Education, HIPAA / HITECH Enforcement, Meaningful Use

HITECH Meaningful Use – The Past is not Behind Us

ImageMany healthcare providers have said goodbye to HITECH’s meaningful use stage 1 to pursue the stage 2 requirements.  However, the future is not a stranger to its predecessor, requiring a better realization of concepts and metrics of many standards in stage 1.

Stage 1 was the beginning of HITECH’s transformative approach to health care, requiring movement to electronic health records (EHRs) and more efficient transmission and use of the EHRs, which is proving to be beneficial to patients and their care as evidenced by the ease of e-prescribing.  To ensure continuous progress of realizing the vision of greater health information effectiveness, care providers must continue to raise the bar and push for increasing processes such as e-prescribing and introducing processes that share care information with other relative providers while still maintaining the privacy and security standards for patient information.

This stage also solidifies new requirements such as bringing patient health records to the world of internet accessibility and giving the patients greater insight into their own health information.  This increases the potential risks for the providers despite the convenience and usefulness of the program as a whole.  Incurring this additional risk will require organizations to perform additional risk analysis to stay in front of the threats and ensure that best practices are followed while encrypting information in storage and transit as well as working with clients to raise awareness of information security.

Stage 2 will bring a new planning phase, but also a new cycle in the life of what should be a living process.  If you are struggling to optimize your process, let RISC Management help you maximize the potential of meaningful use stage 1 while developing a secure plan and foundation for the new requirements in stage 2.Image

Sponsored by: RISC Management,


Education, HIPAA / HITECH Enforcement, OCR HIPAA Audits

Re-posting of Lunch and Learn Educational Link

Lunch & Learn – Part 1 Office for Civil Rights & the KPMG HIPAA Audit Program with RISC Management and Consulting
Part One
Part Two


Data Breach, Education, HIPAA / HITECH Enforcement, Tip of the Week

Physical Security – First Line of Defense, First Point of Failure

When an organization is developing or maintaining their information security program they often cruise through the physical security portion.  It is fairly straight-forward to have locks, cameras, and guards.  However, the simple requirements can often be deceivingly complex in their implementation in each organization.

One specific common point of failure is the security personnel and front desk staff.  Many times an organization will contract externally for security staff, and while this can be beneficial in multiple ways from an administrative standpoint, there are considerations that must be made for it to truly be a success.  Vendor staff receives training through education and training on general security tasks, but may not receive training on the importance of information security.   The vendor resources are meant to be transportable, or able to fill roles in various industries.  Therefore an organization outsourcing for security resources must be prepared to train for industry and company specific best practices and requirements.  It must be ensured that the personnel are performing as expected to evaluate the effectiveness of training and focus of the staff.  Contracting for social engineering testing is an effective way to test the penetrability of an organization’s physical defenses.  Will your staff know the boundary of a visitor taking camera phone pictures near a sensitive environment?  

Information security is everyone’s responsibility.  It is crucial each individual understands and follows through with their part to ensure an organization’s information, their most valuable asset, is protected.  Physical security modifications are often brought about in response to an incident.  When it is approached holistically and proactively, as are other compliance standards, there is more assurance and reliability in the program as a whole thereby reducing the risk of compromise, loss of compliance status, and loss of reputation.

A security program is not meant to be stand-alone components – it is meant to be an organized program where each process is intertwined and lends strength to the other pieces.  Physical security is a first line of defense, and training staff appropriately will strengthen that defense when designed to relay content efficiently and demonstrably.

For assistance in evaluating and improving your physical security program, including social engineering penetration testing, please contact RISC Management and Consulting at:, 800.648.4358


Security Rule Standards – 164.308 & 164.310