If you look at the number one meaningful use audit risk for a healthcare organization, I’m certain you’ll find lack of a proper Risk Assessment at the top of the list. I found this video of Jack Kolk, President of ACR2, talking about the need to do a risk assessment as part of the HITECH EHR incentive money which I’ll embed below.
That’s right, there’s a whole company that’s main focus is doing healthcare risk assessments. I think this illustrates a number of things. First, there are a lot of healthcare organizations that are outsourcing their risk assessment. This is likely a good plan for most large organizations since they often don’t have the time or expertise to do it well in house. Second, I believe it also illustrates that doing the risk assessment is not a simple task. There’s a lot that goes in to doing a proper risk assessment.
I must admit that I was also intrigued by ACR2’s cloud based risk assessment platform. Far too often a risk assessment consists of huge stacks of paper that get shuffled around the office. There’s a certain irony that the audit of IT would happen on stacks of paper. It just makes sense to do the risk assessment in the cloud.
Regular readers will probably now realize that I think the risk assessment is important both because of the meaningful use audit risk, but also because keeping a patient’s health information secure is the right thing to do.
The reality is that half of you reading this have already done a proper risk assessment or are looking to do one now. The other half have already decided that it’s too much work and so you don’t care to go to the work of a full risk assessment. You’d prefer to risk not doing one. You won’t likely admit this in public, but I know this is what goes on in many healthcare organizations.
For this later group, let me see if I can at least offer a couple important suggestions on HIPAA security compliance and protecting your health information. If healthcare did only these two things, we’d see a decrease in HIPAA violations.
Disk Encryption – Hospitals have no excuse to not be doing disk encryption on all of their devices. The technology is there and every hospital IT staff should be able to easily implement disk encryption in their environment. I’m not going to give a pass to ambulatory environments either, but I won’t be surprised if many ambulatory clinics just never knew they should be doing it.
Disk encryption is a relatively simple technology to implement and should have very little effect on your workflow. Every hospital CIO should make this mandatory and implement it immediately if it’s not already implemented. Every ambulatory office even down to the solo practice should find some IT help to implement disk encryption in their environment as well. If your IT support doesn’t know how to do disk encryption (and possibly if they haven’t recommended it previously), then you might want to consider finding new IT support.
Strong Authentication – Generally organizations do a pretty good job when it comes to strong authentication. I know that this is the case because I hear so many people complaining about their hospitals authentication requirements. Most have some sort of two factor authentication in place and have implemented strong password policies.
One challenge for hospitals is that they have so many different applications that they manage. This makes it a real challenge to ensure that good password policies and other authentication requirements are met.
Luckily, the tools we have to centrally manage these and other computer security policies are so much better today than they were previously. Plus, most of them integrate with an array of biometric, single sign on (SSO), Digital Signatures, and more. I’ve been a big fan of the DigitalPersona biometric solution since I first wrote about it years ago. It is really amazing how far they’ve come with their integration in the enterprise healthcare environment and how they can solve many of these issues.
The Real Solution
The most important thing a healthcare organization can do is to integrate HIPAA security and risk assessment into everything they do. Securing health IT and assessing your risk shouldn’t just be a one time event. Instead, a quality healthcare organization will make an institutional decision to make HIPAA security a priority in everything they do. However, the realist in me hopes that every organization will at least start with disk encryption and strong authentication.
This post is sponsored by HP Healthcare, however opinions on products and services expressed here are my own. Disclosure per FTC’s 16 CFR, Part 255.
When you push for disk encryption – which devices do you mean? Make’s sense if people are walking around with laptops or the like with sensitive data on them. Absolutely. But is this what you mean? Do you want drives on servers to all be encrypted?
Assuming properly secured portals and terminals/PC’s/tablets and computer rooms and the like, what does encrypting secured drives get you – and what’s the risk?
R Troy,
I’d start with anything portable. Then, you can move to desktops and servers later.
Makes sense.
BTW, one reason I’m a big believer in thin client is that no data is stored on the PC, and hopefully is encrypted from the source to the delivery client (browser or program). But even then a PC has to have proper firewall and antivirus protection and proper security settings (like screen locking when unattended). And I like cloud because I don’t trust most medical practices to properly secure their servers!
During my HealthIT training I had to watch a certain EHR sales video, which ends shortly after the doctor grabs a backup tape from his in office system and takes it home with him – where I’m sure he absolutely properly secures it! 🙂
[…] its staff and students is encrypted. This is interesting in light of John’s recent post about encrypting devices to meet HIPAA. The following update comes from the GeekDoctor blog maintained by Halamka, a resource worth […]
Nice ad, I didn’t know you did sponsored posts.
To be clear:
Meaningful Use Stage 1 Core Item #15 requires this risk assessment.
No exclusions.
Period.
End of Story.
Yet, many docs make a grand assumption here.
Guess what?
The cloud won’t save you.
Some automated process won’t save you.
A real risk assessment involves looking at your computers, your network, your policies, your processes, your training.
John,
I do sponsored posts on occasion, but always disclose when it is. Plus, in this case, they said I could write whatever I want, so I did.
The cloud won’t save you, but it might make it easy enough for you to actually do what you’re suppose to do.
When I see how poorly many medical practices handle their IT I cringe. Even ones that only use PC’s for scheduling and billing. They run old, unpatched XP, screen locking turned off, they figure hey, it’s behind the counter so no one can get to it. But if they have internet access and unusable firewall and antivirus, who knows who they are sharing data with. Now imagine a practice like that doing EHR? If they did client server, I can see – no backup, no system updates, unencrypted or perhaps WEP wifi, doctor’s with patient data on their personal tabs or iphones… At least with a secured cloud client and no data being physically on site (all the cloud does is display or allow entry), it’s not quite as dangerous except that the browser is probably not really secured.
Yes, the cloud can make things easier to accomplish in general, but in assessing the risk level of a practice, the cloud does not do this.
My lawn needs to be mowed – the cloud can’t do that.
The house needs painting – the cloud can’t do that.
There are some things that just have to be done by a person, like a risk assessment.
Very true. The advantage of the cloud is, for small practices or hospitals, is that SOME of the work is offloaded to experts outside the firm. There still needs to be a secured internal network with good equipment that is well maintained, and the firm still needs to know where it’s data is in case something happens to the EHR firm.
Really John? You’re telling me you’ve never seen the cloud powered lawn mowers: http://www.robomow.com/home.html 🙂
Have you never noticed that when its cloudy out that all the lawn mowers disappear?
About a third of our business is risk assessment for providers of all sizes. Fo those we can’t reasonably travel to, we generally contract their IT provider to go in and go through the physical part of the audit. I don’t know how you do a proper one without boots on the ground.
These are very important tools in order to reduce risk management system and other things as well.These type of system does help in order to reduce risk but not in every sector.