
Healthcare IT Security
A Productivity, Privacy and Profit Initiative

A dangerous but likely sight in almost any hospital care unit is an unattended computer workstation, accessible by any passerby. If by chance the computer is locked, simply flip over the keyboard and you’ll often find the generic logon ID and password posted on the bottom; a failsafe for all caregivers in the care unit wanting to log on.

Perhaps this situation was acceptable when computers were uncommon and therefore intimidating or unfamiliar to a novice, when hospitals were less friendly and less accessible to visitors and when most patients’ sensitive health information was kept on paper records.

The world has changed. Millions of health records across multiple applications are digitally accessed by caregivers. The provisioning of this access by IT professionals is imperative. What is equally important, yet has been overlooked for so many years, is the assurance that the appropriate people are viewing the sensitive data. With the evolution of IT in healthcare and the trend towards electronic medical records, the need for healthcare organizations to invest in the policies, practices, people, and technology needed to safeguard their computer systems within their “four walls” must now move to the forefront.
   
With increasingly sophisticated computer systems, it’s no longer appropriate for computer users to share electronic identities, and in so doing be the “same person” in the electronic world. The problem is that, as the “same person,” caregivers can all do the same things, such as order the same medications, even when policy generally restricts which medications caregivers in various roles can order. Another problem arises for auditing: the systems look like they have only one user, making it impossible to know who actually did what, should the need ever arise (say, in litigation).

The key to effectively addressing these issues is in achieving the necessary protections without impeding care delivery. Better yet, the goal should be to achieve the necessary protections while actually facilitating care.

The idea of instituting security controls that facilitate the delivery of care may sound like a contradiction, when in fact it’s the only practical solution. The reason is that the people who will be subject to these controls are among the smartest and most highly trained on the planet – nurses and physicians. As a matter of necessity, they are quite adept at bending processes and practices to minimize and even avoid institutional inefficiencies. Provide a computer system that requires each nurse or physician to log on and then wait a frustratingly long 30 seconds or more to gain access to their applications, and the result is that someone will log on once and never log off. The next caregiver who uses that computer will have instant access because they don’t log on but rather use the logon of the previous user. This next caregiver doesn’t log off either, and so the workaround perpetuates. While the caregivers have successfully avoided the annoyance of logging on, in an electronic sense they are all the same person as the caregiver who originally logged on. This is not an example of people misbehaving. Rather, it’s an example of people with a critical mission finding ways to “work the system” to support their urgent needs.

Recognition of the need for security solutions has grown in recent years, but most healthcare organizations view such solutions as low-level, perhaps even commodity-like, infrastructure. Executive managers assume that they have no role in driving the selection of these solutions since they are often put off by the security jargon and seemingly arcane security-related considerations. The erroneous assumption is that security technology is solely the purview of the front-line technical staff.

However, the organizations that have successfully deployed effective security solutions all have one thing in common: they understood that their security solution was a business imperative that was going to impact the daily lives of every caregiver. Make a poor selection and the impact is painfully unproductive. Make an appropriate selection and the impact is good security, increased caregiver productivity, and myriad cost savings.

Senior managers in these organizations recognized the business case for good security. These managers led the selection process rather than simply delegating to a front-line technical team. The managers assessed and then selected their security solution as if they were choosing a clinical application. This meant that caregivers were involved in the selection process, and serious consideration was given to how the solution would fit with caregivers’ workflow. And, perhaps most importantly, these organizations worked closely with their caregivers to teach them how to make fast and effective use of the new security apparatus as it was being deployed.

The characteristics of a thoughtful security solution that will be embraced by caregivers may differ greatly from the solution IT professionals would endorse. For caregivers, it’s important that the system be easy to learn and intuitive to understand as well as provide easy access, such as just one identifier and one password. Increased productivity through time savings, as long as care is not compromised in the process, is a top concern for nurses and physicians. A solution mustn’t hinder operations in any way. Access to all key clinical applications must be granted and must function in the same way at every workstation throughout all facilities.

Although caregivers and IT staff would both make reliability an essential characteristic, IT professionals must look at the system from a view greater than just one caregiver’s experience. The solution must be easy to administer on a daily basis as well as adaptable to new applications added to the network of workstations. Finally, auditing is important, and reports on security-related activities within the system must be easily generated.

With the acceptance of a security solution comes acceptance and conformance to established security policies by caregivers and IT professionals alike. Benefits include fast and effective use of computer workstations, resulting in time savings and the ability of doctors to assist more patients. For example, studies have shown that a good security solution can save as much as 30 minutes per physician per day by eliminating time spent trying to log on and off of multiple applications. Not only would caregivers have more time with their patients but the patients would benefit by feeling secure, knowing that their records can’t be seen by unauthorized personnel. User provisioning is also taken care of, security breaches avoided, and an audit trail established. An organization’s attractiveness to nurses and physicians would also increase due to simpler and more accessible IT solutions.

Computer-based systems and applications are part of the fabric of every hospital and in one form or another — from diagnostic cardiology to physician order entry — IT solutions have been used to assist with care delivery processes for more than 40 years. Who uses these systems, and for what purposes, has become as important an issue as who works in your hospital. The need to identify people so you know who they are and can control their access has grown beyond the analog world to include the digital one. Today, the need for hospital administrators to recognize, monitor, and control access in the digital world is as crucial to a hospital’s practices as knowing who holds the scalpel in the operating room. The wired world of healthcare continues to evolve as more systems are developed and deployed. Healthcare executives now need to view IT security and privacy with as much seriousness and intent as any clinical IT solutions.

About Robert Seliger
Robert Seliger is widely recognized as a visionary at the forefront of converging technical, market, and clinical trends in health care. His guidance and foresight have resulted in the creation of Sentillion, an identity and access management company providing solutions specifically for the health care industry. Presently chair of the HIMSS Steering Committee for Integration and Interoperability and co-chair of the Health Level Seven (HL7) CCOW Committee, Robert also served as the co-chair of the Andover Working Group. He received a master's degree from the Massachusetts Institute of Technology and a bachelor's degree from Cornell University.

YOUR FEEDBACK
Ellen wrote: We have been using generic accounts as long as I can remember. Life became more difficult when HIPAA required us to automatically lock systems. Systems were left locked and admins were constantly being called to unlock them. To get around the issue of shared accounts we have begun using a product called "Unlock Administrator" http://www.e-motional.com/ULAdmin.htm. Once the system is logged into using a generic username and password it is locked in the standard Windows fashion and the system is set to lock when the screensaver is activated as well. This program allows you to select which users are able to unlock the system using their own Windows domain credentials. A log of when the system is locked and when and by whom it is unlocked is kept in a protected file as well as a Windows Event. Users don't have read or write access to this file. This way we have complete knowledge...