Action steps CFOs can take to boost data security

Following up on my April 21 column detailing why hospital chief financial officers need to take an interest in the privacy and security of patient data, I spoke with Dr. Barry Chaiken, MPH, chair of the Healthcare Information and Management Systems Society (HIMSS), who shared some additional insights. So, quick: How do you filter viruses out of emails?

If you don't know the answer, that's OK. You can leave those types of tactical issues to the information technology (IT) professionals, advises Chaiken. However, "CFOs are responsible for the financial integrity of the institution. They are therefore responsible for security and privacy, whether they like it or not," he points out.

CFOs should consider privacy and security "a strategic issue," says Chaiken. "CFOs have to formulate the strategic solution--what parameters they want to set to prevent breaches of security and privacy--and then allow the vice president for management systems or the CIO [chief information officer] to figure out how to deliver that strategic vision. The CIO is not necessarily going to understand the ramifications of a breach the way a CFO might."

Chaiken explains three critical steps that CFOs can--and should--take:

No. 1: Audit work flows.

CFOs should review financial processes to look for places where damage can occur, says Chaiken. "Everything is about work flow in healthcare. You have to examine those processes to see where you think there are weak points." One obvious example of what a CFO might review: a lobby kiosk where an employee is entering personal data. "That is clearly where a work flow could be broken," he explains. "So you have to examine those processes."

No. 2: Institute surveillance.

Surveillance is a common tool for dealing with public health emergencies, but Chaiken believes in surveillance "all across the board." Hospital CFOs should create a surveillance process to monitor processes "to, in an early way, identify potential breaches that could become huge problems," he advises. Often, data breaches start out small, but they aren't caught until the drip becomes a flood. For example, CFOs need to have a surveillance tool to check whether anyone is accessing records that they shouldn't. "You would want to know that early on vs. finding out later that large numbers of people are accessing records without authorization or inappropriately."

It's important to note that surveillance "is not about identifying a problem," stresses Chaiken. "It is about identifying a potential problem."
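To make the "surveillance tool" concrete, here is an added example (mine, not code from the column or from HIMSS) of the two checks Chaiken describes run over a handful of constructed EHR audit-log lines: whether anyone is reading records outside their permitted scope, and whether a user's daily record volume is climbing before it becomes a flood. The log format, the role-to-unit policy, the break-the-glass field and the thresholds are all assumptions made for the illustration.

```python
"""Access surveillance over constructed EHR audit-log lines (added example).

Assumed log fields, one access event per line:
    date, user, role, user_unit, patient_id, patient_unit, break_glass
Every line below is fabricated for this example; there is no real patient data.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample log. bjones reads 2, then 4, then 8 records on successive
# days (the "drip"); kdoe reads an oncology chart from the ICU with no reason.
SAMPLE_LOG = """\
2011-05-02,jsmith,nurse,ICU,P1001,ICU,N
2011-05-02,jsmith,nurse,ICU,P1002,ICU,N
2011-05-02,kdoe,nurse,ICU,P3001,ONC,N
2011-05-02,mlee,physician,ER,P4001,ICU,Y
2011-05-02,bjones,billing,BILLING,P2001,ONC,N
2011-05-02,bjones,billing,BILLING,P2002,ONC,N
2011-05-03,bjones,billing,BILLING,P2003,ONC,N
2011-05-03,bjones,billing,BILLING,P2004,ONC,N
2011-05-03,bjones,billing,BILLING,P2005,ONC,N
2011-05-03,bjones,billing,BILLING,P2006,ONC,N
2011-05-04,bjones,billing,BILLING,P2007,ONC,N
2011-05-04,bjones,billing,BILLING,P2008,ONC,N
2011-05-04,bjones,billing,BILLING,P2009,ONC,N
2011-05-04,bjones,billing,BILLING,P2010,ONC,N
2011-05-04,bjones,billing,BILLING,P2011,ONC,N
2011-05-04,bjones,billing,BILLING,P2012,ONC,N
2011-05-04,bjones,billing,BILLING,P2013,ONC,N
2011-05-04,bjones,billing,BILLING,P2014,ONC,N
"""

# Hypothetical access policy: "*" = any patient unit (billing needs every
# account), "own" = only the user's assigned unit unless the access carries a
# documented break-the-glass reason (break_glass == "Y").
ROLE_UNITS = {"billing": "*", "nurse": "own", "physician": "own"}

TREND_FACTOR = 2.0     # assumed: flag a day that is > 2x the user's prior daily mean
MIN_PRIOR_DAYS = 1     # assumed: need at least one earlier day to call it a trend
ABS_DAILY_LIMIT = 50   # assumed: hard ceiling regardless of history


def parse_log(text):
    """Turn the comma-separated log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, user, role, user_unit, patient_id, patient_unit, bg = line.split(",")
        events.append({"date": date, "user": user, "role": role,
                       "user_unit": user_unit, "patient_id": patient_id,
                       "patient_unit": patient_unit, "break_glass": bg})
    return events


def scope_violations(events):
    """Accesses outside the role's permitted scope with no break-glass reason."""
    hits = []
    for e in events:
        rule = ROLE_UNITS.get(e["role"], "own")   # unknown roles default to own unit
        in_scope = rule == "*" or e["patient_unit"] == e["user_unit"]
        if not in_scope and e["break_glass"] != "Y":
            hits.append((e["date"], e["user"], e["patient_id"], e["patient_unit"]))
    return hits


def volume_alerts(events):
    """Early warning: a user's daily record count is climbing, or is simply huge.

    Each user's days are walked in order; a day is compared with the mean of that
    user's earlier days, so a small but rising volume is flagged while it is still
    small rather than once it is large.
    """
    per_user_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_user_day[e["user"]][e["date"]] += 1
    alerts = []
    for user, days in per_user_day.items():
        history = []
        for date in sorted(days):
            n = days[date]
            if n > ABS_DAILY_LIMIT:
                alerts.append((date, user, n, "over absolute daily limit"))
            elif len(history) >= MIN_PRIOR_DAYS and n > TREND_FACTOR * mean(history):
                alerts.append((date, user, n, "volume rising vs prior days"))
            history.append(n)
    return alerts


def surveil(text):
    """Run both checks over raw log text and return the findings."""
    events = parse_log(text)
    return {"scope": scope_violations(events), "volume": volume_alerts(events)}


if __name__ == "__main__":
    for kind, findings in surveil(SAMPLE_LOG).items():
        for f in findings:
            print(kind, *f)
```

On the constructed log this reports kdoe's out-of-unit read on the first day and bjones's rising volume on the third day, when the count is still only eight charts, which is the point of surveillance as Chaiken frames it: a potential problem surfaced early, for someone to look at, not a confirmed breach. A real deployment would replace the policy table with the hospital's own role definitions and tune the thresholds against normal volumes for each role.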

No. 3: Drop the "silo" mentality.

The interoperability of financial systems and clinical systems in hospitals means "access to one often gives you at least some partial access to the other," says Chaiken. Consequently, CFOs should work collaboratively with the clinical IT leadership to address privacy and security. If the chief medical information officer (CMIO) has a weak process, "that could potentially expose the CFO," he points out. Likewise, a weak security process on the financial side could potentially cause a breach of the clinical data.

"We can no longer in healthcare work in silos," says Chaiken. "Everybody is interconnected, so clinical and nonclinical people have an obligation to work closely together to address all the issues in healthcare, particularly privacy and security."

CFOs need to get started developing a strategic plan for data privacy and security "yesterday," says Chaiken. "The planning must begin now. This is a stepwise process. You don't say, 'I'm going to put together an ironclad system, and it is going to take me three years.' You develop a good plan, and you start to gradually ramp up your ability to establish security and privacy." - Caralyn

P.S., we've just published a new e-book examining the ins and outs of revenue cycle dashboards. You can download it for free here. Enjoy!