Meaningful Use: Part of a Perfect Storm of RiskBy: SecureWorks
For me, The Perfect Storm is one of those movies that, no matter what you're doing, if it's on, you end up watching all the way through.
It's like watching a car wreck - you just can't take your eyes away from the disaster as it unfolds. I keep thinking about those poor guys in the boat with their fate long-since sealed, and they don't even realize it until they're in the thick of it.
In the movie, The Perfect Storm is just that. Three storms, each dangerous in their own right, come together into something more than the sum of its parts. While various characters were considering the risk that any one of the storms posed, no one was looking at the combined effect until too late - they were already committed to a calamitous path when the real danger became apparent.
It seems to me that a perfect storm now seems to be brewing in healthcare security. First, you have Meaningful Use incentives and penalties creating urgency for healthcare providers to get online with Electronic Health Records. Next, HHS' breach notification rule creates a huge incentive to avoid getting your name in the media. Finally, the recent contract for KPMG to begin HIPAA security audits this year is underway. All of these factors are coming together at once, and creating an unpredictable landscape for what the digital healthcare landscape will look like in another ten years.
If you're going to survive this storm, you need to consider all three of these factors together. For security professionals, the best way to plan and prioritize in complicated circumstances is a risk assessment. But a recent HIMSS survey of large healthcare organizations found that just 47% currently conduct annual risk assessments (despite it being a part of the original HIPAA requirement). This suggests that there isn't a security strategy at many providers- just a list of tasks driven by various business needs. This isn't particularly surprising - fifty-eight percent of the respondents had no staff members dedicated to security, and 50% spent 3% or less of organizational resources on security.
The point is - you're certainly not alone if you have yet to implement and conduct periodic risk assessments. In fact, only 2% of providers had attested to meeting Stage 1 of the Meaningful Use requirement by 2009. Approximately 90% of hospitals have expressed an intent to meet the Stage 1 requirements by 2012, which includes a measure for protecting electronic health information under requirement 45 CFR 164.308(a)(1) , including conducting a risk analysis and implementing security measures as appropriate, and correcting identified security deficiencies as part of an overall risk management process.
What this illustrates is that providers have a strong incentive to begin adoption of EMR according to Meaningful Use guidelines by 2012. Under the Medicare EHR Incentive Program, Medicare eligible professionals who demonstrate "meaningful use" of certified EHR technology can receive up to $44,000 individually over 5 years. But to receive the maximum EHR incentive payment, the eligible professionals must begin participation by 2012. For 2015 and later, Medicare eligible professionals who do not successfully demonstrate meaningful use will have a payment adjustment to their Medicare reimbursement, starting at 1% and increasing each year that a Medicare eligible professional does not demonstrate meaningful use, to a maximum of 5%.
So the key takeaways here are that: as a hospital, you will have to eventually meet the Meaningful Use requirements. And the sooner the better, since the incentives require you to act quickly to buffer enough time to implement the strategies, hardware, processes, and controls that will be required.
Some key questions that all providers need to answer regarding risk include:
- Have you identified ePHI within your organization?
- What are the external sources of ePHI? For example, do vendors or consultants create, receive, maintain or transmit ePHI?
- And, what are the human, natural, and environmental threats to information systems that contain ePHI?
And if you're already performing risk analyses, some of the critical questions are:
- How thorough was the initial risk analysis?
- What methodology was used?
- Did it just cover your organization, or were third parties also examined?
- How often have you updated your risk analysis in the past year?
As we can see in the news every day, constant threats are emerging of an always-increasing scale and sophistication, so having a process in place to proactively monitor these threats in real-time is essential. While a risk analysis is a necessary component to reach and achieve the Meaningful Use requirements, it's also an asset that's valuable for ongoing planning and prioritization as new business needs, regulations and threats emerge.