'Act and act quickly' on privacy and security concerns

BOSTON—If you apply privacy and security policies and procedures inconsistently, you will create problems, according to Lassaad Fridhi, information privacy and security officer for Commonwealth Care Alliance, speaking at Medical Informatics World.

Fridhi’s organization contracts with the state of Massachusetts’ Medicare and Medicaid programs.

“Really watch and identify risks,” he said, because it “becomes more compelling to do something about problems. If you just look away, you’ve got a bigger problem.”

While HIPAA requires providers to have an incident response plan, Fridhi said "a plan sitting collecting dust doesn’t do anything. Test it. Make sure it works for your environment.”

Examine your own environment, he said. “Conduct a history analysis. Learn from your past issues. Have a tally of what caused problems. Even if not a breach, worth learning from.” Providers should conduct risk analyses and gap analyses which is important to do because “you will see where you are in terms of regulations and with policies. When say you’re doing it, you better be doing it.”

Address the issues that led to your previous incidents, he said. Prioritize your assessment results and shrink the gaps.

Gauge your internal controls, he also said. Audit your policies and procedures and education and training. He advised conducting background checks on employees. “It’s a small thing that could make a big difference. Your termination process also is important, he said. “A lot of people don’t think about this. Make sure you terminate access.”

Investigate all incidents and counter risky behavior, he advised. “Address root causes and document your actions. Don’t be an ostrich. Act and act quickly. Test and test again.”