Posted by: Jenny Laurello
HIPAA, HIPAA risk assessment, Meaningful use, MU stage 2, MUS2, Risk assessment, Stage 2
Risk assessment — that crucial procedure that ensures your organization complies with security rules — will continue to be a centerpiece of the Health Insurance Portability and Accountability Act (HIPAA) regulations and the National Institute of Standards and Technology (NIST) requirements for a very long time, if the Centers for Medicare and Medicaid Services’ (CMS) and The Office of the National Coordinator for Health’s (ONC) notes and the final rules of meaningful use stage 2 (MUS2) are any indication.
Risk assessment seems to have become negligible for many of us — a marginalized demand, a recurring irritant, a task infrequently undertaken despite the seemingly endless spate of breaches reminding us of the importance of the procedure itself.
That attitude needs to stop now.
Compliance is about creating an inventory of systems, validating identities and access rights, and reporting findings. Most critically, compliance is about aligning that reporting with policies and procedures and building a risk-mitigation plan to address identified security and process gaps.
We will not be able to meet MUS2 incentive requirements and we will be challenged to meet the Office for Civil Rights (OCR) HIPAA audit requirements if we can’t execute the risk assessment process quickly and automatically. We will also spend too much time assessing systems when many think we already spend too much time on reporting and compliance.
I’ve pulled together four key IT infrastructure questions everyone should consider when it comes to evaluating readiness for compliance and risk assessment. Ask yourself if you currently have the best and most efficient automated tools to get the job done as you read through each question – or if you are still “making do” with antiquated, manual tools (such as spreadsheets) that will keep you hamstrung and unprepared for the compliance and assessment efforts required by HIPAA, HITECH, etc.
1. How long does it take to produce a system inventory? The foundation of a risk assessment is identifying all of the systems and devices that contain patient data, the parts of your organization that have critical access to that data, and the disaster-recovery requirements for that data. How long would it take you to muster this data today? Does your infrastructure have the tools to search for and locate data and messages automatically, or is it a challenge for you to identify where clinical data is stored or transmitted to and from?
2. How many open-access points does your network have – that is, through what locations does data enter and exit your secure network? How many external parties log into your system and exchange information with you? How many of your FTP servers house critical data, and how often does that data move? How many access points exist now? How many access points do you expect to have when pressure to share data with patients, physicians, hospitals, laboratories, and public-health authorities increases when MUS2 takes effect in 2014? It’s critical to figure out how you can reuse these access points, consolidate them into gateways, and ensure those gateways offer you the tools to take inventory and identify risk.
3. Do you know where your protected health information and personally identifiable data are? Employee, financial, and patient-financial information and other patient data must be secured as it flows between systems. Don’t be satisfied that your certified EHR technology contains your critical data merely because you’ve consolidated all of your patient records there. The truth is you probably haven’t! And that’s because your revenue-cycle management systems store patient data, your card swipes at the admission desk store credit-card data, your satellite facilities store patient data, and your HR systems store employee data. All of this data needs to be inventoried and managed.
Additional questions to ask include: Do your message channels carry critical data? How long does it take you to identify message-delivery issues? How long does it take you to troubleshoot and resolve those issues? More and more, the health care industry is being measured on patient satisfaction and the ability to interoperate and connect with care providers. Offering a quality service to those with whom you exchange information is critical for your risk assessment and overall success.
4. Can you describe, in twenty-five words or less, your strategy for protecting data at rest and in motion? This is your elevator pitch to your senior executives, CIO, and financial leaders. Be able to explain how critical data is routed safely through your network and how your policy aligns with reality. For instance, does your clinical data typically move through secure FTP, and occasionally through email? Does your email policy prevent all unauthorized movement of clinical records, even by employees using something like Dropbox?
Answering these four questions will prepare you for the moment when you need to explain to stakeholders your intention to protect information at rest and in motion and to conduct regular risk assessments. You’ll be able to talk about your plan to use a single gateway to exchange with your partners all batch information that contains sensitive data. You’ll be able to talk about your plan to invest in a public or private HIE to consolidate real-time information exchange requests. You’ll be able to explain how your data-protection policy can be followed through investing in monitoring and risk-assessment tools. And you’ll be able to ask with confidence, “Can you help me get this funded?”