HIPAA Security Rule - Availability

My Patients Don't Tell Me When They Are Sick

We get to talk to a lot of CIOs and CISOs due to the work we are doing and through the support of our investors - Polaris Partners and Flare Capital Partners. Often the stories we hear are similar across meetings. But sometimes, a particular CIO will nail an anecdote that sticks with us. "My patients don't tell me when they are sick" is one of those anecdotes.

The "my patients don't tell me..." anecdote surfaced at our most recent CIO dinner. The guests were lamenting the challenges of keeping workstations throughout their clinics up and 100% available. Frequently, doctors would approach the CIO baffled that the CIO or someone on their team didn't realize a particular workstation wasn't working or was missing a device. The CIO summed it up perfectly when he said that unlike a doctor's patients, his "patients" (workstations) don't tell him when they are not working or missing mice or monitors or attached medical devices.

Solving this fundamental issue of detecting workstation availability issues is essential to maintaining the availability of PHI. The HIPAA Security Rule calls for the confidentiality, availability, and integrity of protected health information. The confidentiality aspect of PHI gets significant press every time there is a breach. Availability also gets airtime as a problem, but only when it deals specifically with ransomware attacks. The reality is that a lot of the day-to-day operational issues that impact the help desk, and hence clinician satisfaction with IT, tend to involve system performance or "simple" items like a workstation missing a mouse or a printer.

The challenge with these issues is that workstations can't accurately report when they are "sick" or missing a key device like a mouse, keyboard, monitor, or an attached medical device. So unlike the doctor who is informed by their patients of illness, CIOs are generally forced to rely on third parties like the clinicians themselves to report issues. In many cases, IT does rounds to track down equipment that is not operating.

Even issues reported to the help desk are challenging to track down. Calls to the help desk reporting "the systems seem slow today" are especially tough to diagnose. First, clinicians move throughout the hospital, logging into and using different workstations. When diagnosing a problem, is it one workstation, one department, one application, or one user across all these systems causing the problem?

Understanding PHI availability issues is one area that Tausight is working to solve. The data to diagnose many of these problems will be visible as we blueprint the underlying systems. Blueprinting is the first step in our capabilities roadmap and will be part of the first commercial release. Combining the underlying system blueprint with PHI location information and behavioral information then starts to create a potent application for CIOs to maintain PHI security. With Tausight, CIOs will know when their patients are getting sick even before the symptoms occur. That is a genuinely proactive approach to PHI security.