Organizational Security - Threats to Healthcare Providers and Prevention Measures


Presenter: Lisa McElhaney


Disclosure
• Speakers Bureau: National Association of Drug Diversion Investigators, Inc.


Learning Objectives
• Explain how to conduct a Threat Assessment of your medical practice
• Describe how you can integrate strong prevention practices into your business model
• Identify when you should develop a review(s) of your prevention plan


What Is A Threat Assessment (TA)?
• A detailed risk assessment of a particular business/practice
• A collective process to:
  – Identify vulnerabilities in security to the business’s physical structure, assets, data, personnel, & reputation
  – Provide recommendations to minimize recognized vulnerabilities


Why Is A TA Important?
• It is the first step in a plan to:
  – Protect your interests
  – Provide a Safe & Secure working environment
    • Duty to protect patients as far as “reasonably practicable”
  – Fulfill several government requirements
  – Assist in the development of a strong continuity plan


Who Can Perform A TA?
• Professional Security Firm
• Self
• Fragmented participants
  – Technical
  – Financial


TA Team Approach
• Define the Scope
• Review current security policies/procedures
• Have a good understanding of:
  – Your risk management policy/strategy
  – Federal requirements for HHS, etc.
• Interview key employees/stakeholders
• Technical review & testing of internal systems


What is a Hazard?
• A situation(s) that has the potential to cause harm
• For every hazard identified, it is essential to decide whether:
  – It is significant
  – Appropriate and sufficient controls or contingencies are in place to ensure that the risk is properly controlled or minimized


Example of Potential Hazards…
• Slipping/tripping hazards caused by poorly maintained floors or stairs
• Fire due to improper storage of flammable liquids
• Fire/Electrical shock due to poor wiring
• Chemical exposures due to the improper use of cleaning materials
• Ergonomic issues related to material handling
• Lax security safeguards for physical structure, internal systems, or personnel


What is a Risk?
• The probability that a specific adverse event will occur in a specific time period or as a result of a specific situation
• The combination of likelihood and consequence of a hazard being realized


Example of a Potential Risk…
• Unsecured medications, supplies or patient records
• Low-level firewalls, passcodes, or lack of encryption measures
• Environmental location: prone to wildfires, hurricanes, or earthquakes
• Pain management practices


Steps in a Threat Assessment
• Who/What needs to be protected?
• Who/What are the potential threats and vulnerabilities?
• What are the consequences of any damages or losses?
• What can be done to minimize exposure to any loss or damage?


Take Into Consideration
• Environment
• Mandated regulations
• Current Trends & Activities
• Past occurrences
• Impact of damage or losses
• Personnel that can assist in identifying risk and the ways in which risk can be minimized


Step 1: Identify Who/What Needs To Be Protected?
• Physical Assets
• Data & Data Systems
• Personnel & Patients
• Reputation, Principles, & Integrity


Physical Assets
• Building/Office Structure
• Equipment
• Stock/Inventory
  – Pharmaceuticals, Medical Supplies
• Financial Assets
  – Cash, Equity, Credit


Steps to Secure Physical Assets
• Locks, safes and video surveillance
• Access control systems: prevent unauthorized entry and limit access for patients, employees, suppliers and others
• ID cards: swiped upon entry/exit of all doors that lead to back-office areas and storage areas for medicine, supplies, and patient charts
• Monitor supply inventories by using sign-out sheets or electronic monitoring devices


Steps to Secure Physical Assets (cont’d)
• Ensure that managers and physicians are role models for employees
• Perform routine equipment maintenance
• Set up audits and other controls to ensure that no employee has the opportunity to steal from the practice
• Learn how to do surprise auditing, and where to concentrate your attention


Data & Data Systems
• Patient Information
  – HIPAA
• DEA Number
• Electronic Records
• Banking Information and Accounting Procedures


Black Market Value of Data
• Estimated at $50 for a medical identification number, compared with $1 for a Social Security number
• Identity Theft
• Medical Identity Theft
  – Uses another person's medical benefits or prescription drug card information to receive medical services or drugs


HIPAA HIPAA's Security Rule issued the health care industry's first risk assessment requirement Health Information Technology for Economic and Clinical Health Act (HITECH Act) more stringent requirements HHS Meaningful use qualification -- Hospitals and eligible professionals must "conduct or review a security risk analysis" to qualify for Medicare and Medicaid incentive payments


Security Concerns for IT
• Physical security of systems and devices
• External access to systems
  – Security in the design
  – Security in the implementation
  – Security in the support
• Use of special systems/devices outside of the infrastructure
• Security auditing controls and procedures [1]


Steps to Secure Data & Data Systems
• Invest in an experienced IT company/staff
• Employee awareness
  – Train them on the risks of leaking patient information over the phone, in person, or on paper
• Limited access, audit trails, date/time stamps
• Institute Administrative, Physical, & Technical safeguards
  – Stringent software compliance policy for employees


HIPAA & the HITECH Act
• Enforcement of healthcare data privacy provisions
  – Aggressive with violations & fines
• Security Rule deals specifically with Electronic Protected Health Information (EPHI)
• Privacy Rule pertains to all Protected Health Information (PHI), including paper and electronic
• Requires the report of data breaches (500+) to the patients, HHS & the media
Source: "HIPAA/HITECH Enforcement Action Alert". The National Law Review. Morgan, Lewis & Bockius LLP. 2012-03-22. http://www.natlawreview.com/article/hipaahitech-enforcement-action-alert. Retrieved 2012-04-16.


Personnel & Patients
• Employees
• Support Staff (In/Out)
• Patients
  – Consider Physical & Emotional deficits


Steps to Secure Personnel & Patients
• Background Checks = Better employees
• Create a Secure physical environment
  – Install & train on equipment
• Institute safety procedures & training
  – Evacuation Plans
• Provide response procedures & training
  – Burglaries, Robberies, Violence, etc.
• Training increases confidence and reduces human error


Reputation, Principles & Integrity
• Healthcare Providers
  – Name
  – License
  – Community acceptance
• Quality of Business


Steps to Secure: Reputation, Principles & Integrity
• Prevention practices to reduce adverse incidents
• Do not participate in questionable activity
• Do not make misleading statements or misrepresentations
• Develop procedures to identify & report scams
• Stay on top of your business


Step 2: Who/What Are The Potential Threats And Vulnerabilities?
• Staff
• Patients
• Unknown(s)
  – Persons
  – Environment


Patient Threats
• Thieves
• Liars/Drug Seekers
• You have a professional responsibility to:
  – Prescribe controlled substances appropriately
  – Protect your practice from becoming an easy target for drug diversion


ID Characteristics of Drug Abusers
• Assertive personality
• Gives medical history with textbook symptoms
• Evasive/vague answers to questions
• Often has no health insurance
• Requests a specific controlled drug and is reluctant to try a different drug
• Generally has no interest in diagnosis
• Cutaneous signs: track marks, sores, scars


Steps to ID/Handle a Questionable Patient/Suspect Drug Abuser
• Education on current trends
• Perform a thorough examination
• Document examination results and the questions you asked
• Request picture I.D./Social Security number (photocopy)
• Call previous practitioner(s) to confirm the patient's story
• Write prescriptions for limited quantities
• DO NOT "take their word for it" when you are suspicious
• DO NOT prescribe/dispense/administer controlled substances outside the scope of professional practice


Unknown Threats/Vulnerabilities
• Persons
  – Burglars, Robbers, Crimes of Opportunity, Wrong Place @ Wrong Time
  – Weapons
• Environment
  – Fire, Water, Wind
  – Spills (Hazmat)


Steps to Handle Unknown Threats or Vulnerabilities
• Security Measures
• Continuity Plan
  – Backup Data
    • Contacts, Patient History (maintenance)
  – Generators
    • Phones, Equipment, Chillers
  – Response Plan
    • Do employees know where to go and what to do?


Step 3: What Are The Consequences Of Any Damages Or Losses?
• Loss of personnel
• Loss of Income
• Replacement costs of assets
• Legal Costs
• Civil, Regulatory, or Criminal penalties
• Loss of License
• Loss of Life


Step 4: What Can Be Done To Minimize Exposure To Any Loss Or Damage?
• Evaluate Risks
  – Consequence/Degree & Frequency
  – Reevaluate
• Develop remediation strategies
• Review your risk assessment:
  – On an annual basis or sooner
  – When you are planning a change
  – When a significant change has occurred


Ask Yourself
• Are you prepared for an adverse incident?
• Can you/your business survive a major incident?
• What can I do better?


Questions


References
1. Alliance for Enterprise Security Risk Management, “Convergent Security Risks in Physical Security Systems and IT Infrastructures”, USA, June 2005.
2. Morgan, Lewis & Bockius LLP. "HIPAA/HITECH Enforcement Action Alert". The National Law Review. 2012-03-22. http://www.natlawreview.com/article/hipaahitech-enforcement-action-alert. Retrieved 2012-04-16.

