3 Steps for Hospitals to Fulfill Meaningful Use Risk Assessment Requirement

In addition to meeting 14 core objectives and five menu set objectives, eligible hospitals have to attest to completing a risk assessment to achieve meaningful use. Furthermore, a proper risk assessment can ensure compliance with HIPAA and can minimize the risk of data breaches. Jared Rhoads, senior research specialist with CSC's Global Institute for Emerging Healthcare Practices, shares three steps for conducting a risk assessment for meaningful use.

1. Evaluate the risks and vulnerabilities. One of the first areas to evaluate for risk to data security is the electronic health record itself; hospitals need to ensure they are using a certified EHR. "But that's not the whole story," Mr. Rhoads says. "You can't just buy an electronic health record system and [think] as long as you're certified you're set. Security is really a 24/7 kind of thing."

Hospitals will also need to evaluate the data security and HIPAA risks staff present. Hospital leaders can minimize this risk by properly training staff, including physicians, nurses, technicians, pharmacists and anyone else who will be an end-user of the system. "If they have the proper training to recognize a risk and a threat, they can notice when something is not right and know the right thing to do. That will mitigate a lot of the risks," Mr. Rhoads says.

While all staff should be trained on the basic principles of data security and HIPAA, the most effective training is specific to different roles in the organization, according to Mr. Rhoads. Physicians, technicians and nurses should be trained on different processes "because they encounter data in different ways and in different contexts throughout the day," he says. He suggests developing several scenarios that are relevant to a certain position and training staff on how to respond. For example, a physician may take a laptop home if he or she works outside the hospital for part of the week. If the laptop contains patient data, the physician will need to know how to securely access and use the data. Nurses, however, may not need to take a laptop home and thus that training would be irrelevant to them.  

2. Correct any deficiencies and document all decisions. Once the risks are identified, hospitals will need to take action to minimize or eliminate them. Although the meaningful use regulations do not specify whether the correction should address only the technology or the related process as well, Mr. Rhoads says extending remedial actions to the processes is a best practice. For instance, not following up with business associates about their stated security policies is a deficiency. To correct this problem, the hospital should look at the entire relationship with the business associate. A correction should include not only ensuring the associate has proper security safeguards in place, such as encryption, but also meeting regularly and conducting onsite reviews, Mr. Rhoads says.

3. Commit to a continuous process. Hospitals need to continue to maintain their technology and security processes beyond the risk assessment by updating the software and ensuring the most current security patches are in place. "Security is not something [where] you can buy a piece of software and forget about it," Mr. Rhoads says. "It's something you need to revisit and maintain a continual review of." He suggests hospitals conduct a risk assessment every four to six months to determine if there are any new risks and what corrective action to take.

Since maintaining data security and compliance with HIPAA is an ongoing process, hospitals should have the appropriate personnel who can dedicate their time to overseeing policies and practices. Mr. Rhoads says every hospital should have at least one security professional, and ideally a privacy officer and staff in a department designated to be responsible for data security. "Part of being a security professional is living and breathing this stuff: hearing about the latest attacks and viruses, running cyclic tests on the network and being in touch with vendors on a regular basis," he says. While data security should be led by an IT professional, preventing data breaches is a multifunctional effort, according to Mr. Rhoads. "It's a full awareness on the part of everybody about how to act appropriately with systems."

Read Mr. Rhoads' report on HIT privacy and security.



