IT Risk Assessment For Healthcare Providers

A practice that fails to secure its data, or doesn’t make any attempt to secure it, could face some serious consequences.

Taking protective measures will only become more important to practices as technology evolves and threats to data security increase.

A growing number of medical practices and hospitals are getting audited and being fined hundreds of thousands of dollars. They are seeing their organizations’ reputations ruined as a result of not taking adequate measures to secure their data. If that’s not enough, practices also face less-serious consequences, such as being stalled in the process of attesting for CMS’ meaningful use EHR incentive program.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, supports HIPAA by imposing stiff penalties on healthcare organizations found guilty of data breaches. Among the penalties: fines up to $1.5 million and the burden of notifying the media (as well as patients) if the breach involves more than 500 records. The Ponemon Institute conducted a study (commissioned by Symantec) of 51 company breaches, which revealed that the cost per compromised record (in a data breach involving a malicious or criminal act) averaged $318 in 2010, up $103 from 2009.


If you are audited, would your organization satisfy the criteria listed below?

Security risk assessment defined

Under the Health Information Technology for Economic and Clinical Health Act, [2] “meaningful use” means that healthcare providers and organizations must:

  • Perform a security risk analysis in accordance with the requirements of 45 CFR 164.308(a)(1). A security risk analysis means that you must identify the potential risks and vulnerabilities to the confidentiality, availability and integrity of all electronic personal health information that your organization creates, receives, maintains or transmits.
  • Implement security updates as necessary and correct identified security deficiencies as part of the risk management process.


We have observed that many healthcare providers and organizations do not know how to perform a security risk analysis and do not even know what those terms mean. Moreover, in many instances, providers do not understand the risk of failing to perform a risk analysis. As explained above, and as many providers have learned recently, this failure can be costly, not only in the loss of federal stimulus dollars, but also in exposure to fines and penalties.

Consider the following:

  • Rising data losses — Breaches of protected health information nearly doubled between 2010 and 2011, according to Redspin’s 2011 PHI Breach Analysis;
  • Government oversight — HHS’ Office for Civil Rights last year kicked off a pilot program in which it will conduct 150 audits to assess health care facilities’ privacy and security compliance; and
  • Meaningful use qualification — Hospitals and eligible professionals must “conduct or review a security risk analysis” to qualify for Medicare and Medicaid incentive payments under Stage 1 of the meaningful use program.

Dr. Heiman has been a customer of Data-Tech for the last 9 years. Data-Tech has been providing Managed IT Services as well as maintaining his entire network. Dr. Heiman states, “It is very important that our network is up 24/7 and secure. Since partnering with Data-Tech, I have not had to worry about that. They are always a phone call away and have been very responsive to my needs. Security and reliability are the two most important elements in my practice’s network, and Data-Tech has taken care of both of those for me.”