The security risk analysis is one of the big pain points for providers participating in meaningful use, but it doesn’t have to be. In fact, implementing a yearly security risk analysis is a good business practice, whether or not you are participating in meaningful use. While you will never be able to completely protect your practice from every security risk, you can take steps to minimize foreseeable risks.
Security risk analysis is like a three-legged stool. If any of the legs is missing, the stool will fall over:
- Confidentiality—Keeping health information secure, preventing unauthorized disclosure or access
- Integrity—Ensuring information is complete, current, and accurate
- Availability—Making sure information is available when it’s needed
Confidentiality is typically the primary factor considered when conducting a security risk analysis. You must take reasonable steps to protect your patients’ information from unauthorized access, either intentional (hackers/theft) or not (untrained staff). To protect confidentiality, be sure to use secure computer passwords, encrypt data, put locks on doors, and train staff on properly handling patient records.
Integrity is the second leg of the stool and is equally important as confidentiality. You must ensure that your patients’ data is a true and accurate record of their health. If a patient’s record is tampered with, intentionally or not, that unreliable record undermines your ability, and other providers’ ability, to properly treat that patient. Consider, for example, how disastrous it would be if someone accidentally deleted a documented allergy from a patient’s record. How would it affect your ability to care for your patients if you could not be confident in the correctness of your patients’ records? To protect the integrity of your patients’ records, implement role-based security and audit logs in your software to help ensure only authorized and qualified personnel have access to update patients’ health information.
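To make the allergy example concrete, here is a small added illustration (not code from the original article or from any particular EHR product) of the two controls just mentioned working together: a role-based permission check that refuses an allergy deletion from an unqualified role, and an audit log that records every attempt, allowed or denied, with the before and after values so an accidental deletion can be traced and reversed. The roles, permission map and patient data are constructed for the example.

```python
"""Role-based update control plus an audit log for a patient's allergy list.

Added example, not part of the original article. Roles, permissions and
patient identifiers below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role-to-permission map: clinical roles may change allergies,
# front-desk staff may only read the record.
PERMISSIONS = {
    "physician": {"read", "update_allergies"},
    "nurse": {"read", "update_allergies"},
    "front_desk": {"read"},
}


@dataclass
class AuditEntry:
    """One audit-log line: who did what to which record, and the outcome."""
    timestamp: str
    user: str
    role: str
    action: str
    patient_id: str
    before: tuple
    after: tuple
    outcome: str  # "allowed" or "denied"


@dataclass
class RecordStore:
    allergies: dict = field(default_factory=dict)  # patient_id -> list[str]
    audit_log: list = field(default_factory=list)

    def _log(self, user, role, action, patient_id, before, after, outcome):
        # Denied attempts are logged too: they are the early-warning signal.
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user, role, action,
            patient_id, tuple(before), tuple(after), outcome))

    def remove_allergy(self, user, role, patient_id, allergy):
        """Remove one allergy; refuse and log when the role lacks permission."""
        before = list(self.allergies.get(patient_id, []))
        if "update_allergies" not in PERMISSIONS.get(role, set()):
            self._log(user, role, "remove_allergy", patient_id,
                      before, before, "denied")
            return False
        after = [a for a in before if a != allergy]
        self.allergies[patient_id] = after
        self._log(user, role, "remove_allergy", patient_id,
                  before, after, "allowed")
        return True

    def last_change_for(self, patient_id):
        """Most recent allowed change, so a deletion can be traced and undone."""
        for entry in reversed(self.audit_log):
            if entry.patient_id == patient_id and entry.outcome == "allowed":
                return entry
        return None


def demo():
    """Constructed scenario: a front-desk user is refused, a physician is not."""
    store = RecordStore(allergies={"P-001": ["penicillin", "latex"]})
    denied = store.remove_allergy("jdoe", "front_desk", "P-001", "penicillin")
    allowed = store.remove_allergy("drsmith", "physician", "P-001", "penicillin")
    return store, denied, allowed


if __name__ == "__main__":
    store, denied, allowed = demo()
    for entry in store.audit_log:
        print(entry.outcome, entry.user, entry.role, entry.before, "->", entry.after)
    print("traceable last change:", store.last_change_for("P-001"))
```

The point of logging the before and after values (rather than just "record updated") is that an accidental deletion of the penicillin entry can be found and restored from the log itself, which is what makes the audit log an integrity control and not merely a compliance artifact.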
The third leg of the stool is availability. Your patients’ records, no matter how secure and accurate, are useless if they cannot be accessed by authorized individuals when needed. Consider what would happen if your office were damaged by a fire or a flood. How would you restore and access your patients’ records and how long would it take? And how is health information accessed, if needed, while you’re unavailable? You need to take steps to ensure health information is accessible in a timely manner to authorized users when needed. To ensure availability, maintain current offsite backups, replace and update computer hardware, and enable emergency access features in your practice management and EHR.
In our next article on security, we’ll discuss how to determine what steps you must take to protect patient data given limited time and resources. In the meantime, check out the Department of Health and Human Services’ tools and videos to help you complete your security risk analysis.
Have questions about meaningful use? Contact us at firstname.lastname@example.org