

The following article appeared in the May 2005 issue of Secure Enterprise magazine:

Secure Enterprise - May 2005

The PAYOFF

by TED KEMP

Hospital Slashes Employee Downtime

When Mobridge Regional invested in a PC-monitoring tool to help comply with HIPAA, its ROI included a significant productivity boost.

Like so many medical facilities, Mobridge Regional Hospital in Mobridge, S.D., has faced an uphill battle complying with the Health Insurance Portability and Accountability Act. What sets this hospital apart, however, is that it found an unexpected way to turn a $2,500 security investment into savings that will hit a projected $180,000 this year alone.

Mobridge Regional has as many HIPAA-related concerns as major hospitals. Located in a town of 3,800, it is the only hospital within 100 miles. Of the facility’s 130 employees, 50 have PC workstations. It is this group of workers, and its handling of PHI (protected health information), that HIPAA requires Mobridge Regional to monitor.

“To put it in a nutshell, medical record information needs to be distributed to people who need to see it,” says Eric Skillingstad, Mobridge Regional’s IT director and HIPAA security officer. “But you must have on your IT systems the ways and means of preventing people who shouldn’t see that information from viewing it.”

Any health information that identifies an individual is considered PHI, says Barry Runyon, a research director at Gartner. The HIPAA security rule requires health-care entities to deploy technical mechanisms for protecting PHI in electronic form. Lab reports and other PHI often swirl throughout hospital networks, particularly through e-mail, to a greater degree than people realize.

“A lot of people don’t know they’re sending out PHI,” Runyon says. “For instance, they send it to state agencies or local attorneys. They could send it to community doctors or clinics. There are any number of places where you could send PHI and not know it.”

Mobridge Regional had to develop acceptable-use policies for the Internet and e-mail—and make the policies enforceable. Skillingstad turned to technology from SpectorSoft that lets a central administrator record and monitor what workers are doing on their computers. He tested the software on six employees’ PCs late last year.


Within a week, Skillingstad realized the software would have benefits beyond enforcing acceptable-use policies and auditing for HIPAA compliance: It could save Mobridge Regional hundreds of labor hours employees were wasting on activities unrelated to their jobs.

During two days of clandestine monitoring, one worker was caught spending a total of seven hours on personal business. Skillingstad discovered that the average employee was devoting an hour per day to nonessential tasks.

“We saw all kinds of nonwork activity in that first test,” Skillingstad says—including online banking and shopping, reading personal e-mail and visiting chat rooms.

Savings Add Up

Skillingstad calculated a first-year ROI from the technology as a selling point with management. If Mobridge Regional could cut out frivolous activity on PCs, productivity savings based on 50 workstation employees averaging $15 per hour would total $180,000 in the first year of the monitoring software’s deployment. The hospital rolled out the technology to all 50 computers at a cost of $2,500.

After employees were told they could be monitored, nonwork activity dropped to “about zero,” Skillingstad says. Now, when a computer boots, a window pops up informing the user that he or she is being monitored.

In deterring unauthorized activity, the software easily paid for itself by early this year, Skillingstad says. The SpectorSoft package consists of two main components. Small modules that reside on PCs record activity, including e-mail, instant messaging, Web browsing, chats and file transfers. Every 15 to 30 minutes, the modules transfer activity data to the hard drive of a central PC that essentially acts as an archive. Alternatively, such data may be transferred to a database, though this isn’t the method Mobridge Regional chose.

Usage Monitoring Yields Savings

A central control center called Spector CNE (Corporate Network Edition) is installed on Skillingstad’s PC. The interface lets him determine which computers to monitor or audit. Using tabs, he can then choose among e-mail messages, Web sites, chat rooms, keystrokes, programs and peer-to-peer file shares. A “snapshot” option records everything appearing on a user’s screen, essentially acting as a surveillance record.

Mobridge Regional’s network presented challenges for the SpectorSoft deployment, Skillingstad says. The software includes a deployment utility, but the hospital’s peer-to-peer network structure required the IT director to manually push the software’s PC module elements to individual PCs, rather than send it out to the entire network at once.

The technology doesn’t automatically aggregate and report activity data from among many employees, so users must work to pull such information together manually. SpectorSoft says it’s in the process of developing a version that will compile aggregate reports.

But with installation complete, and employees aware that their activities can be watched or audited, Skillingstad is satisfied that Mobridge Regional has enforceable e-mail and Internet use policies in place. Workers have learned, for example, that sending e-mail about the condition of a friend or relative to someone outside the hospital constitutes a breach of patient information. “It had to be workable,” Skillingstad says. “It couldn’t be something that just looks good on paper, and then you cross your fingers that everybody does it.”

Skillingstad’s ROI calculation doesn’t include network-related and IT labor savings that he credits at least partly to the monitoring software. Employees are deterred from random Web surfing or receiving streaming video, which has freed up network bandwidth. IT is also spending less time removing spyware and viruses, Skillingstad says.

Only Part of the Answer

For all its effectiveness, the SpectorSoft strategy constitutes only a small part of Mobridge Regional’s overall HIPAA-compliance effort. Indeed, the monitoring method is by no means the only technology option available to hospitals and other health-care organizations, says Gartner’s Runyon. For example, HIPAA does not require that e-mail messages be encrypted, but some hospitals deploy tools that automatically monitor such messages for PHI and then either quarantine or encrypt them.

HIPAA does require holders of patient information to take “reasonable and appropriate” technical measures to protect data, but that definition varies from one organization to another. What all the technologies have in common is that they monitor content on some level.

“This is really content filtering,” Runyon says. “You’re looking at all the transactions across the network and determining if there’s PHI. And then you’re tracking it back to the original IP. It’s really not that hard.”

It’s the full PC-monitoring approach used by Mobridge Regional, however, that Skillingstad credits with the ROI the hospital expects to achieve this year. And he favors enforcing rules about PC use and work time as part of ensuring the security of patient information.

“It would be the same if you were at any job and doing something other than what you’re supposed to be doing,” Skillingstad says. “It’s just a standard work practice—you want to make sure people aren’t spending time doing nothing. And it’s enforceable.”


Did You Know?

• Non-work related Internet surfing results in up to a 40% loss in productivity each year at American businesses. [2]

• 85.6% of employees use office email for personal reasons. [3]

• 70% of all web traffic to Internet pornography sites occurs during the work hours of 9am-5pm. [4]

• 92% of online stock trading occurs from the workplace during work hours.

• 64% of employees have received politically incorrect or offensive emails at work. [5]

• 30% of American workers watch sports online while at work.

• 24% of American workers admit to shopping online while at work.

• Employees use company high-speed Internet access to visit sites such as Broadcast.com and MP3.com more frequently at work than they do at home because of the high-speed Internet access at work. [6]




