HIMSS Privacy and Security Forum – Training and Focus
David Finn, Health IT Officer at Symantec
What do Catie the Lobby Dog and the HIMSS Privacy and Security Forum Have in Common?
Well, if you are like me, you were hoping that maybe December would slow down a bit and you could get caught up. I remember when it used to work like that – – not so much anymore. So, now that Christmas is over, I’m trying to catch up with the blog I was supposed to have done two weeks ago. I didn’t get that done because I was at the 1st HIMSS Privacy and Security Forum . . . and now that it is over, I can talk about it.
Which brings me to the title of this blog: “What do Catie the Lobby Dog and the HIMSS Privacy and Security Forum have in common?” Here’s a bit of a clue – – Catie is actually Catie Copley, Canine Ambassador (her title comes right from her business card) at the Fairmont Copley Plaza in Boston. And if you haven’t figured it out yet, that is where HIMSS had its first ever Privacy and Security Forum. Anyhow, it was a great conference with a broad range of nationally-recognized experts, government officials, and people working diligently in the trenches in healthcare privacy and security. It exceeded attendance expectations – – 250+ attendees, with representatives from as far as Alaska and Hawaii. Tremendous content and a great venue! And a lobby dog – – I’m sorry, Catie, a Canine Ambassador.
Aside from the hotel itself, Catie reminded me a lot about Privacy and Security and took me back to my first day as a Privacy and Security Officer at an Integrated Delivery System. No one knew me, and I decided to see how far I had to go in terms of training. I walked into multiple “restricted areas” (including an area where controlled substances were stored) but had a suit on and my badge turned around and was never even asked a question. Finally, as I moved pretty deep into lab operations someone challenged me – – I congratulated them and that only served to confuse them.
On one of the nursing floors, I was aided in logging into the clinical data repository by a very friendly nurse (this was 2001 – – we had ‘results’ on line but no inpatient EHR) despite the fact that I had no account: “You can just use mine! It’ll be faster.” I guess it didn’t matter that I was not a clinician, not authorized and had no need to look at patient data. The morgue had better physical access controls. And this is where Catie comes in. Catie greeted every visitor to that hotel and never divulged information about one guest to another. Nor did she tell any of her colleagues anything she might have learned about the guests – – unless they needed to know. She was efficient, endearing, did her job and enhanced the sense of security and ‘warmth’ at the hotel while clearly respecting the concept of minimum necessary and not letting people go where she didn’t think they belonged (everyone wanted to sit on her “couch”) or take anything they weren’t supposed to have (you could touch her toy lion, but don’t try to take it).
Oh, every once in a while one of the human staff had to remind Catie that she couldn’t do this or that, but Catie knew her job . . . as if someone had trained her. And that was one of the recurring themes of this conference: Privacy and Security is about People and it is about changing the culture. Catie gets it; I think we all in healthcare can, too. It will take training and focus and tools and prioritization. Mostly it will take making Privacy and Security part of everyone’s job – – from the CEO to the valet parkers – – so we can all keep reminding each other and then we’ll have a culture that protects data as if it were the patient themselves.