Employee Monitoring Ensures HIPAA Compliance
By Isaac Kohen
The ongoing pandemic has pushed medical facilities and staff to the brink, taxing resources, exhausting employees, and disrupting decades of norms and protocols. It also has accelerated technological trends that were quickly becoming popular, namely the centrality of technology and data in patient care.
Today, many medical practices are digital-first operations, embracing telehealth and remote work at far greater levels than before the pandemic.
Federal funding, relaxed restrictions, and patient demands surged telehealth service implementation, which increased in use by more than 150% at particular periods during the pandemic. Similarly, a patient survey found that 42% of respondents used telehealth services since the pandemic's onset, and their experiences were overwhelmingly positive.
At the same time, the pandemic prompted many health care providers to embrace remote work for the first time, following general business trends that saw a significant uptick in the number of people working offsite. In 2021, one-quarter of Americans will work remotely, including many from the health care sector, expanding the workforce beyond four walls.
Collectively, the benefits are multifaceted, including expanded health care access for rural or homebound patients, better access to a skilled workforce for health care providers, and greater flexibility for everyone. It also poses significant challenges, especially for HIT departments tasked with ensuring regulatory compliance for increasingly distributed operations. As Richard Tarpey, PhD, an assistant professor in the Jones College of Business at Middle Tennessee State University, explains, “Compliance is not flexible based on the location of the workforce. It is absolutely reasonable to expect the same level of security for remote workers as is in place for employees on company property.”
In this environment, IT leaders need to understand the compliance risks in a digital health care environment while implementing effective solutions that harness telehealth and remote-work opportunities without compromise.
Know the Risks
Even before the pandemic radically reoriented the health care sector, cybersecurity and regulatory compliance were top concerns for providers. Already spending billions annually on regulatory compliance–related requirements, providers are finding the shift to telehealth and remote work creates new opportunities for failure.
Specifically, while cybersecurity and regulatory compliance concerns often conjure images of nefarious bad actors looking to capitalize on the chaos surrounding the COVID-19 pandemic, regulatory compliance is often, in reality, an internal shortcoming, not just an external threat.
In other words, although cyberattacks increased significantly during the pandemic, impacting health care organizations at twice the rate of other sectors, in many ways, these vulnerabilities are the symptom of another problem: accidental and malicious insider threats undermining cybersecurity standards and compromising patient data.
According to Gartner, the most common cause of protected health information (PHI) breaches is people not following proper procedures when accessing or sharing patient data. And, more health care PHI breaches are caused by insiders than hackers, according to a Verizon report. For instance, HIPAA violations can occur when employees fail to protect their account credentials, accidentally stumble upon restricted information, or access patient data on personal devices.
In a digital-first environment where teams are distributed and employees are isolated, these risks are amplified. For example, remote workers are less likely to accurately identify phishing e-mails, and they are more likely to use personal technology for work-related tasks. When coupled with the potential for unsecured internet connections, multifaceted personal responsibilities, and other at home-related vulnerabilities, preventing a HIPAA violation is no small ask.
Of course, some employees are just malicious—emboldened and empowered when working off-site, they will misuse patient data to the detriment of all parties.
To address these problems in today’s hybrid environment while preparing for increasingly digital and data-driven health care initiatives, providers should look to employee monitoring, a software solution that can help providers maintain regulatory compliance in a shifting landscape.
Monitor Employees to Support Regulatory Compliance
Health care providers have no shortage of monitoring software options. This increasingly capable software is becoming ubiquitous in many professional environments because of its ability to address cybersecurity, productivity, and regulatory concerns in a hybrid work environment. For health care providers, this software can support their compliance efforts in the following ways.
Identity and Access Control
Health care providers are striving to strike a delicate balance between data accessibility and patient privacy. On the one hand, patient data are increasingly used to identify and implement care options, making them one of the industry’s most valuable resources. On the other hand, this information needs to be accessible on a need-to-know basis, limiting its exposure to treatment providers with data authorization rights.
In this way, employee monitoring does more than just provide oversight. It establishes and maintains data access controls, ensuring that the right people have the right information at the right time for the right reason.
Employee work schedules were distributed throughout the day during the pandemic, forcing companies to recalibrate their workday approach. Employee monitoring software analyzes this behavior, differentiating between employees working in the evening and those accessing patient data for the wrong purposes.
Privacy-friendly employee monitoring software will automatically identify personally identifiable information (PII) and PHI while analyzing behavior-based activity for content security violations. What’s more, it can warn IT administrators of this behavior or automatically block the employee from accessing this potentially dangerous information.
Data Loss Prevention
When software actively identifies PII and PHI, it can protect this information by preventing data exfiltration, actively stopping a potential compliance violation before it begins. Whether an employee is about to e-mail patient data to a personal account or download medical records to distribute online, endpoint data loss prevention is a powerful tool to prevent data loss and compliance violations.
Many compliance violations involve e-mail compromise, phishing scams, and other maneuvers that are powerless unless employees engage. Similarly, many workers may not have regulatory compliance top-of-mind during their day-to-day operations, creating opportunities for compliance failure. Health care providers can reduce these risks through regular training, feedback, and follow-up, effectively turning a potential vulnerability into a defensive asset.
Audit and Forensic Data
If a compliance incident does occur, health care providers need the capacity to immediately identify the source of the breach and conduct an audit of forensic data. Not only does this provide extensive organizational accountability for compliance best practices, but it also allows health care providers to be dynamic institutions, always evaluating their digital landscape to optimize ongoing cybersecurity and compliance initiatives.
In the months and years ahead, health care providers will make many critical decisions about the means and methods by which they tackle the industry’s digital-first direction. However, patient privacy and, by extension, regulatory compliance can’t be compromised in the process. Instead, highly effective providers will identify a plan to detect potential problems, respond with appropriate actions, and report on record-keeping requirements of privacy offers, auditors, and other compliance professionals.
Those who execute on these priorities are positioned to improve patient care, empower a hybrid workforce, and ensure regulatory compliance at every step. For those who decline to meet this moment, the regulatory fines and opportunity cost will hinder every other part of their operations. The cost of failure is steep, but the opportunities are abundant. Let’s start preparing now.
— Isaac Kohen is vice president of research and development at Teramind, a global provider of employee monitoring, data loss prevention, and workplace productivity solutions. They are on Twitter @teramindco.