In many organizations, cyber security is perceived as one of those “important-but-not-urgent” issues that keep getting put off in deference to the pressing issues of the day – insurance denials, staffing, readmissions, patient no-shows, supply shortages…the list goes on. It’s not that organizational leaders are doing nothing. In most organizations, the basic pieces, such as a HIPAA-compliant EHR, firewall, anti-virus software, and staff training, are all in place. It is these very safeguards, though, that can give leaders a false sense of security, making them complacent about day-to-day risk management. For instance, how vigilant are you about each of the following:
- Reviewing the audit log from your EHR system for suspicious activity – and following up?
- Reviewing the network activity log and addressing any suspicious patterns?
- Ensuring that system and facility access for all departing employees is completed at the time of departure?
- Ensuring that all software patches are implemented as soon as possible after release?
- Regularly reviewing and addressing the issues identified in your Security Risk Assessment (we recommend at least monthly)?
- Conducting ongoing security training for all members of the workforce (not just once per year)?
- Applying sanctions to members of the workforce – including physicians – who put information security at risk with unsafe practices?
- Ensuring the security of new medical devices before deploying them on the network?
- Documenting and periodically reviewing all “security incidents”?
- Completing a new Security Risk Assessment after a major organizational, facility or IT change?
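As an added illustration of the first and third items above (this is example code written for this page, not code from the original post or from Third Rock), the script below runs two of those checks over a constructed EHR audit log and HR roster: it flags after-hours access and bulk record views, and it lists accounts that are still enabled after the owner's termination date. The log format, user names, clinic hours and the "bulk" threshold are all assumptions chosen for the illustration; a real review would use the EHR's own export format and the organization's own hours and thresholds.

```python
"""Two of the checklist checks, run over constructed sample data.

Assumptions (not from the original post): the audit log is one line per
event in the form "<ISO timestamp> <user> <action> <record id>", clinic
hours are 07:00-19:00, and viewing 3 or more distinct records in a day is
worth a second look.  Real thresholds depend on role and workload.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed EHR audit log (timestamp, user, action, patient record id).
AUDIT_LOG = """\
2024-03-01T09:12:44 jsmith VIEW 1001
2024-03-01T09:15:02 jsmith VIEW 1002
2024-03-01T02:41:10 mjones VIEW 2001
2024-03-01T02:42:55 mjones VIEW 2002
2024-03-01T02:43:30 mjones VIEW 2003
2024-03-01T10:05:00 rlee VIEW 3001
2024-03-01T10:06:00 rlee EXPORT 3001
"""

# Constructed HR roster: user -> termination date (None = still employed).
HR_ROSTER = {"jsmith": None, "mjones": None, "rlee": "2024-02-15"}
# Constructed list of accounts still enabled in the EHR / directory.
ACTIVE_ACCOUNTS = {"jsmith", "mjones", "rlee"}

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed clinic hours
BULK_VIEW_THRESHOLD = 3                      # assumed per-user, per-day threshold


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "record": record})
    return entries


def after_hours_access(entries, hours=BUSINESS_HOURS):
    """Events whose time of day falls outside the assumed clinic hours."""
    start, end = hours
    return [e for e in entries if not (start <= e["ts"].time() <= end)]


def bulk_record_views(entries, threshold=BULK_VIEW_THRESHOLD):
    """(user, day) pairs that viewed at least `threshold` distinct records."""
    seen = defaultdict(set)
    for e in entries:
        if e["action"] == "VIEW":
            seen[(e["user"], e["ts"].date().isoformat())].add(e["record"])
    return {key: len(records) for key, records in seen.items()
            if len(records) >= threshold}


def departed_with_active_access(roster, active, as_of):
    """Accounts still enabled although the owner's termination date is on or before as_of."""
    return sorted(u for u in active if roster.get(u) and roster[u] <= as_of)


def activity_after_departure(entries, roster):
    """Log events by a user dated after that user's termination date."""
    return [e for e in entries
            if roster.get(e["user"]) and e["ts"].date().isoformat() > roster[e["user"]]]


def run_review(log_text=AUDIT_LOG, roster=HR_ROSTER, active=ACTIVE_ACCOUNTS,
               as_of="2024-03-01"):
    """Collect all findings in one place so they can be assigned and followed up."""
    entries = parse_log(log_text)
    return {
        "after_hours": after_hours_access(entries),
        "bulk_views": bulk_record_views(entries),
        "departed_still_active": departed_with_active_access(roster, active, as_of),
        "activity_after_departure": activity_after_departure(entries, roster),
    }


if __name__ == "__main__":
    findings = run_review()
    for name, items in findings.items():
        print(f"{name}: {len(items)} finding(s)")
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

Each finding is a starting point for follow-up, not a verdict: an after-hours login may be a legitimate on-call clinician, and a bulk view may be a nurse preparing for clinic. The value of the weekly review is in asking the question and recording the answer, which is also what an OCR auditor will look for.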
Don’t get me wrong – I know it’s hard to do all of this! It requires time, money, and knowledgeable staff.
Here’s my take on overcoming these three very common roadblocks to risk management.
Time – “I don’t have time…My staff doesn’t have time.”
Ask yourself, “When I am breached, where will I find the time to deal with the fallout?” Spending 1-2 hours per week (e.g., first thing every Friday morning) delegating and following up on the issues above could greatly reduce your risk of a breach, the extent of a breach if one happened, and the OCR fine should a breach or random audit occur.
Money – “It costs too much…Those costs shouldn’t come out of my budget – that’s IT’s responsibility.”
Whose budget will pay the breach remediation costs? One medium-sized medical practice (20+ providers) spent more than $1 million on patient notifications alone after experiencing a breach. Cyber insurance will cover some of the costs, but most organizations are under-insured and find themselves paying legal fees, increased operational costs, and fines while experiencing decreased revenues due to the negative reputational impact. Don’t be penny wise and pound foolish. Find the money to invest in information security before a breach occurs. And if the accounting system is a barrier, lobby your peers and CFO to make “information security” a line item in everyone’s budget.
Knowledge/Skill – “I don’t know how…My people don’t know how.”
The OCR adheres to the general legal guideline that “ignorance is no excuse.” Numerous free resources are available on the OCR’s website, and multiple vendors offer relatively low-cost HIPAA training courses for clinical staff and compliance officers. There are also service providers that can provide monthly or quarterly cyber security support services if your own IT staff lack that expertise. Teach yourself, go to training, or find someone knowledgeable to help you. Don’t let ignorance keep you from protecting some of your organization’s most valuable assets – your patients’ information and your professional reputation.
Contact us today – 512.310.0020 or info@thirdrock.com for more information on completing a security risk assessment, developing a risk management program, or becoming a Partner to make these or related services available to your clients.