Meaningful Use and Security Risk Assessments

Meaningful Use Core Requirement for HIPAA

Pete Niner
Director, Techumen

The very last component of achieving meaningful use of EHRs is to “Conduct or review a HIPAA security risk analysis … and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.” It’s not nearly as cut-and-dried as the other meaningful use objectives, and requires a bit of unpacking to fully understand. There are three elements in that sentence, each required to achieve meaningful use:

1. Security risk analysis: This is already required by the HIPAA Security Rule, so it should come as no surprise to providers. That said, just how thorough was your risk analysis? What methodology did you use? Was it a few IT guys in a room discussing risk, or did you involve clinicians and management? Did it cover just your organization, or did you look at key third parties? Did you look at threats to the integrity and availability of your information, or did you focus solely on confidentiality? A security risk analysis should cover all aspects of security, involve all stakeholders, and address any organization that handles your information.
2. Implement security updates: How many providers have a risk analysis that’s been updated in the last year? The last five years? It might be time to dust it off and see what’s changed since you last performed a risk analysis. Health IT, and the processes it supports, are very dynamic, and security is not a one-and-done topic. At the very least, a vulnerability management program should be in place to find, test, and deploy needed security fixes.
3. Correct identified security deficiencies: Risk management is a familiar concept in healthcare. Patient safety risk, financial risk, and performance risk are all currently being managed, albeit with greater or lesser degrees of sophistication. The same, or better, discipline should be applied to security risk management. While risk will never go away – nothing is ever 100% certain – there is a range of measures your organization can take to manage that risk and, more importantly, to know which risks are being accepted. It’s important to note that not all risks can or should be managed via technical measures; managerial oversight, redundancy, or extra training are often more effective (and cost-efficient) than the latest whiz-bang application.

The risk management piece of meaningful use, while somewhat obscured by technical jargon, is at its heart a simple and sound measure. Your organization faces risks to its information. These risks must be intelligently measured, managed, and monitored to ensure the safety and privacy of your patients.