An ACE up your sleeves . . . thoughts on Assessments from Nashville and other places
In addition to the Grand Ole Opry, Nashville recently hosted the Allscripts Client Experience 2011 (better known to attendees as ACE.11). You may know that Allscripts and Symantec earlier this summer released a Privacy and Security Risk Assessment (PRSA) to help Eligible Providers (Professionals, Hospitals and Critical Access Hospitals) complete and document the mandatory Risk Assessment in order to achieve Meaningful Use. This is a web-based tool that lets providers at all levels of expertise and maturity collect and document their baseline security posture, and then track and manage improvements, changes and updates to that posture, as well as the vulnerabilities discovered in the initial assessment.
From the provider’s perspective, the conference was certainly about getting the assessment done and documented and attesting to Meaningful Use so the money can start coming in. For the IT people I spoke to at the conference, the PRSA was an important beginning to what will become an ongoing and expanding need in healthcare: managing the risks around the security and privacy of patients’ data. The security risk assessment is a requirement under HIPAA, but I am afraid many providers will ‘perform’ their risk assessments in order to comply with MU and then never look at or use them again. That is a big mistake.
First, if you read the regulation it says: “Conduct or review a security risk analysis per HIPAA, 45 CFR 164.308(a)(1) of the certified EHR technology, and implement security updates and correct identified security deficiencies as part of its risk management process”. Everyone is terribly focused on the first part of that sentence, the security risk analysis. What they should be focusing on is the last part of that sentence, the part that refers to your risk management process. I understand getting the money; you have invested a lot in putting in an EMR and building the clinical objectives into that system. However, the point of the risk assessment is not to get the money; it is to lay the foundation and begin building your privacy and security risk management function.
HITECH, like all laws, will come and go; the things you have to do to comply with it will be done and no one will look back. What will never go away is the need to constantly monitor and manage your privacy and security risks. In fact, I’m confident that it is going to get more complex. This is one case where the people from the Government really are trying to help, if we look beyond the short-term requirements to the long-term needs of Health IT. If you have established a baseline for security, and that includes inventories of all that hardware and software, how systems connect, and where ePHI comes in, moves through and leaves your organization, you know what you have to do. When you add or remove systems, policies change, or people turn over, you have a place from which to monitor and adjust your security posture for those changes.
The PRSA is not the only assessment I have been talking to IT staff about. Over the past month or so, I have had the pleasure of going into many hospitals and health systems. I haven’t finished one of these visits without talking about some of the other baseline measures that providers are thinking about doing; a Data Loss Assessment is always top of mind. Many providers don’t even know what data is being moved around or off their network until they have this little gem performed. Even if they aren’t going to implement DLP immediately, they have to know where they are in order to get where they need to be, just like the PRSA. The same goes for the Malicious Activity Assessment. This particular assessment can be especially useful in the healthcare arena, where IT may not even be responsible for biomedical devices with embedded systems that cannot be protected in traditional ways. These devices aren’t usually on the CIO’s radar until it is too late, and they are particularly vulnerable to the new types and varieties of threats in the wild. They are not typically targeted, but they become collateral damage in any kind of attack.
Then there are things like our Mobile Security Assessment; this may be the least understood and least managed technology area in healthcare. The Security Program Assessment can be critical for providers just starting to build a Security Strategy and Program. This brings me to my bottom line:
There are some critical risk considerations that providers have to look at, from the perspective of the data. If an organization has a strategic plan or roadmap, this is easier. If you have an IT strategy that aligns with the business plan, it is easier still. What I seldom see is the last step: a security strategy that aligns with the IT strategy and thus with the business plan:
- We will give our patients access to their data electronically. The business plan.
- We will provide a portal so that patients may access their information during normal business hours. An IT strategy.
- We will allow access to the patient portal only via SSL using 2FA with one-time, self-expiring passwords. A security strategy.
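The security strategy item above names a concrete control: a second factor made of passwords that work once and expire on their own. The following is an added illustration of the server side of that control, not code from Allscripts, Symantec or the PRSA tool. It assumes 8-digit numeric codes, a 5-minute lifetime, a budget of 5 guesses per code, a server-side secret, and an in-memory dictionary standing in for the portal’s database; the SSL/TLS transport the strategy requires is assumed to be handled by the web tier. The class name `OneTimeCodeService` and its methods are hypothetical.

```python
"""One-time, self-expiring second-factor codes for a patient-portal login.

Added illustration; not code from Allscripts, Symantec or the PRSA tool.
Assumptions (not from the original post): 8-digit numeric codes, a 5-minute
lifetime, at most 5 guesses per code, and an in-memory store standing in for
the portal's database.  TLS between browser and portal is assumed to be
handled by the web tier and is out of scope here.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5         # assumed guess budget before the code is discarded
CODE_DIGITS = 8          # assumed code length


@dataclass
class PendingCode:
    digest: bytes        # keyed hash of the code; the plaintext is never stored
    expires_at: float    # absolute time after which the code is dead
    attempts: int = 0    # guesses consumed so far


class OneTimeCodeService:
    """Issue a code once, accept it once, and let it expire on its own."""

    def __init__(self, server_secret: bytes, clock=time.time, ttl: int = CODE_TTL_SECONDS):
        self._secret = server_secret      # server-side key for the keyed hash
        self._clock = clock               # injectable so expiry can be tested
        self._ttl = ttl
        self._pending: dict[str, PendingCode] = {}

    def _digest(self, user_id: str, code: str) -> bytes:
        # HMAC binds the code to the user and hides it from anyone who reads the store.
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh code for the user; any earlier unused code is replaced."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = PendingCode(
            digest=self._digest(user_id, code),
            expires_at=self._clock() + self._ttl,
        )
        return code   # delivered to the patient out of band; never logged

    def verify(self, user_id: str, code: str) -> str:
        """Return 'ok', 'wrong', 'expired', 'locked' or 'no_code'.

        A code is removed from the store on success, on expiry, and when the
        guess budget is exhausted, so it can never be accepted twice.
        """
        pending = self._pending.get(user_id)
        if pending is None:
            return "no_code"
        if self._clock() >= pending.expires_at:
            del self._pending[user_id]
            return "expired"
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]
            return "locked"
        # Constant-time comparison of digests so timing does not leak matching prefixes.
        if hmac.compare_digest(pending.digest, self._digest(user_id, code)):
            del self._pending[user_id]   # single use: consumed on success
            return "ok"
        return "wrong"


if __name__ == "__main__":
    svc = OneTimeCodeService(server_secret=secrets.token_bytes(32))
    code = svc.issue("patient-0001")                          # constructed user id
    print("first use:", svc.verify("patient-0001", code))    # ok
    print("second use:", svc.verify("patient-0001", code))   # no_code
```

The three properties the strategy item asks for each map to one line of `verify`: the expiry check makes the code self-expiring, the deletion on success makes it one-time, and the attempt budget keeps an 8-digit code from being guessed. Storing only an HMAC of the code means a dump of the pending table (the kind of thing a Data Loss Assessment would flag) does not hand out usable codes.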