Wednesday, June 6, 2012

The Summer of Compliance

I was recently asked at a conference - "What is your most significant concern right now?" I answered "As a clinician and informatics leader, I worry about delivering care in the healthcare reform world of global capitation - we need to increase the value (quality/cost) of the services we provide. However, as a CIO, it's the mounting regulatory and compliance pressures that keep me up at night. They will require a level of resources and focus that will reshape my plans for the next year or more."

The compliance work we're kicking off this Summer includes:

* An enhanced encryption program to ensure all personal laptops/tablets that access hospital systems are encrypted.
* An enhanced mobile/BYOD program that ensures all personal smartphones that access hospital systems are password protected, have timeouts, and are encrypted as technology permits.
* An enhanced learning management infrastructure so that every person in the BIDMC ecosystem can be held accountable for completing training requirements, including security and compliance topics. Creating this infrastructure requires a new level of identity management that captures roles and characteristics for employees, volunteers, board members, and contract workers.
* Enhanced Conflict of Interest reporting, including the management tools needed to follow up on any disclosed conflicts.
* A comprehensive audit of our security program and policies - where are we "standard practice" and where are we "best practice"? What gaps do we need to close?

Earlier this week I submitted my capital requests for FY13 and over one third of my budget is for security and compliance related projects.

I've dubbed June 21-Sept 21, 2012 as the "Summer of Compliance". My hope is that we'll enter the Fall with reduced risks and a technology foundation that not only meets our regulatory needs but also further ensures we respect the privacy preferences of our patients.

1 comment:

chale99 said...

Hi John,

As IT Director of a small clinic (~100 providers), I'm very interested in more details of your security compliance programs. I'm especially interested in methods to communicate the importance of system/network security and compliance to our management and BOD. It would be helpful to many of us who follow you if you could send a few tips/tricks/presentations that you have found helpful in the past.

Great job, and keep up the communications. I've shared your posts with many of our senior management team as examples of the priorities we need to attend to now and in the future.