Kaiser’s Novel Approach to Security

Good people, good employees–anyone–can be powerfully tempted at times to take an unauthorized peek at patient records, says Eric Liederman, M.D., director of medical informatics at Kaiser Permanente’s Northern California division.

That's one reason why the division has developed what on the surface may be a quirky policy for protecting patient privacy and minimizing data breaches. But the policy is designed to make folks think twice before snooping in the file of a co-worker, neighbor or celebrity. "The goal here is to deter people, remind people and let them keep their jobs," Liederman said during the Physicians Symposium at the HIMSS 2010 Conference & Exhibition in Atlanta.

The industry is facing an increasing risk of privacy violations with growing lists of fired employees, prosecutions and bad press for unauthorized snooping and other breaches of protected health information. Along with the new breach notification rules and state attorneys general being given jurisdiction to enforce privacy rules, "this will only be ramped up more and more in coming years," Liederman contended.

California, for instance, has a new agency with the sole interest of finding people who violate privacy. "People can lose their license over this, so the stakes are much higher than just a year or two ago," he added. Further, state attorneys general are usually looking at higher office and protecting consumer privacy "is a great way to get some good press."

Under the HIPAA privacy and security rules, covered entities must regularly review and update policies and procedures as appropriate.

The common approach is to restrict access to patient data by assigning roles to users and allowing role-based access. But this can hamper appropriate exchange of health information and raises the risk of patient harm, particularly in the case of sick patients quickly getting sicker, Liederman said.

Kaiser took another route: it makes everyone accountable by giving everyone access to everything, but it records all views, investigates all complaints, uses surveillance to find "silent offenders," sanctions the guilty and publicizes the sanctions. "You don't have to publicize the names but put out the word that coworkers--real people--no longer work here because they violated privacy," Liederman explained.

The accountability approach deters temptation-driven mistakes and keeps good employees on the job, removes barriers to people doing their jobs, and avoids proliferation of security profiles and roles, he added. This reduces confusion while increasing consistency, and protects key privacy targets--physicians, co-workers, neighbors and celebrities/VIPs.

And the way to maintain law and order in an open environment is to police, police, and police with information technology surveillance tools.

Look for unexpected "pairs," such as pediatrics staff looking up the records of adults, or OB/GYN staff looking up males. Use a data feed from human resources systems to learn whether a patient and the user who accessed the patient's record are neighbors.

To combat the "I didn't do it" defense of suspected offenders, look at what records were accessed before and after the breach being investigated. An employee may insist someone else used his unclosed computer session after he walked away, but that argument falls flat if the employee appropriately accessed other data right before the suspected breach and 30 seconds afterward.
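The three surveillance checks just described (unexpected department/patient pairs, an HR address feed to spot neighbors, and the before-and-after activity that undercuts the "someone used my open session" defense), as an added example run over constructed audit records. This is not Kaiser's code; the record layout, field names, address matching and age threshold are assumptions.

```python
from collections import namedtuple

# One audit-log record joined with patient demographics (constructed layout).
Access = namedtuple("Access", "ts user dept patient_id patient_age patient_sex")

# Constructed sample records: ts is seconds since some epoch.
LOG = [
    Access(1000, "pnurse1", "pediatrics", "P1", 7, "F"),
    Access(1030, "pnurse1", "pediatrics", "P2", 45, "M"),  # pediatrics staff, adult patient
    Access(1100, "obgyn2", "obgyn", "P3", 31, "F"),
    Access(1130, "obgyn2", "obgyn", "P4", 52, "M"),        # OB/GYN staff, male patient
    Access(2000, "clerk3", "admissions", "P5", 60, "F"),
    Access(2020, "clerk3", "admissions", "P6", 33, "M"),   # view under investigation
    Access(2050, "clerk3", "admissions", "P7", 29, "F"),
]

# "Unexpected pair" rules: department -> predicate flagging a patient outside
# that department's normal population. Hypothetical thresholds.
UNEXPECTED = {
    "pediatrics": lambda a: a.patient_age >= 18,
    "obgyn": lambda a: a.patient_sex == "M",
}

def unexpected_pairs(log):
    """(user, patient) for each access that violates its department's rule."""
    return [(a.user, a.patient_id) for a in log
            if a.dept in UNEXPECTED and UNEXPECTED[a.dept](a)]

# Constructed HR feed and registration data: who lives where.
HR_ADDRESS = {"clerk3": "12 Oak St"}
PATIENT_ADDRESS = {"P5": "9 Elm Ave", "P6": "14 Oak St"}

def street(addr):
    """Crude 'same street' key: drop the house number (assumption, not a real geocoder)."""
    return addr.split(" ", 1)[1]

def neighbor_accesses(log, hr, reg):
    """(user, patient) where the user lives on the same street as the patient viewed."""
    return [(a.user, a.patient_id) for a in log
            if a.user in hr and a.patient_id in reg
            and street(hr[a.user]) == street(reg[a.patient_id])]

def session_continuity(log, user, ts, window=60):
    """True if `user` made other accesses both shortly before and shortly after
    the suspect view at `ts`; that undercuts the 'someone used my open session'
    defense because the real user was demonstrably at the keyboard."""
    near = [a.ts for a in log if a.user == user and a.ts != ts and abs(a.ts - ts) <= window]
    return any(t < ts for t in near) and any(t > ts for t in near)
```

In practice the patient attributes come from a join between the EHR audit log and the registration system, and the HR feed supplies the user addresses; the lists above stand in for both.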

To combat the "No one told me" defense, put the policy that data is to be accessed for business purposes only at the bottom of each login screen, Liederman advised.

Kaiser Permanente of Northern California also has simplified its password policy. Passwords must be at least eight characters long and contain at least one letter or number, and they do not expire. This eliminates the posting of passwords around the facility and actually reduces risk, Liederman said.

Joseph Goedert