Three key lessons for health IT leaders
This post is written by Matt Olsen, the Chief Privacy Officer of Sidley Austin LLP and the Former Privacy and Data Sharing Officer of HHS.
Healthcare is experiencing a technological revolution. As the decades-long transition to electronic health records has reached nearly every hospital in America, we need to ensure the protection of our most sensitive data in those records. Until last month, I was the Chief Privacy and Data Sharing Officer of the U.S. Department of Health and Human Services (HHS). In that role, I saw, despite the perceptions of Federal bureaucracy, an organization with a trillion dollar budget, 80,000 employees and the holders of personal data for 1/3 of the U.S. population taking action to be a leader in protecting patient privacy.
During my tenure, I helped HHS stand up a consolidated and comprehensive data privacy program, and it became strikingly clear that there are some basic building blocks of information management that you have to get right to fully utilize the new tools available to us in privacy. Put another way, I often say, if you don’t have your shoelaces tied, you trip walking in the door, and the technology doesn’t matter.
We still have a ways to go in ensuring that patient data receives the protection it deserves, but the healthcare industry is learning from each breach and applying those lessons to decision-making strategies. Like I mentioned in my interview on the Protenus Talk Healthcare podcast, here are three key challenges I faced along with the corresponding lessons I learned from them:
First. Within healthcare’s tech revolution, vendors are building solutions designed to tackle issues including patient privacy monitoring, infection control, data sharing between providers, and patient engagement, amongst hundreds of others. With all that’s available, it can be tempting to jump at the latest shiny new object.
However, I want to caution against this behavior. While we must continue to support the ongoing migration from a paper to an electronic environment, we need to be smart about how we implement technologies and consider how a new system will work with and interact with already existing tech. Too often, a new solution is plugged in and turned on, which leads 14 other systems to break down and actually increases the risk to sensitive data. Or, just as bad, the new tool simply duplicates functionality you already have.
To avoid this, maintain rigorous vendor requirements when evaluating prospective technologies. Get into technical requirements early on to ensure that vendors acutely understand the composition of your systems and have the necessary infrastructure in place to maintain data safety. This involves significant effort from a privacy, security, systems, and business owner perspective, but it’s worth it.
Second. Due to the increasing amount of regulation that healthcare faces, it’s an industry dominated by compliance activity, which can disrupt the streamlined ways for providers to deliver care. While this is meant to protect patients, it puts a heavy burden on health system workforces to manually document their decisions and activities. For example, HHS maintains over 800 privacy impact assessments for our IT systems. Quality manual review of these is a daunting task due to the level of time that reviewing and revising even a single one can take. We must be smarter and more efficient in how we assess our risks, in order to not get buried by the volume.
Additionally, HHS experiences thousands of privacy breaches each year. Fortunately, most are simply mis-mailings on the millions of snail mail documents we send to individual beneficiaries and providers, and are very low risk. However, without effective means of sorting and measuring the risks of those and the potentially higher risk breaches, we could potentially spend hundreds of hours sifting through the content of individual breaches looking for potentially risky behavior in programs and systems. These heavy workloads currently overwhelm privacy, HIM, and cybersecurity offices, and we need improved tools, policy, and technology to even the odds. Artificial intelligence, one of the more widely discussed technological innovations right now, can automate once time-consuming manual tasks. The result is that healthcare leaders can understand where the actual risk lies in order to design programs and policies that address these vulnerabilities head on and give them more time to focus on core strategic questions that are essential for success in a quickly-evolving health IT landscape.
Third. While AI holds promise, the technology itself is not the answer. I think of AI like a friendly monster. The more you feed it, the more powerful it gets; the more data the system ingests, the smarter or more accurate it becomes. There’s a caveat though: you need to know what you’re feeding it, which is especially important in a healthcare setting that deals with people’s most sensitive information. Otherwise your monster isn’t so friendly anymore. At HHS, I pushed the idea, made it my war cry per se, of internal transparency to understand how we use patient and other sensitive information. The goal in that is not to stop the usage, but to ensure we understand the risks we are accepting in exchange for positive outcomes. This is another heavy commitment for stakeholders across your organization, but it’s the only way to understand how the information going in will influence outcomes and the ultimate business problems being solved.
And to throw in a fourth for fun: the tension that exists between privacy and cybersecurity is an ongoing theme in any organization, including at times within HHS. It can be instinctual to view cybersecurity and privacy as wholly distinct domains with separate goals, or that one must be subservient to the other. However, over time, the HHS cybersecurity team became my greatest ally, and collaboration allowed us both to more efficiently meet our goals. As one example, we now have relied on insights gleaned from automated tools and privacy and cybersecurity expertise to form a collective body of information that tells us where the most serious privacy vulnerabilities lie within organizations.
We face a lot of challenges in the healthcare environment, but through transparency and innovation we can meet those challenges head on. If you’d like to learn more, check out my interview on Talk Healthcare, a 30-minute podcast that discusses the latest in healthcare technology and is produced by the folks at Protenus. I encourage you to give it a listen, and enjoy!