From the September 2013 issue of HealthCare Business News magazine
By Derek Brost
This will come as no surprise, though it’s hard to admit:
Most U.S. hospitals are currently failing at electronic health data security. Despite the threat of multi-million-dollar fines and even jail time for HIPAA violations, hospital executives are still hesitant to invest financial and human resources in data security because there’s just no clear ROI. Many times, security is seen as a cost-avoidance strategy or “just” an IT function, rather than a necessary factor for growth.
In reality, hospitals that treat data security as a low priority are putting themselves and their patients at high risk of considerable personal and organizational fallout that will take a far greater investment of time, money and expertise to clean up. Aside from the HIPAA crackdown and the penalties that follow it, data breaches invariably snowball into patient care disruption, corrective mandates and a public-relations black eye. Patients, in turn, are particularly vulnerable to stolen identities, ruined credit scores, and delayed or even incorrect diagnoses as byproducts of a data breach. In any event, it’s a steep and expensive climb to recovery.
If your hospital is guilty of neglecting data security, I’m not here to condemn or blame. It’s a complex topic, full of rules and regulations, and it’s tough to know where to begin to make changes. The following are strategies you can employ right now to increase your patient data security, at little to no cost:
1) Increase awareness and accountability throughout your organization.
If your organization lacks a program focused on electronic and medical device data security, now is the time to start one. Appoint a leader whose job will be to know the HIPAA Security Rule requirements and your organization’s responsibilities under them. In fact, having a privacy officer and a HIPAA security officer is mandated under current HIPAA rules (note that these two roles can be combined under one person). This will likely be someone already in the organization (legally, this role cannot be outsourced), and ideally someone with some clinical expertise in addition to business, informatics and/or legal know-how. As I mentioned above, security is often pushed off to an organization’s IT/IS group, but it doesn’t have to fall there.
Once you have your privacy/HIPAA security lead in place, give that person the authority to make organizational changes. This might mean they have their own budget, or it could mean they now report to executive management. Don’t make this person a figurehead: Give them the tools, training and title they need to be effective.