Hospitals Must Prepare as Security and Privacy Concerns Increase in 2021
By Scott Mace
Last March 15, the U.S. Department of Health and Human Services (HHS) waived sanctions against hospitals that did not comply with five provisions of the HIPAA Privacy Rule during the COVID-19 pandemic. Those rules governed:
- The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
- The requirement to honor a request to opt out of the facility directory
- The requirement to distribute a notice of privacy practices
- The patient’s right to request privacy restrictions
- The patient’s right to request confidential communications
Tim Tindle, chief information officer and chief information security officer for the clinical communications company Spok, spoke with HealthLeaders about the changed landscape for healthcare security and privacy in 2021. The following responses have been lightly edited for space and clarity.
HealthLeaders: What will likely impact HIPAA-compliant communications in the future?
Tim Tindle: As the pandemic enters our rearview mirror sometime in 2021, we can expect HHS to return to a pre-pandemic posture relative to the five provisions waived on March 15. We’ve seen a decade’s worth of change in just a few months. The pandemic drove our healthcare systems to embrace telehealth and demanded we find new ways to communicate between clinicians, patients, and families. While generic consumer communication applications might be a temporary solution for overwhelmed healthcare workers, they create additional privacy and security risks that will likely only escalate.
Beyond the ability to communicate securely with patients and families, COVID has reinforced the urgent need for health systems to have in place an end-to-end enterprise communication strategy that extends beyond secure messaging. If we are to ever achieve real engagement by patients in their own care, our strategies must include patients and families. The right solutions must facilitate workflows, teamwork, collaboration, and security. All the coming change related to communications will have a significant impact on future HIPAA regulations. Security and privacy controls must evolve as healthcare information, communications, and cyber threats evolve.
HL: How significant will cloud technology be, post-pandemic?
Tindle: We have seen a sudden cloud surge with the rush towards remote work, and this trend will continue long after the pandemic is over. Fortunately, the elastic nature of the cloud allows us to expand and contract based on the needs of teleworkers. We will also see an increase in demand for collaboration platforms, as the pandemic continues to prove how important it is to connect care teams with the people and information they need to make faster clinical decisions. It will be vital to understand how the technology is built, the company’s security practices, and the platform’s continued value stream. The cloud allows additional modern protection with serious reduction around potential ransomware attacks.
HL: What steps should hospitals take now to prepare for the event of a data breach at their organization?
Tindle: Start by assigning a strong cross-functional response team to take responsibility for creating and carrying out a customized response to a specific breach. Next, develop, document, and maintain an incident response plan. This plan should define how to detect a breach, what information to collect and how to do so, and who to notify under what circumstances. While data breaches may seem inevitable, a negative impact on your hospital doesn’t have to be.
HL: To what degree is secure communication in healthcare a given today? How much communication still flows through nonsecure means? What initiatives are underway to reduce or eliminate such communication gaps?
Tindle: As cyber attackers continue to become more and more sophisticated, having robust secure communication is essential for every healthcare system. Surprisingly, many communication channels such as faxes, phone lines, SMS text messages, and email still operate in nonsecure means. The move towards secure communications is essential, specifically solutions that are tailored and built for healthcare. But having a secure app isn’t enough. It’s important that the secure technology is as easy to use as the nonsecure means, like text messaging, and offers much more value to the user in the form of proactive delivery of critical information the user can manage and act on.
Scott Mace is a contributing writer for HealthLeaders.