Posted by: adelvecchio
Disaster planning, Protected health information, Risk assessment
Every facet of most health organizations’ operations, processes, and policies is intertwined with a myriad of systems, applications, and data. One hour of lost operations can cost an organization tens of thousands of dollars and, more importantly, harm patient care. One of the most important things a CIO can do is assess and mitigate the organization’s risks. A healthcare risk assessment may not be sexy, but a bad day can become catastrophic if you don’t take the proper steps to prepare your organization.
Step one: Plan and brainstorm. Sometimes it is difficult to imagine your beloved data center in an inch of water because a fire sprinkler went off prematurely. Scenarios such as terrorist bombings, chemical warfare, or a power outage combined with a powerful snowstorm must be considered and documented. Each disaster’s record should note its likelihood of occurring, based on historical events and the current environment. Thankfully, many of the items on the list don’t have a very good chance of actually happening (a zombie apocalypse, for example). The probability of each risk in this section should be rated numerically from one to three. This section should be weighted as 25% of the total risk score.
Step two: Evaluate the level of impact for each risk. The impact of an outage or catastrophe can range from loss of life and limb, to partial or complete system outage, to a breach of protected health information (PHI) that affects millions of people. Each risk should be rated numerically (again, from one to three) to assess its overall impact across these areas. This section should also be weighted as 25% of the total score.
Step three: Review the plan, or lack thereof, for each risk item. Each risk item should be given a numerical value (one to five) that corresponds to the level of planning in place for that item. This section should count as 50% of the total score.
Step four: Quantify your level of risk. The more quantitative you can be in scoring the assessment, the better. Every assessment has a degree of subjectivity, but rating each risk item with a numerical value gives team members a starting point around which to frame the overall risk discussion. Document your risk numbers in a spreadsheet to determine the value for each risk item, accounting for each section’s numerical score and weight.
Step five: Assess the results. It doesn’t matter whether you decide a low score is good or bad, as long as you are consistent across every section and risk item. For now, I’ll say a lower total score means an item possesses greater risk. You must have a risk mitigation action plan for each item given a score of three or fewer. Having a solid disaster recovery plan and a tested downtime process will mitigate most of the risks for any organization.
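The five steps above describe one weighted scoring scheme, so the following is a small Python risk register that carries it through end to end: probability (1 to 3) at 25%, impact (1 to 3) at 25%, planning (1 to 5) at 50%, a weighted total per item, and a flag for every item scoring three or fewer. This is an added example, not a tool from the post or its author. The risk items and their ratings are constructed sample data, and the scale orientation follows the author's convention that a lower total means greater risk, so a rating of 1 is the worst case on every scale (most likely, most severe, least prepared).

```python
"""Weighted healthcare risk-scoring register (added example).

Implements the scoring scheme described in the post: three sections with
fixed weights, a weighted total per risk item, and a mitigation flag for
items scoring three or fewer. Sample items below are constructed.
"""
from dataclasses import dataclass

# Section weights from the post.
WEIGHTS = {"probability": 0.25, "impact": 0.25, "planning": 0.50}
# Rating ranges from the post: probability and impact 1-3, planning 1-5.
RANGES = {"probability": (1, 3), "impact": (1, 3), "planning": (1, 5)}
# Items scoring three or fewer require a mitigation action plan.
MITIGATION_THRESHOLD = 3


@dataclass
class RiskItem:
    name: str
    probability: int  # 1 = most likely ... 3 = least likely (assumed orientation)
    impact: int       # 1 = most severe ... 3 = least severe (assumed orientation)
    planning: int     # 1 = no plan ... 5 = fully planned and tested (assumed orientation)


def validate(item):
    """Reject ratings outside the ranges the post defines."""
    for section, (lo, hi) in RANGES.items():
        value = getattr(item, section)
        if not lo <= value <= hi:
            raise ValueError(f"{item.name}: {section}={value} outside {lo}-{hi}")


def weighted_score(item):
    """Return the weighted total: each section's rating times its weight."""
    validate(item)
    return round(sum(getattr(item, s) * w for s, w in WEIGHTS.items()), 2)


def needs_mitigation_plan(item):
    """True when the item scores at or below the post's threshold of three."""
    return weighted_score(item) <= MITIGATION_THRESHOLD


def rank_register(items):
    """Return (name, score, needs_plan) tuples, riskiest (lowest score) first."""
    rows = [(i.name, weighted_score(i), needs_mitigation_plan(i)) for i in items]
    return sorted(rows, key=lambda r: r[1])


# Constructed sample register; ratings are illustrative only.
SAMPLE_REGISTER = [
    RiskItem("Sprinkler flood in data center", probability=2, impact=1, planning=2),
    RiskItem("Regional power outage during snowstorm", probability=1, impact=2, planning=4),
    RiskItem("Lost unencrypted laptop with PHI", probability=1, impact=1, planning=1),
    RiskItem("Zombie apocalypse", probability=3, impact=2, planning=4),
]

if __name__ == "__main__":
    for name, score, flag in rank_register(SAMPLE_REGISTER):
        print(f"{score:4.2f}  {'PLAN NEEDED' if flag else 'ok':11}  {name}")
```

Because every section is rated on the same orientation, the weighted total ranges from 1.0 (likely, severe, unplanned) to 4.0 (unlikely, mild, fully planned), and the threshold of three lands where a well-planned item can escape the flag only if its probability or impact is also rated favourably. The `validate` step matters in practice: a spreadsheet will happily accept a planning rating of 7 and quietly push an unprepared item above the threshold.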
Ongoing assessments: HIPAA laws at the federal and state levels are constantly changing. The regulations in this area are strict and carry heavy penalties if breached. The following areas have recently changed and must be covered in your healthcare risk assessments.
- Laptop and device encryption: The assumption should be that every mobile device could contain PHI. Once a device leaves the organizational boundaries, it is at risk of exposing PHI. The only way to protect the contents of a laptop is to encrypt its hard drive, which makes the data extremely difficult to recover even with advanced equipment. There are many software options, such as TrueCrypt, that do a very good job of laptop encryption.
- Email PHI filter: Email filters detect PHI keywords and reject or block emails containing those keywords before they are sent outside the organizational firewall. Cisco IronPort offers good filtering devices for protecting your email systems.
- EMR security: Several articles deal with this topic. Meaningful use stage 2 is the current standard for EMR security. At a minimum the system must be certified and equipped with the following functions: authentication with user ID and password restrictions, the ability to audit information, and the ability to archive data and logs. Controlled role-based access must also be part of the application.
- Secure text messaging: Smartphone adoption in the M.D. demographic is reaching close to 95% penetration. Recent studies show that nearly 70% of physicians use their phones for work. Doctors text PHI to other physicians because it can lead to better patient care. Doc Halo is an industry leader in enterprise text messaging.
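The email PHI filter item above describes the behaviour in one sentence, so here is a Python sketch of that outbound check: inspect a message for PHI indicators and block it only when it is addressed outside the organization. This is an added example and not a description of Cisco IronPort or any other product. The internal mail domain, the keyword list, the identifier patterns and the sample messages are all constructed for the example; a real deployment tunes the patterns to the organization's own identifier formats.

```python
"""Outbound e-mail PHI filter (added example, constructed data).

Inspects subject and body for PHI indicators and blocks delivery to any
recipient outside the internal domain when indicators are present.
"""
import re

INTERNAL_DOMAIN = "example-hospital.test"  # assumed internal mail domain

# Keywords and patterns that suggest PHI. Both lists are illustrative;
# production filters are tuned to the organization's own record formats.
PHI_KEYWORDS = ("diagnosis", "medical record", "patient id", "date of birth", "mrn")
PHI_PATTERNS = {
    "ssn_pattern": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn_pattern": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
}


def is_external(address):
    """True when the recipient's domain is not the internal domain."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def find_phi_indicators(text):
    """Return the names of the keywords and patterns found in text."""
    lowered = text.lower()
    hits = [k for k in PHI_KEYWORDS if k in lowered]
    hits += [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]
    return hits


def filter_message(sender, recipients, subject, body):
    """Decide whether to deliver or block an outbound message.

    Returns (verdict, indicators). Mail that stays internal is always
    delivered; mail leaving the domain is blocked when indicators are found.
    """
    indicators = find_phi_indicators(subject + "\n" + body)
    external = [r for r in recipients if is_external(r)]
    if external and indicators:
        return "block", indicators
    return "deliver", indicators


# Constructed sample messages: (sender, recipients, subject, body).
SAMPLE_MESSAGES = [
    ("nurse@example-hospital.test", ["dr.lee@example-hospital.test"],
     "Patient follow-up", "Patient ID 44821, diagnosis confirmed. MRN: 00123456"),
    ("billing@example-hospital.test", ["vendor@outside-partner.test"],
     "Invoice", "Please find the invoice for last month's services attached."),
    ("dr.lee@example-hospital.test", ["friend@mail-provider.test"],
     "Quick note", "Patient SSN 123-45-6789, date of birth 1/2/1950, can you review?"),
]

if __name__ == "__main__":
    for sender, rcpts, subject, body in SAMPLE_MESSAGES:
        verdict, hits = filter_message(sender, rcpts, subject, body)
        print(f"{verdict:8} {subject!r} indicators={hits}")
```

The first message carries several indicators but is delivered because every recipient is internal; the third is blocked because it carries an SSN-shaped number and a "date of birth" keyword to an outside address. Returning the matched indicator names rather than a bare yes/no is what makes the block explainable to the sender and auditable later, which is the part of a filter that reviewers and regulators actually ask about.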
Cliff McClintick is Chief Operating Officer of Doc Halo. He is a former Chief Information Officer of an inpatient hospital and has expertise in HIPAA compliance and security, clinical informatics, and meaningful use. He has more than 20 years of information technology design, management, and implementation experience. He has successfully implemented large systems and applications for companies like Procter & Gamble, Fidelity, General Motors, Duke Energy, Heinz and Iams.