This ExecSense article outlines the challenge of striking an effective balance between robust risk management and healthcare service delivery.
My lesson – Regulatory Reality in Healthcare (HIPAA Audits): How to Align Risk Management with Service Delivery – sorts through the various layers of regulatory compliance imposed on healthcare executives, chiefly those at organizations that hold protected health information (PHI). These mandates originate from federal, state and local governments. The legal and regulatory compliance burden has increased tremendously over the last decade, with HIPAA, Sarbanes-Oxley, PCI DSS, HITECH, the Gramm-Leach-Bliley Act and Dodd-Frank all affecting healthcare in the U.S.
With the advent of HIPAA and the HITECH Act, healthcare providers are ramping up their efforts to protect electronic and physical medical records. This is primarily due to the significant fines an organization can face if records are lost or stolen and also to avoid the negative publicity accompanying such a breach of confidence.
HIPAA/HITECH audits are expected to ramp up significantly in the near future due to the added enforcement policies introduced with HITECH and the Final Rule. As an example, healthcare provider Cignet received the first penalty ($4.3 million) under HIPAA as a result of HITECH regulatory enforcement. HHS OCR has continued to levy penalties on other healthcare institutions that fail to follow HIPAA guidelines.
Organizations that have complied with government and industry regulations are far more likely to be protected from lawsuits and penalties, based on the “due diligence” clauses built into many industry regulations. PCI DSS, with its “get out of jail free” safe-harbor clause, is one example; the HIPAA Final Rule, with its standard of “reasonable” privacy and security precautions, is another.
The most significant hurdle to overcome with sensitive data or protected health information (PHI) is user behavior. Educating the enterprise in the proper way of treating PHI in multiple scenarios will be far more challenging than implementing new technology. We take up this challenge. During our presentation, we will focus on the following points that organizations will have to address:
- Where users can store and access sensitive data securely
- What devices (iPhones, iPads, Androids, etc.) are allowed on the network
- How systems with PHI data are going to be encrypted
- What policies are to be put in place to enforce these mandates
Healthcare organizations are increasingly becoming targets for malicious actors who use a variety of techniques and tools to compromise systems and staff in order to gain access to PHI. The latest ransomware outbreak in healthcare institutions is a top story in today’s news cycle. Crafting and implementing an effective risk management strategy in this hostile environment is of critical importance, and this topic will be covered in depth during the webinar.
The best way to modify user behavior is effective training backed by simple, enforced and monitored security policies. Unfortunately, organizations have cut back training activities significantly or never invested appropriately in the process. Organizational policies are also an issue: in many cases they are lengthy, unread and unenforced tracts that languish in the appendix of the New Employee Handbook, and they can be used as leverage against a healthcare organization during an OCR audit.
To sum up, Regulatory Reality in healthcare will provide a high-level framework for an effective cyber security training program that will add a significant component to a risk management portfolio.
About The Author
- Mike Meikle
- CEO, secureHIM
- IT Management
Mr. Meikle is a nationally known speaker on IT, Risk, Security and Healthcare topics. He regularly presents for Fortune 500 companies and organizations including Intel, McAfee, HIMSS, ADAM, and NCHICA.