MD Anderson uncovered a potential problem. Their physicians were using non-approved cloud based storage programs that they “may or may not” have been using to share PHI. I will note that they use a pretty broad definition for “consumer driven”. I define consumers as the target market that, in this case, a healthcare provider must engage to generate revenue that impacts the bottom line. The inside of the organization collaborates with “consumers” outside of the organization. That’s, perhaps, because I come from the business world where “consumer driven” is defined as “offerings, plans, or strategies motivated by customer demand or expectations.” In this case they were targeting physicians and not patients. Yes, anyone who consumes a technology is a “consumer” of that technology, but that would basically make the entire technology world as a whole “consumer driven” because every technology is created with someone and their problem in mind.
Now that I have stepped off of my soapbox, below you will see the three steps they used to solve their problem using cloud based technology.
Step 1: Analysis and Planning
Used support of network and desktop teams. Reached out to a few employees and received positive feedback. Need to establish an appropriate scope. Decided it was naive to say that they couldn’t put the data they use in that system. They went forward assuming it would include PHI. Worked with desktop and network teams to identify actual target technology. Engaged Information Security early.
Step 2: Prototype Pilot Implementation
MD Anderson used the following process to implement their pilot
- Implement gradually and with care.
- Evaluate surveys and usage data.
- Pilot with a mixed user base, prototype with power users and set end user expectations
Pilot program tips were to address security concerns early, take the time to test support and administrative tools, and don’t forget about the support staff.
Step 3: Support and Marketing
Partner with key groups for support. Advertise that these services are available. For internal collaboration I often suggest you communicate these new tools “7 different times in 7 different ways”. In MD Anderson’s case this included advertising the tool on their very own television station and using the help desk to document users that they knew were already using cloud based storage (perhaps inappropriately) and targeting those users. One of the ways definitely need to be a training program that highlights any self-service functions built into the new program.