Last week, President Biden announced the implementation of the Cybersecurity National Action Plan (CNAP), his efforts to further improve the nation’s approach to cybersecurity. According to a White House statement, the CNAP is a long-term strategy designed “to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security.”
What does CNAP mean for the healthcare industry, particularly small medical practices who are already struggling to keep up with ever-changing compliance regulations? If you ask the Health Information Trust Alliance (HITRUST), their belief is that an increase in information sharing could be a very good thing for the industry in general.
While it’s unclear how healthcare cybersecurity will be directly impacted by these latest federal measures, it seems this “all-hands-on-deck” approach to improve data security is an important first step. Physicians and their IT vendors must keep themselves up-to-date on the latest federal, state, and local regulations when it comes to data security.
Device Manufacturers and Healthcare Providers Must Work Together
Beyond keeping up-to-date with regulations, these new security measures call for more collaboration between health IT vendors, device manufacturers and healthcare providers. Together these entities can work through issues and develop new standards and guidance for the entire industry.
Physicians will have to don another hat, that of advisor, participating in as many industry groups as they can manage in order to provide feedback to the vendors and device manufacturers.
Steps Providers Can Take to Increase Their Security
Moving forward there will be even more pressure on physicians and staff to ensure they are staying compliant with evolving NCAP measures. The following steps with help healthcare providers keep patient data as secure as possible.
Confirm Your “Covered Entity” Status
The majority of healthcare providers are covered entities and with this status have HIPAA responsibilities to keep their patients’ individual health information private and secure.
Be a Leader in Your Practice
Physicians can no longer rely on vendors to take the reins when it comes to IT security. They must take on a leadership role within their office to emphasize the importance of protecting patient data. HIPAA requires providers to designate a privacy and security officer on your staff. If you haven’t done so already – now is definitely the time.
Document Everything
Though doctors barely have time to grab a second cup of coffee these days, they will now have to spend even more time on documentation. And not just documenting patient interactions – no – documenting all security measures that are in place including how you created them and what steps you take to monitor them. It’s a good idea to keep this documentation organized either in a paper or electronic folder for your records.
Conduct Security Risk Analysis
Make sure the privacy and security officer you assigned on your team conducts security risks analysis often. This will allow you to compare your current in-house measures to what is legally required to safeguard private patient data as well as identify high priority threats and vulnerabilities.
Develop Your Own Action Plan for Addressing Security Issues
With each risk analysis you and your staff conduct, take the results and study them to develop an affective and affordable strategy that addresses any uncovered security issues. Determine how you can best mitigate the identified risks.
The plan you develop should cover administration, physical and technical safeguards, policies and procedures, and organizational standards.
Manage and Mitigate Risks
Once you and your staff have come up with a comprehensive plan of how you will address your security vulnerabilities, you will need to begin implementing that plan immediately. You’ll also want to outline how your practice will stay up-to-date with policies and procedures.
Provide Workforce Education and Training
HIPPA requires all covered providers offer comprehensive training to their staff on policies and procedures. In other words, it’s not enough to develop strategies and stay up-to-date yourself, you must ensure every member of your staff also has this information and understands it to a proverbial “T”. Your staff must also receive formal training on breach notification.
Communicate with Patients
It’s normal for patients to feel concern about whether or not their health information is confidential and secure when being transmitted through a best EHR system. Talk to your patients and emphasize the numerous benefits of EHRs and let them know you and your staff are taking every measure to keep their information safe.
Talk with Vendors and Payers about Compliance
As the saying goes, one weak link in a chain will weaken the whole chain. It’s not enough that you are taking all the precautions you can, you must also make sure those third parties like IT vendors and payers are also compliant and up-to-date on security measure.
Do Not Attest for MU Until You Have Assessed Risk
HIPPA’s security measures require healthcare providers conduct their security risk analysis and correct any vulnerabilities identified during the analysis BEFORE attesting to any incentive programs. Be sure and remember to document the changes you make because all physicians participating in an EHR incentive program can be audited at any time.
Be forewarned, anyone who attests to Meaningful Use is giving a legal statement that they have met specific security standards.
What does the Cyber Security Action Plan mean for small medical practices? In a nutshell it means more work coming down the pike in the form of new reforms and compliance issues. This makes it even more important to partner up with an EHR provider that will make your life easier, not harder.