The Three Pillars of Security

The security risk analysis is one of the big pain points for providers participating in meaningful use, but it doesn’t have to be. In fact, implementing a yearly security risk analysis is a good business practice, whether or not you are participating in meaningful use. While you will never be able to completely protect your practice from every security risk, you can take steps to minimize foreseeable risks.

Security risk analysis is like a three-legged stool. If any of the legs is missing, the stool will fall over:

  • Confidentiality—Keeping health information secure, preventing unauthorized disclosure or access
  • Integrity—Ensuring information is complete, current, and accurate
  • Availability—Making sure information is available when it’s needed

Confidentiality is typically the primary factor considered when conducting a security risk analysis. You must take reasonable steps to protect your patients’ information from unauthorized access, either intentional (hackers/theft) or not (untrained staff). To protect confidentiality, be sure to use secure computer passwords, encrypt data, put locks on doors, and train staff on properly handling patient records.

Integrity is the second leg of the stool and is as important as confidentiality. You must ensure that your patients’ data is a true and accurate record of their health. If a patient’s record is tampered with, intentionally or not, that unreliable record undermines your ability, and other providers’ ability, to properly treat that patient. Consider, for example, how disastrous it would be if someone accidentally deleted a documented allergy from a patient’s record. How would it affect your ability to care for your patients if you could not be confident in the correctness of your patients’ records? To protect the integrity of your patients’ records, implement role-based security and audit logs in your software to help ensure only authorized and qualified personnel have access to update patients’ health information.

The third leg of the stool is availability. Your patients’ records, no matter how secure and accurate, are useless if they cannot be accessed by authorized individuals when needed. Consider what would happen if your office were damaged by a fire or a flood. How would you restore and access your patients’ records and how long would it take? And how is health information accessed, if needed, while you’re unavailable? You need to take steps to ensure health information is accessible in a timely manner to authorized users when needed. To ensure availability, maintain current offsite backups, replace and update computer hardware, and enable emergency access features in your practice management and EHR.

In our next article on security, we’ll discuss how to determine what steps you must take to protect patient data given limited time and resources. In the meantime, check out the Department of Health and Human Services’ tools and videos to help you complete your security risk analysis.

Have questions about meaningful use? Contact us at meaningfuluse@eyefinity.com

Did you enjoy reading this blog article? Receive an update for each new post by clicking on the “Follow” button in the upper right corner.

Get Out of the Fog – Solution Models for Every Need

Andrew H. Lee, Senior Product Manager

Let’s consider the main solution model categories in practice management and how to best accommodate workflow needs.

It’s not one-size-fits-all, so you need the right information to make the right decision for YOUR practice.

  • Paper—Exactly as it sounds, all records are maintained in paper files. This can allow vulnerability to a number of risks, from theft or loss, to disasters such as flood or fire.
  • On-Premise—Software is installed on a server in your office. This provides more efficiency than a paper system, but can be very expensive and it limits access to your data. Plus, it can still leave you vulnerable to theft and disaster, as well as computer viruses, hardware failure, required software updates, and dedicated staff for IT needs.
  • Cloud-Hosted—3rd party hosting can alleviate many of the issues associated with paper-based operations or maintaining software in your office. Vulnerabilities are reduced, but this option can still be expensive depending on the solution.
  • Software-as-a-Service—Monthly subscription-based solutions can provide a highly economical and efficient means of practice management, and allow flexibility to access patient records anywhere, at any time, from any device.

In upcoming posts, we’ll take a more in-depth look at each of the models outlined above, so stay tuned.

Interested to see how easy and efficient practice management can be? Request a demo for Eyefinity Practice Management.

Meaningful Use Incentives and Penalties Made Simple

It’s October 1, and meaningful use is a hot topic. Here are the scenarios that you can expect:

First-time Medicare providers who did not attest on October 1, 2014 will be assessed a 1% penalty in Medicare reimbursements beginning January 1, 2015. That penalty will increase by 1% every year, up to a maximum 5% reimbursement adjustment.

What are your options?

  • Providers can stop the penalty by using a meaningful use CEHRT.
  • Providers who exercised the hardship exemption, which was available earlier this year, will NOT be assessed the penalty in 2015.
    • Those providers can start their attestation in 2015 and still receive an incentive.
      • Up to $8,000 in 2015
      • Maximum of $12,000 for their last two years of meaningful use participation

 

For more information, visit www.eyefinity.com/mu2


EHR: Streamline Staff Work Flow, Improve Patient Care

Michelle Cooper, OD

Electronic health records systems can eliminate duplications and streamline the daily routines of your staff—letting you concentrate on improving patient care.

Read the entire article: EHR: Streamline Staff Work Flow, Improve Patient Care

Reprinted with permission from Review of Optometric Business.

Request a FREE demo of Eyefinity EHR today!

Get Out of the Fog: Stay Safe in the Cloud – Part 1

Andrew H. Lee, Senior Product Manager

How much risk of a security breach is there in maintaining personal health records?
“A data breach on par with last year’s retail sector calamity is a possibility for the health care industry…” according to a recent article on data security by The American Optometric Association. Unfortunately, these prophecies are coming to fruition. CNNMoney has just reported a major hospital network security breach, in which 4.5 million patients’ records were stolen, leaving patients at risk for fraud and identity theft.

Clearly the risk of a security breach is real. Paper, laptops, and thumb drives can be stolen from your practice. Network connections can be hacked into if you do not secure your Wi-Fi hotspot. However, can you trust your cloud vendor? You need to know what to look for in a cloud-based solution to further mitigate your risk.

Stay tuned for Part 2 of Security in the Cloud.  We’ll tell you five key factors to consider when selecting a solution to fit your needs and stay safe in the cloud.

Shape the future of practice management!
See what’s up and coming, and let us hear from you about your vision for your practice. Learn more.

On Task with Security Risk Analysis

Core Measure 9

It seems like every time you turn around, there’s another large security breach. The results can be devastating not only for the business that was hacked, but for its customers as well. The risk isn’t limited to retailers – it exists anywhere customer information is used, accessed, or stored. With that in mind, core measure 9 was created and included in meaningful use. As evidence of the gravitas of this goal, there are no exclusions to this measure.

We all know how important it is to protect electronic health information, and the utmost care must be exercised to protect patients’ medical records.

Defined and Deciphered
Core measure 9 seems like a simple concept, but can be deceptively complex. The goal is to protect patients’ electronic health information that was created or is maintained by certified EHR through the implementation of appropriate technical capabilities.

Per CMS, the provider must:

“…conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process for EPs.”

Huh? Exactly!

It seems daunting to decipher what the requirements are, much less figure out how to actually accomplish the task.  Essentially, you’re required to perform a security risk analysis to ensure that your patients’ medical records are secure, and to minimize the risk of a security breach.

The Challenge
Part of the challenge to this measure is the broad nature of the measure itself. Fulfilling the measure doesn’t rely on a simple security feature that can be enabled or disabled. Rather, practices must conduct—at least annually—a comprehensive security risk analysis in accordance with the requirements under HIPAA, and correct all identified security deficiencies. There is a full list of security criteria that must be met and/or corrected; however, a simple checklist will not satisfy the requirements. Each of the criteria must be sufficiently documented, so that in the event of an audit, you will pass. Also, there are no exclusions allowed for this measure, and since it’s not a percentage-based measure, there is no CMS reporting window to track your progress.

Success Can Be Yours
Core measure 9 is essentially the same as core measure 15 from Stage 1. If you’ve already succeeded at this measure in Stage 1, you’re well on your way to success in Stage 2. Unfortunately, because of the broad nature of the measure, it’s also one of the more difficult challenges to master. This is not a measure that can be conquered simply with your EHR system. Still, this is a measure that is attainable. Given the complexities, and myriad of factors to consider, we will take on the required tasks in Part 2 of “On Task with Security Risk Analysis.” Stay tuned.

In the meantime, if you have questions or need help with meaningful use, contact us at meaningfuluse@eyefinity.com.

Cloud Technology in a Flash

The second installment in our series of posts about cloud technology. Now let’s look at speed and bandwidth.

by Eyefinity Senior Product Manager Andrew Lee

Better Use of Time
A cloud-based system can save you time, by removing hardware issues from your practice and providing readily accessible records, but what’s required?

The Need for Speed
Internet speed can be a significant factor. Before taking the leap to the cloud, ask providers about bandwidth requirements for their solutions. This is important when evaluating the cost of a practice management solution. If you’re required to subscribe to a very high-speed internet service, that’s a red flag. This could add hundreds of dollars every month, and suddenly what seemed like a low monthly cost for the practice management system is drastically inflated.

We recommend a minimum of 3 Mbps (megabits per second) download and 1.5 Mbps upload speeds. For optimal performance, you’ll want 3 – 6 Mbps, depending on the number of doctors and staff in your office. Check your current speeds at www.speedtest.net.

Ask the Right Questions
Some practice management solutions require speeds up to 20 Mbps, and have response times up to 30 seconds, so be sure to ask what’s required, and how fast the system will respond. A web-based system should respond within a couple of seconds, and an optimized system should average less than one second.

Up next, unlocking the secret to security in the cloud.

We want to hear from YOU.
With your input, the next level of practice management solutions will be everything you want and need it to be. Learn more.
