Are you ready for an MU audit? Advice from Adventist Health System

Providers attesting to Meaningful Use are required to complete security risk assessments, but many may be falling short, said Sharon Finney during a presentation at the Privacy and Security Forum hosted by the Health Information and Management Systems Society and Healthcare IT News.

What is a risk assessment?

“My position on risk assessments is that I don’t do risk assessments; I assess risks,” said Sharon Finney, corporate data security officer for Adventist Health System, a 44-hospital healthcare organization headquartered in Altamonte Springs, Fla. “This is something you do every single day as opposed to just one time. There is no beginning and no end.”

Too many so-called risk assessments are actually just audits, according to Finney. The distinction is an important one. Organizations that take stock annually or biannually of security measures aren’t actually assessing whether those measures will work when it’s crucial that they do. In other words, going from department to department asking whether the latest security software is installed is not enough. “People, processes and technology create risk,” Finney said. Risk can be found in the “breakpoints or joints where they intersect.”

Understanding risk at Adventist required understanding the organization’s technical architecture, according to Finney. Shortly after assuming her post, she embarked on an information-gathering mission, sending questionnaires to each department in each facility, written in language they understood. Next, she engaged departments that “don’t normally engage with security unless there is a problem.” Now there are liaisons at every facility to keep a focus on mitigating risk. Real assessments of risk require “understanding the organization and who you need to engage. It is not something you can do in a silo at all,” she said.

Securing leadership’s support

When Finney took the lead on Adventist’s security initiatives, there was an audit-like process for conducting risk assessments, and she began communicating to leadership that the process had to change.

“It’s hard for people to conceptualize data as an asset,” Finney said. “One of the first things I did was get them to understand how much data we have. I had to find that out. I found out nobody actually knew the answer to the question.”

During her information-gathering mission, Finney determined that the organization maintained electronic records on approximately 18.5 million patients. She estimated that, if a breach occurred and all records were compromised, it would cost Adventist $100 per record for a total of $18.5 million. “Those are terms they understand,” she said.

Preparing for an Office for Civil Rights Audit

As part of the Meaningful Use incentive program, the Department of Health and Human Services Office for Civil Rights has been tasked with facilitating audits of providers who have attested to ensure they have met the requirements for receiving incentive payments. One requirement is that they have completed a risk assessment and are paying attention to risk.

The most important step for providers expecting a visit from OCR auditors is to have documentation ready for them. An auditor who visited an Adventist facility told Finney, off the record, that some provider organizations had no documentation at all to support their Meaningful Use attestations.

“You have to document what you do,” Finney said. “It’s instrumental that you demonstrate not only that you’ve done a risk assessment, but that you did something about it. They need to know you have a good process and give attention to the privacy and security of patient information.”

Just as there are plans and processes for natural disasters and downtime, provider organizations should have a plan and process for dealing with security threats. “The key is not to try and scramble,” Finney said. “You’ve got to start the process way before you get that letter. It’s not insignificant time and resources that we put into it.”
