Assessing security: How one health care provider stepped up its security outlook
When the federal government offers incentives to support a change, many organizations sprint to meet the benchmarks that trigger the payoffs. That was the goal when, in 2009, the government offered grant money to spur the adoption of electronic medical records (EMRs). Since 2009, 80 percent of doctors and 60 percent of hospitals have converted to EMRs, and $28 billion has been paid out to health care providers for converting paper files to digital.
A large health care provider in the Midwest was among them. Serving more than 200,000 patients, the organization had thousands of medical records on file that needed to be digitized. The company ramped up the push for electronic records to meet the government incentives, including the requirement to use only electronic records for Medicare and Medicaid patients by the end of 2013.
But as the company, like many providers, rushed to meet these new EMR requirements, it found the cyber security requirements were changing far faster than other technologies.
The organization knew it needed to ramp up security — and quickly — to continue to meet its responsibility to its patients and their privacy, and to continue to meet health care privacy rules and HIPAA requirements, while maintaining the security of the entire system. But with IT resources tied up in the switch to EMRs, how could the organization best upgrade its security?
One of the first challenges the organization faced was discovering the underlying issues and problems with the IT environment. Simply put, the company struggled to pull together full and complete answers about the enterprise and its potential vulnerabilities.
At a basic level, IT needed more than just a list of challenges. It wanted insight into what process, policy, and technology improvements were most pressing, and how to implement them.
The organization hired a firm to conduct an assessment, but found the resulting report only pointed out potential issues, not how to solve them. The assessment lacked scope, depth, and knowledge of the health care industry. The company wasn’t looking for a vendor but a partner that would work hand-in-hand with its own employees to develop a more secure IT infrastructure, providing constant feedback and suggestions along the way to prioritize security efforts. The search brought them to SHI, which began researching and examining the organization’s IT environment.
SHI worked closely with its customer’s officials, including senior management, to identify the root of the organization’s security deficiencies. After many discussions – including some after-hours conversations and briefings for the especially busy – SHI completed a new HIPAA Security Risk Assessment, one more conscious of its industry and concerns. One area SHI stressed was understanding the resources needed for true risk management, which includes technology and the privacy of confidential electronic protected health information (ePHI). This framework became the basis for the provider’s security initiatives moving forward.
SHI went one step further, and showed senior leadership and management a presentation detailing why human capital and asset capital were critical components of a larger security focus. By having these conversations and in-depth discussions, SHI helped the organization move forward with key enhancements to the security program. The assessment and presentation identified important points of interest and offered industry best practices on how to solve them. As a result, company officials better understood the practices required to mitigate and resolve those issues.
SHI’s HIPAA Security Risk Assessment gave the provider a clear, two-year roadmap toward more responsive security. This guiding document permitted company officials to move faster, and with more insight, to address security issues that were once unknown, unanticipated, or not fully understood. For example, knowledge discovered during the assessment led upper management to invest in additional advanced security hardware and software. Plus, the organization’s leadership better understood the value of hiring IT professionals to maintain the new infrastructure and security processes.
By upgrading its security infrastructure and developing a long-term strategic plan, the health care provider reinforced its commitment to the thousands of patients who place their confidence and trust in its ability to safeguard their medical histories and personal information.
Now, the organization remains focused on security, and with another assessment underway, it will be better equipped to secure its IT infrastructure in the future.
If you’ve found your organization in a similar situation, contact your SHI account executive today to learn more about SHI’s professional services.