Patient safety is, or should be, a top priority in every health care facility in New York and the rest of the country. Safety can be at risk in many different ways, as we pointed out in this blog earlier this year. One major threat that deserves particular attention is that posed by cyber attackers going after network-linked equipment and medical data.
To show just how significant this issue is, consider the results of a recent survey by the American Medical Association. The AMA reports that 83 percent of 1,300 doctor respondents said their practices have been targets of cyber attacks that threatened electronic data. The danger, of course, is that electronic health records could be altered. If that happens and the record is then shared, information that should aid treatment could become a hazard.
Steps to assess risk
Regardless of the size of a practice, the Health Insurance Portability and Accountability Act (HIPAA) requires keeping information confidential. It also imposes obligations for keeping information secure and for how to inform patients when breaches occur. The onus is on the industry to do all it can to eliminate concerns about compliance now and in the future.
HIPAA lists five basic steps to analyze security risks.
Identify all elements of your information technology system. This includes inventorying all stationary and portable computerized hardware that collects and stores data within the practice and that can transmit information elsewhere. All administrative processes should be reviewed, too, to make sure they comply with the law.
Identify potential vulnerabilities. This amounts to an audit of current security measures, looking for weaknesses. You can do this through discussions with appropriate employees. Government agencies, professional associations and legal counsel can help, too.
Rank the risks. If you have unencrypted laptops that are used for patient home visits, this might be a critical risk. Rankings of medium, high and critical can be assigned by gauging how likely an attack might be and how much damage could result.
Address the risk. Some might feel this job is done by having a plan in place, but many experts would agree that you have to go a step further and take action on the plan.
Don’t stop. Preventive care suggests the value of regular checkups. The same applies to patient information security. One AMA official recommends performing the above steps once every year.