automatic tutorials for those who fall for the tricks.
Meanwhile, the hospital's new director of information security, along with a new compliance officer, have worked together to step up efforts to address improper EHR access through automated tools that help flag potentially suspicious or inappropriate activity that needs to be investigated, Ricks says.
The tools have helped stem potential occurrences of inappropriate access before they become full-fledged privacy breaches, he says. "We've been working through this for about the last year. ... We've seen the incidence of reportable [actions] ... where we need to take the next step of [discipline] of an employee drop by 98, 99 percent," he says. "Part of that is just the awareness - getting the word out [to employees] that we're monitoring - and that it's really proactive and real-time."
In the interview (see audio link below photo), Ricks also discusses:
- The challenges involved with role-based access and setting baselines for "typical" user access;
- Preventing and detecting breaches involving business associates;
- Managing and safeguarding privileged user access.
Ricks, vice president of information services and CIO at Beaufort Memorial Hospital, has 25 years of healthcare information systems experience working for four health systems, with nearly 15 years at a senior level. He's a member of the College of Healthcare Information Management Executives as well as HIMSS.