Brace yourselves, it’s Halloween time folks. Be afraid of all those things that go bump in the night. What will happen if that black cat crosses your path? Pranks will abound and you’ll want to be on the lookout for some errant vampire ready to feast. These are scary days indeed, so perhaps you’ll do what most people do and load up on some of those tasty treats to ease your fears.
Like those ghosts and goblins lurking in the dark, navigating the waters of information technology security standards can be frightening, especially as it relates to health care IT standards. The rules, regulations, sanctions, and best practices can certainly haunt you day and night. Just thinking about the mountains of information out there on the topic of security and health information can be terrifying. Many questions should immediately pop into your head…
- What is HIPAA and how does it apply to me and my company?
- What is “protected health information,” or “PHI” as it is commonly referred to?
- What information is considered protected?
- What happens if PHI is breached?
- What are the necessary steps to prevent PHI from getting into unauthorized hands?
Are you scared yet? If not, you’ve got nerves of steel and none of the spookiness of Halloween is going to bother you. If you are like the rest of us, the scope and magnitude of preserving the security of your patient data is a monumental task and one that is taken very seriously.
If you’re following our blog, you’ve already heard about the need to secure equipment, protect passwords, encrypt devices, and prepare for disasters. Mindful of all of these details, have you taken a serious look at what internal controls exist to safeguard your agency’s PHI? Have you measured your risk? If so, do you think an independent analysis of your risk is in order? In some cases, outside eyes may provide a more objective assessment of the lay of the land in your current security environment. With all of the data and advice out there, it is hard to determine what is fact and what is fiction. For some insight, check out the “Top 10 Myths of Security Risk Analysis” posted on the HealthIT.gov website. These comments may help you debunk what you may have heard or assumed. The website also provides guidance on developing a risk analysis and action plan, as well as the resulting risk management considerations.
Obviously, the key to your efforts needs to be a meaningful review of your entire operation. This assessment can include, but is not limited to, your workflow structures, your internal policies (or the lack thereof), and the physical safeguards you have in place to manage equipment internally and externally. As explained in a Centers for Medicare & Medicaid Services (CMS) brief entitled “Basics of Risk Analysis and Risk Management,” a thorough analysis will “identify potential threats to and vulnerabilities of information systems and the associated risk.”
Clearly, as we move toward recording more and more patient data through electronic means, the security and integrity of our computer systems are critical. The resources provided in this article include a wealth of information on how to assess your IT infrastructure, as well as measures to improve internal systems. However, IT systems are not the only risk you will find. As mentioned before, risk can also be found in the least likely places. For example, don’t forget to check out those staff cubicles where you might find that handy list of passwords conveniently posted on a cubicle wall. Scarier yet, let’s not forget those super photocopiers our companies all have, with the superior internal brains that we love so much: did you know they are so smart that their internal hard drives capture and retain copies of every document they scan, copy, or fax? Sometimes the most innocent and inadvertent acts can prove to be the most costly.
Have we got your pulse racing yet? Don’t be tricked by those that will tell you that you don’t need to worry about taking a serious look at your internal operations. You might be spooked by what you find, but the treat at the end of the day will be that through your hard work you’ve identified weaknesses and set the stage for a much more secure environment.