What must be done before you walk out of the office for the last time before the stroke of midnight Jan. 1, 2015? It’s a simple question with many possible responses. Each healthcare organization, based on its needs and priorities likely has a fix what it needs to do, though, perhaps those things are not necessarily what it wants to do. Like people, the final couple weeks of the year are different for everyone and practices are no different.
So, if you’re making a list and checking it twice, here are a few suggestions that you might want to add to it to be well prepared for the new year, based on your practice’s business needs, of course.
Review the ONC Federal Health IT Strategic Plan
At Health Data Consortium, we have three must-do items before we close the door to 2014. First, we urge the health IT community to review the recently released ONC Federal Health IT Strategic Plan 2015-2020. Public comments are open until February 6, but don’t let your response get lost in the start of the year flurry. Second, we are preparing for the arrival of the 114th Congress and the opportunity to share Health Data Consortium’s public policy platform for 2015. Our platform will have an emphasis on the key issues that affect data accessibility, data sharing and patient privacy – all critical to improving health outcomes and our healthcare system overall. Finally, on January 1 we’ll be only 150 days from Health Datapalooza 2015. We are kicking off the new year and the countdown to Health Datapalooza with keynote speakers and sessions confirmed on a daily basis. We’re already making the necessary preparations to gather the innovators who are igniting the open health data revolution. As 2014 comes to a close, we look forward to hit the ground running in 2015.
— Chris Boone, Executive Director, Health Data Consortium
Turn off the technology, and hire
Ideally, turn off not only your lights, but everything — I mean every piece of digital technology and every way digital technology can connect to your organization. That is the only way to assure there are no accidents, glitches, failures or breaches. Here are some other things you can do:
• Fill every open position you can. Have positions and people identified and include backups. The only thing worse than not having a position to fill is having one to fill and leaving it open.
• Address mobility, medical devices and patient engagement, and not just from a security perspective — this is everyone who provides access, information or uses these devices or systems.
• Address the culture and have a plan to include every individual in the organization, if the technology touches them, from BYOD to analytics to privacy to cloud storage.
IT, regardless of the industry, is ultimately about people. In healthcare, it is also about the data itself, which represents your patients. It has to be there, it has to work, it has to be secure.
— David Finn, CISA, CISM, CRISC, is a member of ISACA’s Professional Influence and Advocacy Committee, and the Health Information Technology Officer for Symantec
Safeguard against cybersecurity threats
Practices should take these steps to help safeguard against cybersecurity threats. Ensure that you have secure office processes in place to address all areas of potential vulnerability. This includes implementing sign-in sheets that ask for only minimal information, developing procedures for the handling and destruction of paper records, and detailing policies about which devices are allowed to contain protected health information, or PHI, and under what circumstances those devices may leave the office.
Encryption is the best way to prevent a breach. All devices that contain PHI, such as laptops, desktops, thumb drives, and centralized storage devices, should be encrypted. Make sure that thumb drives are encrypted and that the encryption code is not inscribed on or included with the thumb drive.
Audit and test your physical and electronic security policies and procedures, including your plan for what steps to take in case of a breach. Taking the proper steps in the event of a breach may help you avoid a fine. Also, make sure that your practice has insurance to assist with certain costs in case of a breach.”
— David McHale, senior vice president and chief legal officer, The Doctors Company
Thank your customers and document protection policies
As a health IT company the two biggest things we have to address before we close out 2014 are 1) thanking our customers for entrusting us as the stewards of their data and 2) completing several formal processes related to our information security management program. In terms of thanking our customers, we send hand written thank you notes along with small presents. The other work relates to our policies and procedures. These policies and procedures are in place to assure ongoing compliance with HIPAA regulations, and require updated documentation and risk analysis.
— Travis Good, M.D., CEO and co-founder, Catalyze, Inc.
Set up a thorough off-boarding process for employees leaving the practice
One thing that must be done before Jan. 1, 2015. is to set up a thorough off-boarding process for employees leaving the practice. Ex-employees have become a huge, overlooked risk for companies (especially in the healthcare industry with HIPAA compliance risks). A recent study found that 89 percent of workers actually retained access to a former employer’s sensitive cloud apps-including Dropbox, SharePoint, PayPal, email and others after leaving the company.
One example, Jason Cornish, a disgruntled former IT worker at the U.S. subsidiary of a Japanese drug-maker, logged into the network of his former employer and deleted numerous files and data — the equivalent of 88 different computer servers. The attack resulted in the freezing of the company’s operations for several days, including the ability to send emails, cut checks and ship products. This is not an isolated incident and the threat is surprisingly widespread, which is why companies need to have a system in place to avoid a potentially detrimental problem.
— Michael Gold, president, Intermedia