Digital Access in Hospitals: Keeping CIOs and CISOs Awake
For those faithful readers who have come to expect an article posting every other Wednesday, my apologies in advance. I’ve been in Europe on vacation, and am now back to the grindstone!
Recently, I read an interesting article about how the role of CIO in healthcare is expanding into much more complex responsibilities involving hospital operations, not just minding the technical side of things. It got me thinking about the role of CISO, too, and how it’s not just about responding to a breach anymore. The profound impact of digital access in hospitals is making itself known across the enterprise. Those in charge of the digital bottom line must also pay attention to operations and behaviors connected to it that pose major risk to the organization they lead.
Allow me to break this down into practical terms using a common example:
Let’s say a nurse is on temporary assignment at a hospital, also known as a “travel nurse,” or “traveler.” A travel nurse is a nurse who is hired to work in a specific location for a limited amount of time. Travel nurses typically work 13-week periods in one area, and move around the country depending on where they are needed. Among other credentials, they are given digital access via a photo ID card to the hospital and to the patient unit(s) where they are assigned to work; the patient care units can be multiple, depending on staffing needs, experience and contract terms. Below are the usual digital access points involved:
1. Digital Photo ID badge access to the hospital facility, controlled areas and patient care unit(s). Depending on local configuration, the traveler may have digital access to most or all patient units, not just the ones in which they are assigned to work.
2. Digital fingerprint access to Pyxis (patient medication dispensing machine) or a similar device, containing major controlled substances. Amounts vary; most narcotics tend to be housed in surgical and oncology wards, as well as Emergency Departments and Recovery Room areas. If the travel nurse is assigned to “float” to several units, he/she will have access to numerous Pyxis machines across the hospital, and perhaps multiple hospitals, depending on the contract agreement.
3. FYI: for nurses working in the Operating Room, there is also physical proximity to (often unlocked) medication carts used by Anesthesiology that contain major narcotics.
4. Sign-on access to the EHR system containing sensitive PHI. Depending on local configurations, a travel nurse may have access to all hospital patient data, not just that of the unit(s) they are assigned to.
These access points are generally monitored well until the nurse either completes the contract or departs early. Early departure occurs more often than you’d think: the hospital’s staffing needs have unexpectedly changed or, more concerning, the nurse is discharged for disciplinary reasons. In all departures, early or not, it typically falls on the unit manager to notify HR, who then communicates to the various IT departments in order for access to be revoked. In my experience with most hospitals, this is where the major breakdown occurs. Emails are sent to HR by the unit manager, and are often missed in the ever-growing pile of inbox messages. Even if HR forwards these notifications immediately to IT, those teams are often overwhelmed with other concerns and tend to place the access requests in a pile to handle as a batch item. The average time I have calculated in several hospitals between departure and access termination is approximately 8 to 9 days.
Now, I’m not here to disrespect travel nurses; I’ve been one myself in the past. However, due to the transitory nature of the job, it certainly adds to overall organizational risk if access to very sensitive information and substances is not revoked swiftly upon departure. It only takes a few unscrupulous travelers to wreak major operational and digital havoc if they know that the hospital has a weak link when it comes to terminating their digital access to PHI and narcotics. This risk tends to hold especially true in major urban areas, where large numbers of travel nurses flow in and out of multiple units on a regular basis to alleviate persistent nursing shortages. Word travels quickly among drug-seeking nurses as to which hospitals have this problem, and they can be in another city or state very quickly, essentially out of reach.
So what are CIOs and CISOs to do about this? It seems on the surface that this responsibility lies squarely on the unit managers and HR to communicate in a timely manner. True, in part. However, the IT departments in charge of multiple access points are often siloed themselves. For example, the digital access to Pyxis is typically handled by the IT folks in Pharmacy, the ID badge access to the hospital and patient care unit is handled by a facility-based IT team, and the EHR access by yet another IT team working in a different location. This makes total sense from a technical perspective, but from an operational one it is nothing short of a nightmare.
Smart CIOs and CISOs are coming to realize that they need a packaged, automated approach to all employee digital access points, whether the employee is on permanent status or on temporary contract. In a packaged scenario, one urgent, prioritized message automatically alerts every team concerned, carrying the individualized digital access footprint of the exiting traveler/employee, a mandated timeframe for completion, and appropriate penalties for delayed responses. This will require departmental buy-in, education and regular follow-up to ensure successful results, but it is well worth the effort in mitigating risk. If you would like to hear more about this approach and how it can significantly improve your organization’s process, please contact me at: firstname.lastname@example.org.
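To make the packaged approach concrete, here is an added example (my own illustration, not code from the article or any hospital system) that fans one departure notice out into a dated revocation task per access system, then checks a merged event log for two things a CISO would want flagged: revocations that missed the mandated timeframe, and any use of the departed nurse's credential after the departure date. The nurse id, timestamps, system names and the 24-hour target are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data for one departing travel nurse (hypothetical id "T-4471").
# Timestamps, system names and the 24h target are assumptions, not from the article.
DEPARTURE = {"user": "T-4471", "departed": datetime(2024, 3, 1, 17, 0)}
ACCESS_SYSTEMS = ("badge", "pyxis", "ehr")   # photo ID badge, medication cabinet, EHR sign-on
SLA = timedelta(hours=24)                     # assumed mandated timeframe for revocation

# Constructed event log merged from the three access systems: (timestamp, system, user, action)
EVENTS = [
    (datetime(2024, 3, 2, 9, 30),  "ehr",   "T-4471", "revoked"),
    (datetime(2024, 3, 3, 22, 15), "badge", "T-4471", "use"),      # door swipe after departure
    (datetime(2024, 3, 4, 1, 5),   "pyxis", "T-4471", "use"),      # cabinet access after departure
    (datetime(2024, 3, 10, 11, 0), "badge", "T-4471", "revoked"),
    (datetime(2024, 3, 10, 11, 0), "pyxis", "T-4471", "revoked"),
]


def fan_out(departure, systems=ACCESS_SYSTEMS, sla=SLA):
    """One departure notice becomes one revocation task per access system, each with a due time."""
    return {s: {"user": departure["user"], "due": departure["departed"] + sla} for s in systems}


def revocation_status(departure, events, systems=ACCESS_SYSTEMS, sla=SLA):
    """Per system: hours from departure to first revocation (None if never revoked), whether the
    timeframe was missed, and how often the departed user's credential was used after departure."""
    user, left = departure["user"], departure["departed"]
    report = {}
    for system in systems:
        own = [(ts, a) for ts, s, u, a in events if s == system and u == user]
        revoked = [ts for ts, a in own if a == "revoked"]
        lag = (min(revoked) - left) if revoked else None
        report[system] = {
            "lag_hours": None if lag is None else lag.total_seconds() / 3600,
            "overdue": lag is None or lag > sla,
            "uses_after_departure": sum(1 for ts, a in own if a == "use" and ts > left),
        }
    return report


def escalations(report):
    """Systems that missed the deadline or saw credential use after departure: the ones the
    prioritized follow-up message should name."""
    return sorted(s for s, r in report.items() if r["overdue"] or r["uses_after_departure"])


if __name__ == "__main__":
    for system, task in fan_out(DEPARTURE).items():
        print(f"task -> {system}: revoke {task['user']} by {task['due']}")
    status = revocation_status(DEPARTURE, EVENTS)
    for system, r in status.items():
        print(system, r)
    print("escalate:", escalations(status))
```

In the constructed sample the EHR team revoked within the day, while badge and Pyxis access lingered for just under nine days and were both used in the meantime, which is exactly the gap the single prioritized message is meant to close.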