Top Six Questions You Should Ask Your IT Department About Cybersecurity

Guest post by Craig Musgrave, senior vice president, information technology, The Doctors Company.

Craig Musgrave

Healthcare entities remain the top target for cyber criminals. Not only do over 50 percent of all cyberattacks occur in the healthcare industry, but there have been 4,000 daily ransomware attacks—focused mostly on healthcare entities—since early 2016, a 300 percent increase over the 1,000 daily attacks in 2015.[i]

All types of organizations must take steps to ensure they are protected. The following are six questions you should ask your IT department to evaluate your cybersecurity readiness, and some answers to these perplexing problems most industries face today.

  1. Does our organization use a security framework?
    • The National Institute of Standards and Technology Cybersecurity Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk.
    • The Framework will help an organization to better understand, manage, and reduce its cybersecurity risks. It will assist in determining which activities are most important to ensure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cybersecurity.
  2. What are the top risks I should worry about?


Electronic Medical Records Increase Potential Liability for Physicians

Guest post by Keith L. Klein, MD, FACP, FASN.

The use of electronic medical records (EMRs) is increasing liability risks for physicians. We have not yet seen the full impact of EMRs, because cases take three to four years to be filed from the time of the adverse event. However, we are beginning to see data that show EMRs are a contributing factor in malpractice suits.

In a study by The Doctors Company of 97 EMR-related closed claims from 2007 to 2014, user factors contributed to 64 percent of claims, while system factors contributed to 42 percent (a single claim can involve both). EMRs can result in a weak defense by casting the user—the physician—in an unfavorable light.

In a recent presentation I gave at HIMSS, I outlined malpractice cases that involved EMRs that resulted in cumulative awards of more than $30 million and reviewed areas where EMRs present the greatest risks.

Risk 1: Copy-and-Paste

Copying and pasting previously entered information can perpetuate any prior mistakes or fail to document a changing clinical situation. In The Doctors Company study, 13 percent of cases involved pre-populating/copy-and-paste as a contributing factor. While it may be OK to use the copy-and-paste function to save time, whatever is pasted must also be edited to reflect the current situation. Similar to copy-and-paste is the practice of using templates. Some of the biggest pitfalls in these two functions are lack of individualized information on the patient, gender confusion, lengthy notes for each encounter that look like they have been enhanced by the computer, lots of blanks, repeated typos and other errors, and use of similar phrases sequentially.

Risk 2: Informed Consent

Physicians must take care to capture the electronic signature of the patient when loading an informed consent into the EMR. Make certain the signature is legible. Also check to be sure the scanned document is in the record and that the informed consent is documented in the notes.

The following is from a case that involved problems with informed consent in the EMR:


Healthcare Organizations: What Must Be Done Before Jan. 1, 2015?

What must be done before you walk out of the office for the last time before the stroke of midnight Jan. 1, 2015? It’s a simple question with many possible responses. Each healthcare organization, based on its needs and priorities, likely has a fix on what it needs to do, though perhaps those things are not necessarily what it wants to do. The final couple of weeks of the year are different for every person, and practices are no different.

So, if you’re making a list and checking it twice, here are a few suggestions that you might want to add to it to be well prepared for the new year, based on your practice’s business needs, of course.

Review the ONC Federal Health IT Strategic Plan

Chris Boone

At Health Data Consortium, we have three must-do items before we close the door on 2014. First, we urge the health IT community to review the recently released ONC Federal Health IT Strategic Plan 2015-2020. Public comments are open until February 6, but don’t let your response get lost in the start-of-the-year flurry. Second, we are preparing for the arrival of the 114th Congress and the opportunity to share Health Data Consortium’s public policy platform for 2015. Our platform will have an emphasis on the key issues that affect data accessibility, data sharing and patient privacy – all critical to improving health outcomes and our healthcare system overall. Finally, on January 1 we’ll be only 150 days from Health Datapalooza 2015. We are kicking off the new year and the countdown to Health Datapalooza with keynote speakers and sessions confirmed on a daily basis. We’re already making the necessary preparations to gather the innovators who are igniting the open health data revolution. As 2014 comes to a close, we look forward to hitting the ground running in 2015.

Chris Boone, Executive Director, Health Data Consortium

Turn off the technology, and hire

David Finn

Ideally, turn off not only your lights, but everything — I mean every piece of digital technology and every way digital technology can connect to your organization. That is the only way to assure there are no accidents, glitches, failures or breaches. Here are some other things you can do:

• Fill every open position you can. Have positions and people identified and include backups. The only thing worse than not having a position to fill is having one to fill and leaving it open.

• Address mobility, medical devices and patient engagement, and not just from a security perspective — this is everyone who provides access, information or uses these devices or systems.

• Address the culture and have a plan to include every individual in the organization, if the technology touches them, from BYOD to analytics to privacy to cloud storage.

IT, regardless of the industry, is ultimately about people. In healthcare, it is also about the data itself, which represents your patients. It has to be there, it has to work, it has to be secure.

— David Finn, CISA, CISM, CRISC, is a member of ISACA’s Professional Influence and Advocacy Committee, and the Health Information Technology Officer for Symantec
