
Sean Smith, Systems and Security Manager: Why am I writing this blog? There are others, right?


So what qualifies me to write this blog? I am currently the Systems and Security Manager for Geriatric Practice Management, developers of the GEHRIMED EHR software. For eight years I was a U.S. Navy Cryptologist dealing with Top Secret (and higher) classified materials. I founded an IT consulting company that served more than 100 small medical groups, focusing especially on HIPAA and Meaningful Use. I’ve lived IT security, need-to-know, HIPAA, Meaningful Use (MU), Risk Assessments, etc. for almost two decades. Sadly, information for the Long Term Post-Acute Care (LTPAC) medical group community is woefully lacking!

If you have ever looked for a good source of HIPAA Security information, you have no doubt come across pages and pages of search results for HIPAA Security blogs. If you run a more specific search for “LTPAC Security Blog”, you get back a much shorter list, all of which are either IT company advertisements or results directed at facilities, not LTPAC Medical Groups. It was this lack of LTPAC Medical Group information that led me to begin this blog.

One of the first things you will notice in other blogs is that they don’t seem to understand the LTPAC Medical Group community. Those blogs talk about office ‘staff roles and functions’, and seem to assume that all providers are specialists with a ‘robust budget’ to deal with the regulations and programs required to stay in compliance. And speaking of budgets, the new MACRA rules currently being finalized mandate that the HIPAA Risk Assessment is an integral part of the base Promoting Interoperability (previously known as Advancing Care Information) score, which affects provider reimbursement in 2019. This year, physicians who do not receive a hardship exception or who do not participate in MU face a payment adjustment of up to +/- 4% on Medicare reimbursement in 2019. That adjustment increases to +/- 9% by 2022**. So the MACRA ‘stick’ to accompany the MU stimulus money ‘carrot’ is here.

Another reason I wanted to write this blog was to address several questions I keep getting over and over in relation to HIPAA Security and HIPAA Risk Assessments. Questions frequently asked include:

• When do you have to do your HIPAA Risk Assessment?
• What tool is the best?
• Where is the HIPAA Compliance checklist?
• Do we really have to change passwords?
• How did you put all of this together and how much time did it take?
• How much does it all cost? (my emphasis added)

Managing an ever-evolving cyber security program has driven home some good lessons on what to do and what not to do. Putting things into a blog to initiate an ongoing conversation about the who, what, why, where, when, and how (including costs) seemed like a better way to disseminate information. This is not a one-time discussion.

Over the course of the next several posts we’ll cover the basics, such as:

• Why compliance does not equal security.
• Malware, Ransomware and all the ‘boogey man’ terms.
• Why your user training is not good enough.
• How much does this all cost?
• HIPAA Risk Assessment is just the first step.
• Are we being paranoid enough?

To end this first post, I’d like to leave you with some statistics and information so you know just how serious all of this is:

• Medical records are considered a ‘holy grail’ on the black market because they contain all three types of information needed for fraud: immediate financial information, medical plan identification and basic demographics (SSN, maiden name, etc.).
• A medical record is estimated to be worth $363 on the black market, with a recently deceased patient’s record being more valuable, since no one is watching the credit of a deceased patient.
• It’s not the kid in a basement anymore. It’s organized crime syndicates that pay unethical hackers to target organizations specifically to get medical information.
• National statistics tell us 75% of users have the same password on multiple systems, including personal accounts. 47% use passwords that are at least five years old. 20% of all users had a password stolen online in 2014.

These facts should put a chill down your spine. We’ll cover ways in this blog to set up good programs to put layers and layers of security and processes between the bad guys and your systems. We want the bad guys going after easier targets.

Sean Smith, System and Security Manager
Geriatric Practice Management, LLC


**A very big Thank You to the Geriatric Practice Management Regulatory Team for the in-depth explanation of the Proposed MACRA rules. For detailed information on MACRA and MIPS, please attend the upcoming Webinar: Demystifying MIPS.
