September 2013 – RISC Management and Consulting

The Healthcare Information and Management Systems Society(HIMSS) Summit focused on the clinician community which included physicians and nurses where they met with senior staff of their counterparts in Congress last September 19th, 2013. “Dr. Carol Steltenkamp, Vice Chair of the Board, from Kentucky, and Dr. Paul Kleeberg, Board Chair-elect, from Minnesota, and other physician Board members and HIMSS members—met with House Doctors Caucus staff to explain physicians’ view of health IT, Meaningful Use, and HIMSS’ recommendations to optimize health engagements and care outcomes using information technology” according to the HIMSS News. The House Doctors Caucus is chaired by the Honorable Phil Gingrey, MD, (GA/11th) and the meeting was organized by David Pulliam, Legislative Assistant to Dr. Gingrey.
At the same time, HIMSS sent nurse members to meet with the staff of professional nurses in Congress. “The meeting was hosted by the Honorable Eddie Bernice Johnson, RN (D-TX) who represents a district that is part of the Dallas area. Carrie Palmer, Legislative Assistant to Congresswoman Johnson organized the meeting” as mentioned by the HIMSS News.

The 2013 HIMSS Congressional Asks were:
1. Consistent Nationwide Patient Data Matching Strategy
2. Alignment of Healthcare Quality Reporting Requirements Across Federal Programs
3. Consistent Adoption of Health IT Exchange Standards and Implementation Guidelines

For more information on all three 2013 Policy Summit Congressional Asks Recommendations click:
1. http://www.himss.org/files/HIMSSorg/Congressional_Asks_1%202013_InteroperabilityPatientID.pdf
2. http://himss.files.cms-plus.com/HIMSSorg/CongressionalAsks_2_2013_AlignmentClinicalQualityMeasures.pdf
3. http://himss.files.cms-plus.com/HIMSSorg/Congressional_Asks3_2013StandardsInteroperability.pdf

When your organization is building a security program, clear direction must come from the Executive level to guide management and staff in implementing the right solutions. Without a greater understanding of the organization’s direction, management lacks the proper knowledge to make decisions in the best interests of the organization. In much the same way, a security program needs the proper structure of controls in place to guide the organization at the lower levels of the workforce.

A security control is “any administrative, management, technical or legal method that is used to manage risk.”¹ Once your organization has identified areas of need, whether because of security or compliance concerns, controls are the tools used to correct the problem or fill the gap. These tools can consist of staff members, physical or technical measures, procedures, or governance. As Kim Sassaman explains, “Implementation of information technology security controls is how the Security Program is put into operation.”¹ When deciding on a control to deploy, the decision needs to be part of a risk analysis or risk management process; each type of control must exist for a specific reason, hopefully filling multiple needs at once.

Some examples of controls include door locks, ID badges, firewalls, encryption, policies, procedures, and oversight committees. One of the most glaring results of the OCR KPMG Audit Program was that nearly 80% of Covered Entities were lacking a formal risk analysis, the very first step in determining the proper controls for your organization!² And if you haven’t heard about some of the most recent data breaches, many of them have been caused by a lack of encryption or media disposal controls. These issues and more can be resolved with a proper security program supported by security controls outlined in organization policies.

Contact RISC Management if you need help developing a security program or implementing controls. Remember, the first step is always a Risk Analysis. If you don’t identify, analyze, and document your risk, you’ll never effectively manage it.

References