Rapid digitalization has made healthcare easier for patients, service providers and intermediaries. However, it has also introduced many vulnerabilities, such as the risk of exposure of sensitive data unless deliberate precautions are taken. While we do many things digitally and remotely, ensuring the privacy of sensitive data and secured access to specific transactions is of utmost importance.
The complete scope of Privacy Case Management in the healthcare industry covers: round-the-clock identity governance of Electronic Health Records (EHRs); monitoring for suspicious privacy access activity; real-time reporting and logging of privacy incidents through automation-driven multi-channel hotlines; assessment of the privacy Governance, Risk and Compliance (GRC) mechanism; privacy incident resolution and closure within a defined SLA (Service Level Agreement) timeline; assessment of risk exposure (in $ terms); the level of risk mitigation compliance; and the insurance required against non-compliance.
Healthcare privacy case management needs to be treated, with topmost priority, as a series of intertwined actions, executed in sequence, that result in a Healthcare Privacy Index (HPI) for the organization along with a Privacy Risk Score (PRS). HPI and PRS definitions are explained towards the end of this white paper.
Here is a guideline for putting a structured, real-time privacy management solution framework in place. A data-driven, intelligent-automation solution gives the best result for this framework.
Identify the Applications holding EHRs
The first step in setting up a comprehensive privacy case management solution is to identify the applications, both web and mobile, that hold patients' Electronic Health Records (EHRs). Very often these are either the applications that store the records or the applications that access those records at run time. This exercise requires an understanding of the business use cases to arrive at the list of EHR applications.
Establish Identity Governance
A governance and control mechanism around Identity and Access Management (IAM) or Privileged Access Management (PAM) for the identified applications must be put in place. A checklist-driven, automation-enabled review of regular users, one-time users and exceptional users against the organization's active, authorized user list throws up many surprises that are easy to control and mitigate, reducing the privacy risk exposure.
Ensure 24×7 Identity Access Monitoring Intelligently
Access monitoring takes on the role of Digital Caretaker of your landscape. It must run on a 24x7x365 basis and monitor all access to the identified applications, whether human access or API (Application Programming Interface) based access. An intelligent access monitoring mechanism also defines the various types of suspicious activity, which are compared on a continuous basis against the authorized PAM/IAM access for anomaly detection. Deviations are raised as alerts for privacy violation cases, either as potential violation threats or as privacy violation incidents.
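The two controls above (reviewing application accounts against the authorized user list, and screening every access event against the PAM/IAM entitlements) can be driven from one authoritative list. The following script is an added example, not code from the white paper or from iFIX tech Global; the user list, the account snapshots, the log format and the business-hours window are all constructed assumptions chosen to illustrate the checks.

```python
"""Added example (not from the white paper): reconcile application accounts
against the organization's authorized user list and screen access events
for deviations. All names, user lists and log lines are constructed."""
from datetime import datetime

# Constructed authoritative list: identity -> type, entitled applications,
# and an expiry date for one-time users (None for standing access).
AUTHORIZED = {
    "alice":       {"type": "regular",  "apps": {"ehr-portal", "lab-results"}, "expires": None},
    "bob":         {"type": "regular",  "apps": {"ehr-portal"},                "expires": None},
    "contract-07": {"type": "one-time", "apps": {"lab-results"},               "expires": "2024-03-31"},
    "svc-billing": {"type": "api",      "apps": {"ehr-portal"},                "expires": None},
}

# Constructed snapshot of the accounts actually present in each EHR application.
APP_ACCOUNTS = {
    "ehr-portal":  {"alice", "bob", "svc-billing", "oldadmin"},
    "lab-results": {"alice", "contract-07", "bob"},
}

# Constructed access log; one space-separated key=value event per line.
ACCESS_LOG = """\
2024-04-02T09:15:00 user=alice app=ehr-portal action=read record=P1042 channel=ui
2024-04-02T02:40:00 user=bob app=ehr-portal action=read record=P2210 channel=ui
2024-04-02T10:05:00 user=bob app=lab-results action=read record=P1042 channel=ui
2024-04-02T10:06:00 user=svc-billing app=ehr-portal action=read record=P3001 channel=api
2024-04-02T11:30:00 user=mallory app=ehr-portal action=export record=P1042 channel=ui
"""


def reconcile_accounts(app_accounts, authorized, today):
    """Identity governance review: every account in an application must map to
    an authorized identity entitled to that application and not past expiry.
    Returns (application, account, finding) tuples; dates are ISO strings."""
    findings = []
    for app, accounts in app_accounts.items():
        for acct in sorted(accounts):
            entry = authorized.get(acct)
            if entry is None:
                findings.append((app, acct, "orphan: not in authorized list"))
            elif app not in entry["apps"]:
                findings.append((app, acct, "excess: not entitled to this application"))
            elif entry["expires"] and entry["expires"] < today:
                findings.append((app, acct, "expired: one-time access past expiry"))
    return findings


def parse_event(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def classify_event(event, authorized, business_hours=(7, 20)):
    """Compare one access event against entitlements. Returns
    ('incident', reason) for a clear violation, ('potential', reason) for a
    threat worth review, or (None, None) when the access is authorized."""
    entry = authorized.get(event["user"])
    if entry is None:
        return "incident", "unknown identity"
    if event["app"] not in entry["apps"]:
        return "incident", "access outside entitlement"
    if event["channel"] == "api" and entry["type"] != "api":
        return "incident", "API channel used by a non-API identity"
    if event["channel"] == "ui" and entry["type"] == "api":
        return "incident", "interactive use of an API identity"
    start, end = business_hours  # assumed window for human access
    if entry["type"] != "api" and not start <= event["ts"].hour < end:
        return "potential", "human access outside business hours"
    return None, None


def screen_log(log_text, authorized):
    """Run classify_event over a log and return (kind, user, app, reason) alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        kind, reason = classify_event(event, authorized)
        if kind:
            alerts.append((kind, event["user"], event["app"], reason))
    return alerts


if __name__ == "__main__":
    for finding in reconcile_accounts(APP_ACCOUNTS, AUTHORIZED, "2024-04-02"):
        print("REVIEW", *finding)
    for alert in screen_log(ACCESS_LOG, AUTHORIZED):
        print("ALERT", *alert)
```

The account review produces three findings (an orphan account, an account with an entitlement it should not have, and an expired one-time user), and the log screen raises one potential threat (after-hours access by an entitled user) and two incidents (access outside entitlement, and an identity that is not on the authorized list at all). In a production deployment the authorized list would be pulled from the IAM/PAM system rather than embedded in the script.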
Privacy Case Reporting Hotline
A hotline channel should be kept available for patients and other healthcare consumers to report violation cases or potential violation threats. A substantial number of violation cases occur due to negligence, so the intelligent monitoring system should ensure automated logging of all such cases; it is important to capture as many of them as possible. How many Privacy Case Reporting hotline channels to offer is a decision for the organization. However, our recommendation is to have at least the following:
- Integrated Access Monitoring System based
- Telephone based Integrated Voice Response (IVR)
- Email based
- Portal (Web and/or Mobile based)
Privacy Incident Resolution
Once a case is logged through the hotline, the Privacy Incident Resolution System provides exhaustive coverage: acknowledgement of the privacy case, risk assessment in terms of business impact (in $ terms), urgency, priority, risk profile, resolution, an agreed SLA (Service Level Agreement) for timely closure of the incident, the extent of mitigation and the residual risk level. The system needs a real-time notification and alert mechanism that reaches the concerned persons through various media (email, SMS, instant messenger, etc.) to limit further impact. It should auto-assign each case to the respective Privacy Incident Resolver Team. Again, automation technology works wonders here: responses and actions can be dispatched and executed through automation.
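The intake steps just described (acknowledge, rate impact and urgency, derive priority, attach an SLA, route to a resolver team, and escalate before the SLA is breached) are shown below as an added example that is not code from the white paper. The priority matrix, the $ thresholds for the impact bands, the SLA hours and the application-to-team routing are all assumptions; an organization would replace them with its own agreed values.

```python
"""Added example (not from the white paper): privacy incident intake with
priority derivation, SLA clock, auto-assignment and escalation check.
All thresholds, SLA targets and team names are assumed values."""
from datetime import datetime, timedelta

# Assumed priority matrix: (impact, urgency) -> priority.
PRIORITY = {
    ("high", "high"): "P1", ("high", "medium"): "P2", ("medium", "high"): "P2",
    ("high", "low"): "P3", ("medium", "medium"): "P3", ("low", "high"): "P3",
    ("medium", "low"): "P4", ("low", "medium"): "P4", ("low", "low"): "P4",
}
# Assumed SLA closure targets, in hours, per priority.
SLA_HOURS = {"P1": 4, "P2": 24, "P3": 72, "P4": 168}
# Assumed routing from affected application to resolver team.
RESOLVER_TEAM = {"ehr-portal": "ehr-privacy-team", "lab-results": "lab-privacy-team"}


def impact_level(exposure_usd):
    """Translate estimated $ exposure into an impact band (assumed thresholds)."""
    if exposure_usd >= 100_000:
        return "high"
    if exposure_usd >= 10_000:
        return "medium"
    return "low"


def open_incident(case_id, app, exposure_usd, urgency, reported_at):
    """Acknowledge a logged case: derive priority, SLA due time and owning team."""
    impact = impact_level(exposure_usd)
    priority = PRIORITY[(impact, urgency)]
    return {
        "id": case_id,
        "app": app,
        "impact": impact,
        "urgency": urgency,
        "priority": priority,
        "team": RESOLVER_TEAM.get(app, "privacy-office"),  # default owner when unmapped
        "reported_at": reported_at,
        "due_at": reported_at + timedelta(hours=SLA_HOURS[priority]),
        "status": "acknowledged",
    }


def sla_state(incident, now, warn_fraction=0.75):
    """Return 'closed', 'breached', 'escalate' (past warn_fraction of the SLA
    window) or 'on-track'; the notification layer keys off this value."""
    if incident["status"] == "closed":
        return "closed"
    if now > incident["due_at"]:
        return "breached"
    window = incident["due_at"] - incident["reported_at"]
    elapsed = now - incident["reported_at"]
    if elapsed >= window * warn_fraction:
        return "escalate"
    return "on-track"


if __name__ == "__main__":
    # Constructed case: a high-exposure, urgent event on the EHR portal.
    case = open_incident("PC-0001", "ehr-portal", 250_000, "high",
                         datetime(2024, 4, 2, 9, 0))
    print(case["priority"], case["team"], case["due_at"].isoformat())
    for t in (datetime(2024, 4, 2, 9, 30), datetime(2024, 4, 2, 12, 10),
              datetime(2024, 4, 2, 13, 1)):
        print(t.time(), sla_state(case, t))
```

For the constructed case the incident lands as P1 with a four-hour SLA, is routed to the EHR resolver team, and moves from on-track to escalate once three quarters of the window has elapsed, then to breached after the due time, which is where the SMS or instant-messenger alert to management would fire.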
Assess Privacy GRC
Assessing privacy-related Governance, Risk and Compliance (GRC) is critical to ensure proper functioning of the overall Privacy Case Management System. Through this process we monitor and measure the various Governance, Risk and Compliance metrics to establish a comprehensive GRC program for the organization. This program gives management confidence through an accurate measure of the financial risk and the associated insurance programs.
Comprehensive GRC Program
- Privacy Data Source
- Intelligent Access Monitoring KPI
- Segregation of Duty (SoD) KPI
- Privacy Incidents KPI
- Risk Profile
- Risk Exposure
- Risk Impact
- Acceptable Vs Non-Acceptable Risk
- Residual Risk
- MoD (Mitigation of Duty) Action Plan
- MoD Closure Status
- Privacy Audit Plan
- Privacy Audit Closure
- Industry Compliance
Financial Risk | Privacy Risk Insurance Program
Assessment of Unmitigated/Residual Risk
It may not be possible to completely mitigate a certain level of risk even if an exhaustive mitigation plan is defined. This may be due to the nature of the organization's structure, the ways of operating within certain departments, and the availability of human resources to carry out certain functions. We term this Residual Risk.
It differs from Acceptable Risk: for Residual Risk a mitigation action plan exists (i.e., attempts have been made to remove it), whereas Acceptable Risk has no mitigation plan.
Healthcare Privacy Index (HPI)
The HPI measures how effective the privacy protection measures are. The index varies between 0 and 1, where 0 indicates the lowest and 1 the highest level of privacy. The desirable outcome is a value close to 1.
Privacy Risk Score (PRS)
PRS indicates the risk appetite of an organization. It is generally expressed as a percentage. The desirable outcome is a value close to 0%.
Privacy analytics covers the various real-time analytics needs of the Healthcare Privacy Risk Management System to facilitate decision making. It includes reporting and analytics such as a Responsive Incident KPI Dashboard, a Responsive Risk KPI Dashboard, privacy monitoring reports, comprehensive risk management reports, audit compliance reports, etc.
Healthcare Privacy Case Management - A Comprehensive Solution Framework:
The following framework covers the complete needs of Privacy Case Management in the context of the healthcare industry.
Subrata is a Co-Founder and Chief Operating Officer (COO) at iFIX tech Global (www.ifixtechglobal.com). He is a continuous technology explorer and focuses on building niche technology products and solutions that provide a competitive edge. Find more about Subrata at https://www.linkedin.com/in/subrata-ifixtechglobal/. He is reachable at Subrata@ifixtechglobal.com