Healthcare Organizations: What can get you into [costly] hot water?
For healthcare organizations and the businesses that support them, regulation and legislation too often turn into lawsuits and settlements. What’s happening to get you into trouble in the first place? How can you avoid the serious costs they bring – to the bottom line and to reputation? Here’s what Julia and I often see from the trenches.
Policies & Procedures Misalignment
In other words, either you didn’t do what you said you were going to do, or you have serious gaps in what should be written down and followed. Here’s the thing about policies and procedures: they have to be accurate, yes, but they also should say what you will do, not just what you can do.
Do you say you’re going to test and check your firewall every 30 days? Better have that proof ready to show that you did it. Do you state that your mobile device use includes information security standards for mobile device hardening to protect PHI? Prove the steps you take – encryption, remote wipe capabilities, device tracking, etc.
If healthcare organizations or business associates don’t or can’t produce proof, and there’s a PHI breach, any legal action will include turning over privacy and security policies. You want to be able to do that with confidence.
Here are our Policy and Procedure Quick Tips, in a short video format. Feel free to share.
Breach Incident, No Security Incident Response Plan (IRP)
Naturally, if you do experience a PHI breach or any type of breach incident, you want to be able to take action. The thing that stinks is that even a not-so-bad breach can bring the wolf to the door, lawsuit-wise. At one point, if there was no proof of harm (e.g., identity theft), then there was a chance the courts might show leniency. That happens far less often these days, especially when you can’t demonstrate that your security Incident Response Plan is reliable (or if you don’t have one in place).
Think about what the courts will want to see – or better yet, what a security risk analysis would reveal about your security IRP. Can you show that everyone knows what they’re doing and how they need to respond to a breach? If you’re not sure, talk to us about your organization’s security Incident Response Plan – we have a short motion graphic on that here.
Obviously, there’s no way to 100% guarantee you’ll never have a breach. What you can guarantee is that you have the right safeguards in place, that there’s a provably in-practice set of policies and procedures, and that when a breach does happen you have a super-viable security IRP to make things right as quickly as possible.