
    10 steps to strengthen physician practice systems, safeguard patient data

    One of the knottiest challenges facing medical practices today is protecting the security of electronic patient information. For both operational and regulatory compliance reasons, practices must perform security risk assessments to find out where they are vulnerable so they can plug the holes. If they don’t, they are much more likely to suffer a security breach that compromises patient data or locks them out of their own vital records. They could also be fined for not complying with government regulations.

    For a security risk assessment, practices don’t necessarily have to hire a security consultant. They can learn much of what they need to know by downloading publicly available security risk assessment tools. Read on to find out how to do that and how to use these tools.

    Security risk assessments are required by the security rule of the Health Insurance Portability and Accountability Act (HIPAA). In addition, the federal electronic health records (EHR) incentive program, popularly known as “Meaningful Use,” mandates them, as does the successor to meaningful use, the Advancing Care Information category of the Merit-based Incentive Payment System (MIPS). 

    Despite these requirements and the increasing threat of cyber attacks, many small practices have “huge gaps” in their security procedures, notes Lee Kim, JD, director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS). Some doctors and practice managers believe that if their system has a firewall and is password-protected, they’re secure, she says.

    Kim and other experts doubt that small practices can do adequate security risk assessments on their own, even with the help of online risk assessment tools available from HIMSS and the Office of the National Coordinator for Health IT (ONC). 

    “They can try to tackle it themselves, but there’s so much to sort through,” says Nathan Gibson, director of IT operations and privacy officer for WVMI Quality Insights, based in Charleston, West Virginia.

    Gibson and Kim both recommend small practices enlist the help of security consultants. But they recognize it’s expensive: hiring a consultant for a security risk assessment can easily cost several thousand dollars, Kim notes. And that doesn’t include the cost of repeat assessments—which should be done at least once a year—or the cost of mitigating security problems.

    Gibson says that a large group’s IT staff can handle security risk assessments on its own. That approach has proven successful for some groups. For example, Susan Harrington, IT director for Emerald Physicians, a 50-provider group in Hyannis, Massachusetts, has been doing risk assessments and writing security plans for her practice for the past five years. ONC’s security risk assessment tool has been invaluable, she notes. Since 2012, she has been assisted by Roland Stulsky, the group’s chief information officer.
