For healthcare providers, regulatory compliance for system and data access goes hand-in-hand with IT security. As we gear up for the HiMSS conference in April here at RES Software, I’m thinking a lot about these issues and how they fit in with this year’s HiMSS theme of Staying Ahead of the Curve.
One thing that comes to mind is that the conversation around compliance and security for healthcare providers typically centers on daily operations. Here, the priority is controlling access to electronic health records and patient health information. Given HIPAA regulations in the United States and similar laws or guidance in Europe and elsewhere, this is well and good – as far as it goes.
But one area outside of daily operations is often overlooked – and this is unfortunate because it’s an area that is increasingly common for healthcare providers and exposes a high degree of security vulnerability. Here, I’m talking about mergers and acquisitions (M&A).
Healthcare M&A Trends
M&A is back big-time for healthcare. Right here around Philadelphia, where yours truly is typing away, we have Abington Health and Jefferson Health Systems in the process of merging. Before that, Penn Medicine acquired Chester County Hospital and is now in the process of either merging with or acquiring Lancaster General. Just drive a little bit further up the road, and you come to Cooper University Health Care, which recently partnered with University of Texas MD Anderson Cancer Center in Houston to open a new cancer center in Camden, New Jersey. That one is not a merger/acquisition strictly speaking, but more on that in a moment.
These examples are just off the top of my head because they happen to be in my immediate neighborhood; but in the rest of the U.S., Europe, and elsewhere around the globe, consolidation is happening as well. Not too long ago, for example, Sweden-based EQT bought Terveystalo, Finland’s largest healthcare services company. In France last year, Médipôle Sud Santé and Médi-Partenaires merged to become one of the biggest private hospital players in the country. Moreover, in The Netherlands, it looks like Bronovo Hospital and Medical Center Haaglanden in The Hague are merging, along with the Foundation Rhineland Care Group in Leiderdorp and Diaconessenhuis Leiden.
What’s more, consolidation is not limited to the private sector. Take the NHS in England for example. Virtually the poster child for the western world’s public health systems, NHS has recently approved some mergers of its own. These include the Frimley Health NHS Foundation Trust (merging with Wexham Park Hospital in Slough and Heatherwood in Ascot) and King’s College Hospital NHS Foundation Trust (taking over Princess Royal University Hospital in Bromley, Orpington Hospital, and some clinical services at Queen Mary’s Hospital in Beckenham Beacon).
Call It What You Want
According to PWC, the third quarter of 2014 saw 169 M&A deals announced. Surprisingly, compared to the same period the year before, this represents a net decline of 1.3% in M&A activity. But, as PWC notes, this decline is likely due to a “surge in non-traditional M&A structures that are excluded from [its] analysis.” What are these structures, you ask? Partnerships, joint ventures, memorandums of understanding, joining a healthcare network, and similar arrangements like the one mentioned earlier between Cooper and MD Anderson.
So, call it what you like, but the point is this: healthcare providers are getting together in more ways than ever before – and when they do, compliance and security are major issues.
When healthcare organizations get together, one thing that almost always happens is that employees change roles, titles, status, facilities, etc. Some are transferred, some are promoted, and some leave.
Then there’s the inevitable system conversion. Should we transfer to your EHR system, should you transfer to ours, or do we need our clinicians to have access to both? Whatever decisions are made about employees and systems – one thing remains certain: there will be a lot of change to contend with; and that’s where issues with compliance processes and security vulnerabilities are likely to make themselves known.
Staying Ahead of the Curve
Let’s bring this back to my HiMSS theme. What does it mean to stay ahead of the curve in the context of compliance, security and M&A? It means adopting capabilities now to deal with the change that’s inevitably coming soon.
One of these capabilities is automated employee on- and off-boarding. A good way to accomplish this is to define roles up front according to established rules and then associate individual profiles with these roles to control system access. However, keep in mind that roles are not enough – in today’s digital world you need to think about context too. Does the clinician have a secure Wi-Fi connection? Is he or she on a mobile device?
With M&A activity it is even more critical to outline business logic around the context of the users, adding the ability to secure and adapt access to apps and data based on each clinician’s immediate situation. What about the provisioning and de-provisioning of software, for example; shouldn’t that be part of the on- and off-boarding process and traceable based on necessary approval cycles? When going through the chaos of a merger, acquisition, or joint venture, such capabilities can help IT maintain sanity and control.
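A sketch of the role-plus-context model described above, as an added example that is not RES Software's product or code. The role names, application names, and the managed_device flag are assumptions made for illustration; the secure Wi-Fi and mobile-device checks follow the questions raised in the text.

```python
from dataclasses import dataclass

# Roles defined up front; each maps to the applications it may use.
# All role and application names are constructed for this example.
ROLE_APPS = {
    "nurse": {"ehr_a"},
    "physician": {"ehr_a", "ehr_b", "eprescribe"},
    "billing": {"billing_suite"},
}
# Applications holding patient records get the context checks.
PHI_APPS = {"ehr_a", "ehr_b", "eprescribe"}

@dataclass(frozen=True)
class Context:
    secure_wifi: bool
    mobile_device: bool
    managed_device: bool = True  # assumption: device enrollment is known

def access_allowed(role, app, ctx):
    """The role must grant the app; context can still deny it."""
    if app not in ROLE_APPS.get(role, set()):
        return False, "role does not include app"
    if app in PHI_APPS:
        if not ctx.secure_wifi:
            return False, "untrusted network"
        if ctx.mobile_device and not ctx.managed_device:
            return False, "unmanaged mobile device"
    return True, "ok"

def plan_role_change(user, old_role, new_role, approver):
    """Return traceable provisioning steps for a transfer or departure.

    old_role=None is on-boarding; new_role=None is off-boarding.
    """
    if not approver:
        raise ValueError("role change requires a recorded approver")
    for r in (old_role, new_role):
        if r is not None and r not in ROLE_APPS:
            raise KeyError(f"undefined role: {r}")
    old = ROLE_APPS.get(old_role, set())
    new = ROLE_APPS.get(new_role, set())
    # Revoke first so a transfer never leaves stale access behind.
    steps = [("revoke", a) for a in sorted(old - new)]
    steps += [("grant", a) for a in sorted(new - old)]
    return [{"user": user, "action": act, "app": app, "approved_by": approver}
            for act, app in steps]
```

Each returned step carries the approver, so the provisioning log doubles as the audit trail for the approval cycle.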
There are other benefits as well. The changeover process is easier, so there’s less need to engage consultants – who tend to come out of the woodwork during a merger and sometimes never leave. You’ll have far fewer IT service desk tickets as well. This is good because there’s always more than enough for IT to deal with during a merger. Better to free up IT to focus on more, higher-value activities.
Talking healthcare is what I do. For more on the subject, check out the blog: For Healthcare System Security, Approach Matters. Next up: Facilitating Access at Teaching Hospitals Where Employee Turnover is Extremely High.