When I began my career in the early 1980s with IBM Corp., the first order of business was to get my user ID and password to the corporate mainframe. I didn't have it for long: Every 30 days, the password would expire and a new one was automatically provided to me. And it was never anything simple to remember. The passwords were usually something like "q8y2r9f5."
No one paid much attention to the security process and its demands on employees. It was standard operating procedure, and rightfully so: company secrets and private information were at stake.
Nearly two decades later, I'm sure not much is conceptually different at IBM with regard to security. However, a sampling of healthcare facilities across the nation most likely would reveal the opposite. Shared or generic user IDs and passwords for caregivers are fairly common. Providers make insufficient use of security tools and techniques to ensure frequent password changes and unique passwords. There's a general feeling that security is a hassle rather than a welcome requirement.
When I first entered the healthcare industry several years ago, I encountered many of the characteristics mentioned above and was astounded by the lack of security on mission-critical systems. While corporate secrets were not at stake for the most part, very private and sensitive patient information was.
The stewardship of those sensitive details finally is facing scrutiny as components of the Health Insurance Portability and Accountability Act of 1996 are enacted through regulation. HIPAA brings to healthcare concepts and practices that should have been in place years ago.
Many industry pundits have made outlandish claims about how much HIPAA compliance would cost. Worse yet, those promoting this kind of hype and sensationalism also have suggested in some cases that these efforts are in addition to what healthcare organizations already deal with today. At North Shore-Long Island Jewish Health System, we have taken the position that HIPAA compliance is part of everything we do, especially within information systems security. Many of the guidelines and standards set forth in the HIPAA regulations are processes and capabilities we are striving toward.
For this and other similar reasons discussed below, our budget for HIPAA this year is zero. As I enter the budgeting process for next year, I am confident that again, our HIPAA budget will be zero. But that just means that our HIPAA efforts are inseparable from other initiatives. During this year and next, I anticipate substantial inroads on security issues associated with HIPAA compliance.
For example, although many of our applications will need to be upgraded in line with HIPAA requirements, application upgrades generally need to be performed every 18 to 24 months anyway. That is yet another concept not well adhered to in healthcare. Looking back on my years in industry, applications that were four or five releases behind were an exception, not the norm. In healthcare, although significant investments are made in implementation of new applications, facilities never seem to have the same commitment to maintaining this investment through regular upgrades. Granted, healthcare is more financially challenged than other industries. But the cost of neglected applications is much higher over the long term compared with staying current in the short term.
Many of the specifics in HIPAA regulations regarding information systems security already are prerequisites for some of our most strategic IT projects. For example, North Shore-Long Island Jewish will be launching a physician portal later this year that will provide Internet-based access to physicians so they can view their patients' data from wherever they are. Naturally, the security required for this implementation is significant, and it is driven by the need to protect this information rather than by the regulation itself. If this information is improperly secured, the potential for the loss of patient and physician privacy far outweighs "noncompliance."
The implementation of the new HIPAA guidelines actually comes at the best possible time. For many organizations, the efforts associated with Y2K helped get many users on the most current release levels of their applications. HIPAA now will help continue this concept of remaining current. Secondly, many other healthcare providers are now beginning to use the Internet to connect physicians and patients to the organizations. Much like the philosophy we have embarked on at North Shore-Long Island Jewish, I'm sure others will secure these systems with policies and procedures even more stringent than what HIPAA requires.
We recently completed a thorough HIPAA assessment. The project was a success in that it helped raise everyone's awareness of these new regulations, and it also highlighted areas where we need to focus improvement efforts. One thing that's clear is that HIPAA is not about information technology like Y2K was. Although HIPAA involves various IT components, much of an organization's ability to achieve compliance will be based on process changes and an overall culture change. It goes without saying that access to information in certain situations is more critical in healthcare than in other industries, but that alone is not a reason to sacrifice information security.
The tools and systems that can meet our unique information security needs are out there. We simply need a culture change and a rededication to process improvement to implement them. Healthcare organizations will realize that HIPAA is an opportunity to demonstrate that their information technology environments can be comparable to those found in Fortune 500 companies, and that doing so can increase respect from their constituents.
Patrick Carney is chief information officer of North Shore-Long Island Jewish Health System, Great Neck, N.Y., which includes 17 hospitals and 85 other facilities.