Technology Tests for Meaningful Use Payments & HIPAA Compliance
COMMENTARY
Mike Semel
Semel Consulting
Every day doctors order labs, X-rays, MRI’s, ultrasounds, biopsies, endoscopies, and other tests to find out what is going on under a patient’s skin. Vulnerability testing can identify what Meaningful Use compliance risks lurk below the surface of your network.
Recently a university was fined $ 400,000 for a data breach caused by a firewall not working properly—for over 10 months. Many medical and dental practices don’t even have a firewall, but use a consumer-grade router designed for a home where your only security risk is losing some embarrassing pictures. Even if you do have a firewall, is it configured properly, is it really blocking intrusions, and are the security features current? Does anyone on your staff know how to check for HIPAA compliance, required for Meaningful Use?
What operating systems are on the computers in your office? After April, 8, 2014, no practice or hospital using Windows XP or Microsoft Office 2003 will achieve Meaningful Use compliance because both will lose their security updates. While a HIPAA compliance violation may not make your hair stand up, practices and hospitals continuing to use Windows XP systems will not be able to qualify for Meaningful Use money. You won’t pass the Meaningful Use Core Measure to protect patient data. Even if your desktop computers and laptops are new, you may have Windows XP imbedded in a diagnostic device in your office. If you continue to use Windows XP systems and attest after April, 2014, you risk having to return your Meaningful Use incentive payment, or, worse, face government action through the federal False Claims Act.
If you use low-cost leader computers purchased at a local retailer or on-line store you won’t be compliant with HIPAA and Meaningful Use. Consumer-grade operating systems do not have security features.
HIPAA’s Audit Controls requires that logs be kept of system activity for six years. Do you have logging turned on? Are you archiving them? Are you reviewing logs as required by the HIPAA requirement for Information Systems Activity Reviews? That is the section of the HIPAA Security Rule referenced in the $ 400,000 penalty for the firewall breach.
Security is a moving target, which is why software and hardware vendors regularly release patches and updates, and firmware updates for hardware devices. Endpoint Protection software guards against viruses and other malware, and must be kept current and functioning for HIPAA compliance. Without these tools your systems are vulnerable to malicious software and hackers. Just like food poisoning or a virus, you may not immediately know that you have been infected, until someone silently takes over your bank account or gains access to your patient records.
A Network Vulnerability Assessment is a complete check-up. It includes the “lab tests” and imaging required to identify weaknesses to your network security, far beyond anything identified in a basic Security Risk Analysis.
Monitoring
Just like an intensive care patient wired up for monitoring, there are systems that can monitor your network 7×24, and alert your IT staff or outsourced IT provider, often before you feel any pain or interruption. These systems monitor your online data backups to make sure they are working; your systems to ensure that patches and updates are installed; Internet connectivity; hard drive issues before they interrupt your work; and a lot more. These tools also allow for remote management of many problems, so your problem is solved in less time that it would take for a tech to drive to your office.
Never Audit Yourself
Instead of waiting for a HIPAA compliance violation or data breach to occur, would you like an independent party’s opinion—without a fine? Would you like to know that the work your IT staff or outside provider is doing meets HIPAA compliance requirements? If there are problems, would you like a chance to fix them without the pressure of a federal HIPAA compliance investigation?
Think you can do this yourself? According to guidance provided for the EHR Incentive Program Meaningful Use attestation, “doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.” (ONC Guide to Privacy & Security of Health Information)
Mike Semel is certified in HIPAA and has been the CIO for a hospital (Covered Entity) and has provided IT support for healthcare providers (as a Business Associate.)