Risk Assessment and HIPAA Security Compliance Starting Points

If you look at the number one meaningful use audit risk for a healthcare organization, I’m certain you’ll find lack of a proper Risk Assessment at the top of the list. I found this video of Jack Kolk, President of ACR2, talking about the need to do a risk assessment as part of the HITECH EHR incentive money which I’ll embed below.

That’s right, there’s a whole company whose main focus is doing healthcare risk assessments. I think this illustrates a number of things. First, there are a lot of healthcare organizations that are outsourcing their risk assessment. This is likely a good plan for most large organizations since they often don’t have the time or expertise to do it well in house. Second, I believe it also illustrates that doing the risk assessment is not a simple task. There’s a lot that goes into doing a proper risk assessment.

I must admit that I was also intrigued by ACR2’s cloud-based risk assessment platform. Far too often a risk assessment consists of huge stacks of paper that get shuffled around the office. There’s a certain irony that the audit of IT would happen on stacks of paper. It just makes sense to do the risk assessment in the cloud.

Regular readers will probably now realize that I think the risk assessment is important both because of the meaningful use audit risk and because keeping a patient’s health information secure is the right thing to do.

The reality is that half of you reading this have already done a proper risk assessment or are looking to do one now. The other half have already decided that it’s too much work and so you don’t care to go to the work of a full risk assessment. You’d prefer to risk not doing one. You won’t likely admit this in public, but I know this is what goes on in many healthcare organizations.

For this latter group, let me see if I can at least offer a couple of important suggestions on HIPAA security compliance and protecting your health information. If healthcare did only these two things, we’d see a decrease in HIPAA violations.

Disk Encryption – Hospitals have no excuse not to be doing disk encryption on all of their devices. The technology is there and every hospital IT staff should be able to easily implement disk encryption in their environment. I’m not going to give a pass to ambulatory environments either, but I won’t be surprised if many ambulatory clinics just never knew they should be doing it.

Disk encryption is a relatively simple technology to implement and should have very little effect on your workflow. Every hospital CIO should make this mandatory and implement it immediately if it’s not already implemented. Every ambulatory office even down to the solo practice should find some IT help to implement disk encryption in their environment as well. If your IT support doesn’t know how to do disk encryption (and possibly if they haven’t recommended it previously), then you might want to consider finding new IT support.

Strong Authentication – Generally, organizations do a pretty good job when it comes to strong authentication. I know that this is the case because I hear so many people complaining about their hospitals’ authentication requirements. Most have some sort of two-factor authentication in place and have implemented strong password policies.

One challenge for hospitals is that they have so many different applications that they manage. This makes it a real challenge to ensure that good password policies and other authentication requirements are met.

Luckily, the tools we have to centrally manage these and other computer security policies are so much better today than they were previously. Plus, most of them integrate with an array of biometric, single sign-on (SSO), digital signature, and other solutions. I’ve been a big fan of the DigitalPersona biometric solution since I first wrote about it years ago. It is really amazing how far they’ve come with their integration in the enterprise healthcare environment and how they can solve many of these issues.

The Real Solution
The most important thing a healthcare organization can do is to integrate HIPAA security and risk assessment into everything they do. Securing health IT and assessing your risk shouldn’t just be a one-time event. Instead, a quality healthcare organization will make an institutional decision to make HIPAA security a priority in everything they do. However, the realist in me hopes that every organization will at least start with disk encryption and strong authentication.

This post is sponsored by HP Healthcare, however opinions on products and services expressed here are my own. Disclosure per FTC’s 16 CFR, Part 255.