Cyber insecurity

The vulnerability of computer systems has been front and center in the headlines over the last few weeks.

In addition to healthcare providers that have been directly impacted, suppliers of healthcare-related services have also been tangled up with malware, which in turn has had a significant adverse impact on the hospitals of many of our colleagues.

Trying to keep up-to-date with all of the reports on various forms of malware can make one’s head spin, with technical jargon quickly clouding the issues. It’s not really important to most users and hospital administrators to understand the significance of your Master File Table, Master Boot Record, or the workings of a “killswitch.” Focus has been appropriately directed at increasing awareness about the dangers of opening emails from unknown sources and other ways to avoid infection. While that is all well and good, there are two basic steps that are being overlooked that can significantly help protect your computers and your hospital enterprise.

Make backup copies of your important files: One strategy that is often quoted is “3:2:1,” which means that each original file has a total of three copies, two of which are “local” and one of which is offsite in a remote, unconnected storage facility. Restoring data can be made easier by using an online backup service such as iDrive, Carbonite, or BackBlaze (to name just a few). Modern online backup services make restoring even badly infected computers a very easy process, even for non-technical home users.
Keep up-to-date with software patches: Both of the recent large malware attacks would have been totally prevented if software patches and updates had been regularly applied (in this case, through “Windows Update”). The Information Technology (IT) department at companies and hospital enterprises can (and should) set system-wide policies that periodically install the latest updates and patches, thereby helping to keep information safe.

When considering software (and especially “Software as a Service”) for your hospital, how can you help assure that the supplier is taking all reasonable steps to protect your data, confidentiality and security? To answer that, we need to look at something called Service Organization Controls (SOCs), and more specifically “SOC 2.”

A SOC 2 compliance report is the result of an audit of a service organization’s security processes, conducted against a framework established by the American Institute of Certified Public Accountants (AICPA). It helps to evaluate the organization’s compliance with the five Trust Services Principles (TSPs) for Service Organization Controls, namely:
Security: Logical and physical protection against unauthorized access
Confidentiality: All information designated as “confidential” is protected
Privacy: The collection and use of personal information conforms with the privacy notices of the Service Organization
Availability: The system is operating and available for use
Processing Integrity: Processing of information is complete, accurate, timely and authorized

SOC 2 compliance not only requires comprehensive policies and procedures related to the TSPs shown above, but also requires periodic technical audits to review hard evidence that the policies and procedures are being followed.

Hospital IT departments should ask for the SOC 2 “Management Assertion” and audit report of every vendor with whom they are doing business or with whom they are planning to work. This is where, for example, you can review policies for data backup and for operating system patches and updates. And, very importantly, there should be something that indicates consideration for Business Continuity, to keep data and functionality intact in the event of network or system failures.

Can you ever really “expect the unexpected” and avoid an incident such as the ones we’ve seen in the past few weeks? Reading over each SOC 2 Management Assertion will help you see how each vendor answers that question.

Dr. Jonathan Elion, MD, FACC, is a practicing board-certified cardiologist in Providence, RI and an Associate Professor of Medicine at Brown University. With over 40 years of experience in computing and more than 25 years of experience in medical computing and information standards, Dr. Elion has committed his career to innovations in high value services and healthcare delivery to maximize efficiency and cost effectiveness. Jon is the founder of ChartWise Medical Systems, Inc., a Rhode Island based company that recently introduced ChartWise 2.0. It is the first-to-market interactive software system designed to improve precision in quality clinical documentation and to support revenue assurance through its web-based, comprehensive built-in expertise, electronic queries and robust on-demand reporting.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2019.
