All organizations are guilty of just “going through the motions” at times.
Consider a client services specialist who leans too heavily on his company script, or the sales representative who meets her quota but never invests in continued professional development (aka, the learning zone). There are countless scenarios in a workplace where crucial tasks are tackled without enthusiasm or real involvement.
But few, if any, carry the level of risk of a healthcare facility just going through the motions with its cybersecurity plan. The organization must navigate this landscape carefully, and with a trusted map that leads to long-term security and compliance for the unpredictable journey ahead.
After all, healthcare organizations that believe every compliance and security requirement is met by a single cybersecurity risk analysis should think again.
“Many healthcare organizations are always thinking about checking that box, saying ‘Yes I did that assessment,’” Navin Balakrishnaraja, National Practice Director, Healthcare IT Services for All Covered (IT Services, Konica Minolta) said. “It cannot be a one-time snapshot, or a one-time risk assessment. It has to be a continuous, ongoing process. My intention is to move away from the idea of putting a check in a box, and instead adopting a (compliance) framework and moving toward a dedicated program that is able to give them visibility into their risks, and how to remedy them.”
It does all start with the risk analysis. The process, originally mandated by HIPAA and further enforced by government programs such as Meaningful Use and now the Medicare Access and CHIP Reauthorization Act (MACRA), is a vital (and required) component of a healthcare organization’s compliance posture.
A Thorough Risk Analysis Includes:
- Data collection on document workflow
- Identification of potential risks and threats
- Assessment of current security measures
- Determination of the likelihood of security threats
- Determination of the level of risk
- Final documentation of risk assessment
But, in many ways, as mentioned above, this process is just the beginning.
3 Items to Consider When Constructing a Secure and Compliant Healthcare Environment
1. Navigate Your Current State of Security... And Those Around You
A Risk Analysis will certainly shed light on where your facility stands in keeping information secure, its current risk of breach, and the direction you must take moving forward.
However, Balakrishnaraja says that while many organizations consider their own risks, they fail to consider the same for suppliers and other partners. For instance, do your Business Associate Agreements ensure that those partners remain compliant with HIPAA?
In the end, you are the party responsible for keeping patient information secure, or for paying the financial consequences.
2. Visualize Beyond the Technology Itself
While many organizations accurately track technical vulnerabilities, policies and procedures must also be put in place to address physical safeguards and administrative safeguards. In other words, Patient Health Information can be breached under non-technical circumstances: something as simple as an employee printing information and leaving it at a printer, or someone opening a patient record and viewing information they have no need to see.
It all comes down to communication – from boardroom stakeholders to end users – when addressing these non-technical safeguards.
3. Again… It all Comes Down to Communication.
Facilities must reinforce their policies and procedures internally to ensure successful implementation of any model. If everyone is not speaking the same language, it’s difficult to follow a common process.
The most robust hardware, policies and procedures mean little without continued workforce training. With a legitimate framework in place, and the proper education continually reinforced, employees can consistently identify both the levels and the types of risk and, more importantly… understand exactly what those findings mean.
The heavy responsibility of keeping patient information secure, paired with the onslaught of data breaches, requires a long-term cybersecurity strategy that involves everyone within your organization. We’d love the opportunity to help you begin to understand the full breadth of risks in and around your facility, and then begin to assess, analyze and mitigate threats with robust management tools and models.
Are you ready to construct your cybersecurity roadmap, blazing your route to HIPAA compliance and security? Let's start with a laser-focused technology assessment!