HIPAA Risk, Social Media, & Tough Love
June 8th, 2016
The Challenge of Improving HIPAA Compliance and Health Care IT Security (Part 2)
In part 2 of our two-part series, Medicus Solutions interviews Bill Steuer of GSG Compliance, LLC to wrap up our discussion of the past, present and future challenges to IT security for healthcare entities.
In part one of our Health Care & Patient Information Security series, we interviewed Paige Joyner PhD, CIPP/US, a compliance industry veteran and industry leader, on the challenges that face the health care industry as a whole as it tries to meet HIPAA compliance expectations and best protect patient information from accidents, theft and malicious internet-based attackers. Subjects touched on included the threat that crypto-ransomware represents to the health care industry in 2016, HIPAA audits and much more.
Part 2 continues the conversation with a new interviewee: Bill Steuer of GSG Compliance, LLC, a full-service HIPAA compliance consulting and risk-management company with more than 30 years in the industry. We sat down with Bill to discuss the same topics we spoke with Paige about to get yet another perspective on what risks may loom in the future and how entities can get themselves ready to meet HIPAA standards and protect their patients.
Bill Steuer, GSG Compliance, LLC
Interviewer: In a report published by the California Attorney General, they found that from 2012-2015, personnel errors and physical loss were the leading causes of data breaches. At least in California. Have you found that to be the case in your experiences as well? What do you recommend for those looking to shore up those kinds of issues?
Bill: Yes, we have seen and heard stories on just about all types of situations. You and I can probably recount tons of personal stories where we did, or heard that someone did, “bone-head” things such as leaving the garage door up after leaving for work or leaving the water on in the bathtub for hours. So, the human error stuff tends to be more common with data breaches, both with physical and digital patient information. There was the physician that sped away from the office forgetting he had left reams of patient files on the roof of his car. Then there was the practice administrator that took the unencrypted EHR backup hard drive offsite. After a quick grocery run, she returned to her car to find her windows broken and the drive nowhere to be found. The stories can go on and on. It is important for health care practices to understand that they cannot safeguard 100% against every possible situation. However, best practices in the technical, physical and administrative areas of patient information protection can be implemented.
Most health care providers believe that they have secure systems and procedures in place because they simply have their on-site server in a locked closet or they use a hosted EHR. Although protecting patient information is much more than these items, it is well within practices’ capabilities. We have seen that Medicus’ stringent protocol for protecting information has made them a good partner. One key is taking as much potential human error and laziness out of the process as possible. Remote backups and a formal password policy, to name a few, are simple. There are common sense things that can be done to improve security.
Interviewer: What security issues keep you awake at night as we push through 2016?
Bill: There are many issues such as breaches, audits, and preparation to be concerned about these days, but one that we are hearing more noise about lately is social media. Controlling the access to PHI (Protected Health Information) is a huge concern. Additionally, there is no surprise that social media is becoming more prevalent. Put those two issues together and you have a recipe for potential problems and many challenges. Recently we heard of an instance where a celebrity was on location shooting a movie and needed health care at a local medical practice. One of the practice’s employees posted inappropriate PHI on social media. Policies and proper training of medical practice employees can help reduce these types of instances.
Business Associates are becoming a bigger concern as well. As more medical practices, clinics and hospitals look to outsource more of their IT network management, EHR and other patient-related touch points, there are now more “cooks in the kitchen”. This may result in a greater number of potential breaches or data loss vulnerabilities. Business Associates typically have remote access to the practice’s networks, which again increases potential problems. Now that the same regulations and responsibilities are placed on Business Associates to protect PHI as there are on medical practices, my concern is that a lot of them are not following through on those responsibilities.
Interviewer: What do you recommend to the IT departments of these health care entities as they try to push these new security protocols and standards upon tech-resistant staff?
Bill: Give them tough love. At the end of the day, you have to protect the entire entity. Most people don’t like technology process changes, so we recommend finding a way to simplify it. We offer the “eating an elephant one bite at a time” approach. The health care industry lags with regards to privacy and security as compared to other industries like banking. Most of us have embraced, and in fact prefer, the protocols and steps we have to abide by when we are using our online banking services. Protecting PHI is heading that way. As long as the operations teams and compliance teams are on the same page, they’ll get there.
Interviewer: What would your top suggestion be for any healthcare entity that is under pressure to digitize everything to keep from putting themselves at risk for data breaches?
Bill: With regard to purchasing and implementing an EHR system, understand that if done right, it can be a lot of work to find the best fit. Be careful not to simply buy what the salesperson is selling (i.e., web-based, RCM, hosted, etc.). Do your homework. Bigger doesn’t always mean better; inexpensive doesn’t always mean cheap. Finding the right EHR for your office workflow is important for providers and staff alike. Automation is good for healthcare in many ways, but as with any technological advancement, along comes additional responsibility. With some preventative measures, most vulnerabilities can be mitigated. For example, an IT company like Medicus will ensure that each computer has proper encryption in place and that each staff member at the practice is given the appropriate access rights to PHI.
As Bill indicated, developing the right security protocols and conduct standards for and around patient information access, carefully choosing business partners, and helping health care staff understand that following proper procedure to keep information safe and secure is part of “doing no harm” are absolutely essential going forward. We also agree that letting a third party perform your health care entity’s security assessment will help ensure that vulnerabilities are seen and can be properly addressed. Medicus Solutions provides a service tailored to help health care entities evaluate and put in place the policies necessary to meet HIPAA expectations, and would be happy to evaluate your entity. Our biggest goal is for you to recognize the necessity of strong policies and assessments regardless of who you work with. Get your health care entity into HIPAA compliance and make sure you’re working with experts who are ahead of the curve on the threats and HHS expectations coming down the road.
About Medicus Solutions:
Medicus Solutions, LLC is an Alpharetta, GA based company that specializes in providing IT management solutions to improve the efficiency, security and stability of your company’s operations. Medicus offers a range of IT services that work both independently and in unison to ensure your company operates securely, seamlessly and efficiently. Services include secure email and backup, virtual hosting, HIPAA-approved file encryption systems, and much more. For more information about Medicus Solutions, please call our main office in Alpharetta at 678-495-5900 or visit our website.
Medicus Solutions writes about news, technologies, and educational topics that are defining the future of health care IT solutions and security issues at its blog: http://msinc.com/blog/