
Could Meaningful Use Stage 3 Affect Your IT Strategy?


Meaningful Use is often a prickly conversation piece whenever I bring it up with hospital administrators and IT Support teams.

The problem?

It’s awfully confusing to figure out exactly what the document requires hospitals to implement, and when. Often, the language seems vague or incomplete. It’s kind of like a beach by the ocean: it’s hard to define where it starts or stops. When the tide is constantly changing, you might have a real hard time defining what’s ocean and what’s beach. The same is true of Meaningful Use.

But one of the slightly more concrete sections (albeit somewhat outdated relative to the changing demands) covers what specifically your hospital should have in place when it comes to protecting your protected health information (PHI).

First, Meaningful Use has a couple of requirements you likely have been doing already. One of those was rolled out in Stage 2: the security risk assessment. While I’m not going to dwell on the security risk assessment in this discussion, I simply want to make one point regarding HIPAA assessments. Time and time again, I encounter hospitals that have passed their annual required HIPAA risk assessment, later to fall victim to ransomware and cyberattacks simply because they actually do NOT have their security patched up.

In several instances, I’ve seen HIPAA assessments passed with flying colors, but even basic patches weren’t applied on their servers and workstations. Even though you completed that compliance checkbox item, your security is far more important than simply meeting a compliance guideline. That’s why I’d strongly suggest getting a second opinion with a ransomware vulnerability assessment to see if your security infrastructure is actually keeping up with modern attacks—many of which were devised well after HIPAA had already been in place for years (things HIPAA compliance is not even seriously considering in its requirements).

In Stage 3, you will be required to secure what we in cybersecurity call the triad: Technical, Administrative and Physical Security.

Technical Security—you’ll be expected to implement IT safeguards—applying them to software and hardware, alike—to secure your data. This encompasses data encryption, firewalls, data access methods, and other technological protections aimed at keeping data safe.

Administrative Security—while many folks already are keeping tabs on who is accessing what on their networks, many (nearly 80% of those folks we assess) don’t realize quite how many people have access to nearly every single piece of data on their network. By monitoring who has access to what, and limiting access to sensitive information to only those people who require it to perform their jobs, you eliminate considerable risk of data breaches and even full-blown ransomware attacks that could leave your entire hospital network’s data encrypted (and no one able to treat or bill patients).
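As an added illustration of the access review this paragraph describes (my example, not code from the article or its author), the script below takes a constructed inventory of file shares, ACL grants and group memberships (all hypothetical names and paths), follows nested group membership to work out which accounts can effectively reach each PHI share, flags PHI shares granted to broad built-in principals, and reports how many PHI shares each account can read. Real reviews would pull the same data from the file server and directory rather than from literals.

```python
"""Access review for over-broad permissions on PHI shares.

Added example; not part of the original article. All groups, users,
share paths and grants below are constructed for illustration.
"""
from collections import defaultdict

# Constructed directory groups. Members may be users or other groups (nested).
GROUPS = {
    "Domain Users": ["nurse.a", "nurse.b", "billing.c", "it.admin", "records.d", "vendor.e"],
    "Nursing": ["nurse.a", "nurse.b"],
    "Billing": ["billing.c"],
    "Medical Records": ["records.d"],
    "Clinical Staff": ["Nursing", "Medical Records"],  # nested group
    "IT": ["it.admin"],
}

# Principals that effectively mean "everyone with a login".
CATCH_ALL_PRINCIPALS = {"Everyone", "Authenticated Users"}
# Grants that should never appear on a PHI share during a review.
BROAD_PRINCIPALS = CATCH_ALL_PRINCIPALS | {"Domain Users"}

# Constructed share inventory: path -> whether it holds PHI and who is granted access.
SHARES = {
    r"\\fs01\EHR-Exports": {"phi": True, "grants": ["Domain Users", "IT"]},
    r"\\fs01\Billing": {"phi": True, "grants": ["Billing", "IT"]},
    r"\\fs01\Nursing": {"phi": True, "grants": ["Clinical Staff", "IT"]},
    r"\\fs01\Public": {"phi": False, "grants": ["Everyone"]},
}


def all_users(groups):
    """Every leaf account mentioned in the group tree (names that are not groups)."""
    return {m for members in groups.values() for m in members if m not in groups}


def expand_principal(name, groups, seen=None):
    """Return the set of user accounts behind a principal, following nested groups."""
    if seen is None:
        seen = set()
    if name in seen:          # guards against circular group membership
        return set()
    seen.add(name)
    if name in CATCH_ALL_PRINCIPALS:
        return all_users(groups)
    if name not in groups:    # a plain user account
        return {name}
    users = set()
    for member in groups[name]:
        users |= expand_principal(member, groups, seen)
    return users


def effective_users(share, groups=GROUPS):
    """Accounts that can reach a share once every grant is expanded."""
    users = set()
    for grant in share["grants"]:
        users |= expand_principal(grant, groups)
    return users


def review_shares(shares=SHARES, groups=GROUPS):
    """Findings: PHI shares granted to broad principals, with effective user counts."""
    findings = []
    for path, share in shares.items():
        if not share["phi"]:
            continue
        broad = sorted(BROAD_PRINCIPALS & set(share["grants"]))
        if broad:
            findings.append({
                "share": path,
                "broad_grants": broad,
                "users": len(effective_users(share, groups)),
            })
    return findings


def user_reach(shares=SHARES, groups=GROUPS):
    """For each account, how many PHI shares it can read (the 'blast radius' of one stolen login)."""
    reach = defaultdict(int)
    for share in shares.values():
        if share["phi"]:
            for user in effective_users(share, groups):
                reach[user] += 1
    return dict(reach)


if __name__ == "__main__":
    for finding in review_shares():
        print(f"{finding['share']}: broad grants {finding['broad_grants']}, "
              f"{finding['users']} accounts can read this PHI share")
    for user, count in sorted(user_reach().items(), key=lambda kv: -kv[1]):
        print(f"{user}: can read {count} PHI share(s)")
```

In the constructed data, the EHR export share is the one finding: granting it to Domain Users makes it readable by every account, including the vendor login, so a single compromised workstation credential can reach it. The per-user reach table is the figure to watch in a ransomware context, since encryption runs with whatever access the compromised account already holds.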

Physical Security—as an extension of Stage 2, you will be required to include device encryption to protect access to data within your facility. You are also required to put access controls on workstations. That means, when a nurse walks away from the nursing station or someone in medical records leaves his or her desk, no one should be able to access what is on their screen or what is on their computer.

The Good News? Many of the changes in Stage 3 are easily tracked and easily implemented with regard to network security. There are an awful lot of companies that will perform checklist-driven assessments that simply look to see that your hospital is doing the basics.

The Bad News? Many of these assessments will give your team a false sense of security, given that there are hundreds of ways criminals are cracking through ‘HIPAA-Secure’ facilities, leading to breaches, ransomware attacks and patient identity theft.

The Ugly? I’ve had to help clean up dozens of hospitals that had passed HIPAA security assessments with flying colors. If your hospital’s entire network is compromised—oftentimes including backups—you may be waiting nearly a month to recover to a point before the attack. You likely will still lose out on big chunks of AR that cannot be easily traced. And you for certain will have lost out on much-needed cash flow between when recovery started and when it was wrapped up. That’s not to mention how much cyber forensic investigations cost!

What I propose is proactively understanding where your hospital stands from a ransomware vulnerability standpoint BEFORE you need help from a team like mine that specializes in ransomware recoveries. Consider a ransomware vulnerability assessment today to make sure (1) basic Stage 3 items are covered, but more importantly that (2) you are not an easy victim for criminal attacks.