
So how paranoid am I supposed to really be? Tin foil hat? “It’s all good”?


One of the most frequently asked questions I receive is “What should I really be worried about?” Everyone wants to know the two or three things they really need to focus on and address, so they can then get back to their job of providing quality healthcare to their patients. Everyone worries about an inadvertent Protected Health Information (PHI) disclosure, or the infamous “400-pound guy” trying to hack their network and access their data.

My answer is always the same, and no one really likes it: follow your risk assessment process.

A doctor advises you to eat healthier and exercise regularly, but that is not a quick fix. I believe humans want quick and easy solutions for most things: the one pill that solves your ills so you can move on with life, the one procedure after which everything is resolved. No one likes hearing about mundane things that have to be done day in and day out.

Cyber security answers are not quick fixes either. The resolution of a particular high-risk item may be quick, but the risk assessment process that finds such items has to be reviewed and kept current for as long as the practice exists.

When the HIPAA Privacy regulations were enacted 20 years ago, no one really paid attention to the risk analysis requirement (the assessment is the process; the analysis is the written documentation of that process). When the HIPAA Security regulations were added and updated in the years since, the risk analysis requirement was again mostly ignored.

The enforcement fines that were levied were for some other ‘unlucky’ group to deal with. Most medical practices, including Long Term Post-Acute Care (LTPAC) medical groups, ignored the requirement or did a superficial once-a-year risk assessment to ‘check the box’. But now there is a very real threat of losing money every day if you cannot produce the risk analysis that MIPS requires. A risk assessment process is now a MUST!

Why is there no ‘check list’ for HIPAA Risk Analysis? Because what constitutes a high risk for one practice is not a risk at all for a different practice. An example: if a practice is completely paper-based, then the storage of that paper-based PHI is a risk. A practice that is entirely electronic has no paper-storage risk, and the paper-based practice does not have to worry about electronic backups of its systems. A single checklist cannot capture both, so the government decided that each group needs its own risk assessment process to identify the risks specific to its unique situation.

The Office for Civil Rights (OCR) is now responsible under the HITECH Act for HIPAA enforcement and has been actively auditing medical groups. Fine after fine levied by OCR has cited a missing or inadequate risk assessment process as the first audit finding. One special note here: the HITECH Act gave OCR the ability to self-fund its enforcement division. The fines levied against Covered Entities and Business Associates pay for the auditors. I will let you draw your own conclusions on the efficacy of that decision.

Which brings me back to the ‘just how paranoid’ question. You need to be paranoid about making sure your risk assessment process is in place, is consistently reviewed by staff throughout the year, and that risks are remediated when they are found. A good risk assessment process will surface things like anti-virus software, firewalls, offsite backup checks, high-risk vendors, etc., which will help protect your business and fulfill the MIPS mandate.

Treat your risk assessment process like your accounting process. Have your staff conduct the risk assessment as an ongoing task, and bring in outside consulting resources when you need proper answers. Not everyone has a certified accountant on staff, and most medical groups will never have a certified cyber security person on staff either. Have your consulting resource provide correct information for you to base your decisions on.

Be most paranoid about your risk assessment process not being taken seriously or not getting done. Get that right, and you can sleep at night.
