Think back to the last time you went to the doctor. Did they have a tablet in hand? Were they half-turned away clicking around an electronic health record (EHR) program as you answered questions at the back of their head?
Every aspect of health records has been digitized, and one group, in particular, is playing close attention: hackers. A report in Modern Healthcare predicts everyone in the United States will have their healthcare data compromised by 2024 if online theft keeps its current pace. That's why there's no time like the present for a compliance crash course. Strong security management and adherence to compliance regulations will be key to securing data and protecting patients in 2018—and beyond.
Know the history of hacking healthcare
In 2008, a mere 17 percent of physicians and 9 percent of hospitals used advanced EHRs. This fact inspired the Obama administration to roll out a five-year plan to move doctors and hospitals to digital systems. By 2013, the White House reported that more than half of US doctors adopted EHR.
This was a major step toward innovation for healthcare, but innovation in healthcare is never simple. Digital records make it easier for healthcare providers to share data with patients and other doctors, but there's a major downside: security. The more digital health records there are, the easier it is for hackers to target healthcare data—which is exactly what they're doing. The last benchmark study from Ponemon Institute found that 90 percent of healthcare organizations have suffered security incidents.
Hospitals, doctors' offices, imaging centers, labs, outpatient surgical facilities, and insurance providers are all vulnerable, and yet, healthcare organizations are struggling to prevent huge attacks. To overcome these challenges, it's critical for healthcare IT leaders to be up to date with current compliance regulations and the latest in security management while also looking out for future updates, challenges, and more.
As healthcare organizations look to the future and explore new ways of serving their patients, compliance regulations and security management need to be top of mind. Healthcare businesses need to take steps to protect themselves and ensure their entire team is on board.
Create a HIPAA crash course
Developing a compliance crash course is a great way for healthcare organizations to make security a priority. Why? Because HIPAA's complicated, and maintaining compliance requires everyone in the organization to understand the fundamentals of HIPAA. To be HIPAA compliant, providers need to understand:
- The appropriate patient rights and controls on the uses and disclosures of protected health information (PHI)
- The policies and procedures put in place to reduce vulnerabilities and prevent data from slipping through the cracks
In the event of an audit or compliance review, organizations must provide documentation proving they're safeguarding PHI and demonstrating how they're addressing all required security safeguards. None of these standards can be met without all parties first grasping what's required for protecting health records and making sure current safeguards can withstand government scrutiny. A crash course should start off by answering these general questions:
- Why was HIPAA created?
- Who must comply with HIPAA requirements?
- What are the HIPAA security and privacy rules?
- What are the penalties and fines for noncompliance, and how do you avoid them?
Those questions set the stage to go into specifics.
Prioritize security management
No two healthcare organizations will have the same risks, vulnerabilities, and threats, which is why it's key to conduct a HIPAA risk analysis and create a risk management plan. Both should center around the flow of PHI: Where does PHI enter the system? What happens to it in the system? Where does it leave? Where are potential leaks? Oft-overlooked sources of leaked data could include weak passwords, failing to shred physical records, a disgruntled former employee who can still access the system after leaving your company, or an unsecured printer.
Once you have a clear sense of vulnerabilities from a risk assessment, detail how your organization will implement measures to plug holes, improve security, and stay above board on all administrative, technical, and physical safety requirements. For example, if printers represent a security vulnerability, your plan of action could include investing in printers with embedded security features, like self-healing capabilities.
In a perfect world, a crash course combined with a thorough risk assessment would lead to a bulletproof security and compliance system, but you should still anticipate what would happen in the event of a breach. If—and when—an attack hits, you don't want to be left scrambling. This could mean designating one team to ferret out the source of the attack while another focuses on locking down data.
Strong security management isn't a one-and-done proposition. It requires constant vigilance and an ongoing commitment to keeping shady characters at bay. However, creating a crash course and performing a risk assessment can get everyone on the same page and build a culture of compliance that integrates HIPAA into the day-to-day work life of healthcare employees, executives, providers, and more.