If We Care About Patients, We Should Just Give Up on Cybersecurity

Note: The first section of this article and the title are written in the sarcasm font to make a point in case you can’t see that font.

Everyone loves to talk about doing patient centered care.  The best organizations are spending both time and financial resources to provide the best patient care possible.  Seems like a noble goal. After all, healthcare wouldn’t exist without the patients.  There’s no need for healthcare without the patients.

Let me tell you something that would make patients’ lives better.  Looser cybersecurity restrictions.  How good is the patient experience if a doctor or nurse is struggling at the computer trying to figure out their password because they’ve had to reset it every 6 weeks and include a number, a letter, a special character, a capital, and their first born child’s middle name?  The patient sits there while the clinician is frustrated trying to log in to the computer.

If you’ve been there you know.  If you’re an arrogant techguy (I can say that since I’m @techguy) who is better at password management, you might laugh this off and teach them about passphrases or other ways they can remember their password better.  There’s a much simpler solution: just change your password policy.  Don’t worry about cybersecurity.  That password policy is impacting patient care, so just remove the policy.  Easy fix and a very patient centric move.  Then, the doctor or nurse is no longer frustrated with their login and password and they have more time to focus on the patient.  Plus, you get the bonus benefit of reduced physician burnout.

Some of you may be sitting there and saying that there are solutions to this.  For example, you could use Imprivata’s single sign on to make this experience better.  You’d be right.  However, that doesn’t work for the patient portal password policy for patients.  Talk about a bad patient experience.  Patients often complain about forgetting their password to the patient portal.  Many of them get so frustrated with it that they give up.  That’s not very patient focused.

Simple solution.  Let’s get rid of the password policy for patients too.  That’s a patient focused policy right there.  Easy access for patients to their information on the portal and ability to communicate is very patient focused.  To be honest, since we’re not focusing on cybersecurity, do we even need a password at all?  HIPAA says appropriate safeguards.  I think a picture of your cat would be unique and much easier than a password.

Ok, if you haven’t figured out by now, I’m being sarcastic.  We can’t just throw out cybersecurity.  In fact, doing so is a bad patient experience.  If patients can’t trust that their data is going to be safe and protected then they won’t share that info with us.  That’s important and thus cybersecurity is important and we can’t just give up.

However, I hope that my sarcastic approach above illustrates how too much of a good thing can have bad consequences.  Patient focus is a good thing, but it can be taken too far.  Especially if that focus is done in a bubble without understanding the other unintended (and sometimes intended) consequences.  There’s a balance required when it comes to any solution.  Cybersecurity and usability/experience are often at odds.  That doesn’t mean we give up on one or the other.  It does mean we have to learn to compromise and to have some give and take as we identify the best solution.

One of my patient friends, Stacy Hurt, recently shared that we shouldn’t just design with patients in mind, but we should design it with patients in the conversation.  I’d add that you need the right patients.  How do you find the right patients?  It’s hard because some patients are better at identifying a broad spectrum of patient needs and being able to identify the potential consequences than others.  Some are pretty myopic to their own requirements and concerns.  The best solution there is to ask a diverse set of patients.  That’s powerful.

We’d all love to give up on cybersecurity.  This world would be a much nicer place if everyone was just honest.  Unfortunately, they’re not, and so we can’t throw out healthcare cybersecurity.  However, we shouldn’t throw out patient focus in the name of cybersecurity either.  The real work of health IT is when you have to battle through competing priorities to find a solution that satisfies both as well as possible.

Ironic Bonus Point: Many password policies are just annoying and don’t add any extra security.  In fact, they reduce security if people can’t remember their passwords.  That’s an easy fix if you do the research on effective password policies.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.

5 Comments

  • I respectfully disagree. Security is important. It’s a combination of knowing and diligence. Changing your password every 6 weeks is as dumb as changing your door lock every 6 weeks. Remembering to shut down your computer or reset it, priceless. Passwords aren’t going to do you any good if anyone can guess them. 123456 isn’t a password, it’s a cop-out, the passive-aggressive “I don’t want to” (I can’t change is I don’t want to change). Sanction policies that aren’t enforced and are just paper tigers don’t work either. HIPAA was and still is a political act of stupidity and protects no one, most people talk, proudly, about their communicable diseases. Real security starts before you’re compromised, the billions of $ lost to breaches should be enough reason to keep up and be diligent regarding data and information.

  • Hi Barry,
    Sounds like you agree with me, but just didn’t read the whole article. The title was sarcasm and illustrates some of the extreme thinking that many apply in healthcare. Of course, security is important, but it’s finding the balance between security and usability that’s required.

  • You’re right John, I missed the “explicit” comment about being sarcastic. Security is important and I’ve met and spoken with many doctors and admins that think security is overkill. I perform security risk assessments and I can say, unsarcastically, that hospital rules don’t apply well to single or even multi doctor practices. When a Dr. asks me for a penetration test for an EMR in the cloud because he read about it, I shudder. I can see, as I have with many other industries, PC Magazine being the go-to for knowing about computers and security. It’s not! Our biggest albatross in HIT isn’t security, it’s the administration of security and the deification of HIPAA. Regarding patient inclusion, when I worked for an EMR company one of our Doctors surveyed the patients regarding the patient intake process and registration. They took 5 minutes and 10 clicks and turned it into 2 hours and Homer’s Odyssey. Needs assessment outweighs patient inclusion; the patient needs to get in and verify information, not write their version of War and Peace. John, much respect for pointing out my omission.
