Given the ever-changing landscape for healthcare privacy regulations, that’s a tall order, but hospitals and health systems should take a more proactive approach to regulatory compliance, says Michelle Garvey Brainflake, healthcare corporate and regulatory shareholder at Buchanan Ingersoll & Rooney PC.
Through her work supporting health care organizations “when compliance efforts fall short,” Garvey Brainflake has developed some useful insights about how providers can better manage their regulatory challenges while protecting their patients’ data.
She offered Healthcare IT News readers a number of recommendations on how healthcare organizations can respond appropriately and quickly to reduce risk.
Q. In the event of a potential privacy and security incident, many health systems will go to their playbooks. Yet some may fail to implement those procedures, or neglect to update them to keep pace with emerging threats. What are some of the most common areas or pitfalls you see where providers fall short?
A. Having a properly designed playbook for the organization is the first step.
Many organizations adopt “off-the-shelf” template playbooks that are not specific to their organizations. Organizations with the best playbooks have incorporated both internal and external resources to produce robust, customized playbooks that are practical, easy to understand and widely disseminated to the organization’s workforce through education and training initiatives.
Q. In your work, you recommend tabletop drills to practice cyber security incident response. For clients who are just starting to develop training programs, what resources do you point them to and what advice do you have for setting up an effective program?
A. Because tabletop exercises can be time- and resource-intensive, we often recommend that organizations work with outside resources, such as legal counsel or consultants, to begin pilot tabletop exercises that, again, are tailored to a particular organization.
Involving an organization’s chief information security officer, privacy officer, chief legal counsel and other key personnel allows for a “train-the-trainer” option, where internal teams conduct future tabletop exercises for other workforce members, reducing the need to engage external resources for each tabletop exercise.
Q. When it comes to insurance, covered entities are required to perform a number of mitigation practices in order to obtain coverage. But what should hospitals and health systems look for to ensure they have the proper cyber security coverage for their needs, and how can they ensure this?
A. Contractual and other third-party arrangements often require hospitals, health systems, and other organizations to maintain an appropriate level of cyber security coverage. These organizations can work with their insurance brokers to assess the appropriate level of cyber security coverage based on organizational activities.
We further recommend that organizations work with their insurers to identify legal counsel who is on a particular insurer’s panel of approved legal counsel to ensure appropriate legal assistance in the event of a cyber security incident.
Q. What can healthcare organizations, working with their insurers and their business partners, do to prepare themselves should an incident occur? How can they best prepare for exposure to potential third-party vulnerabilities?
A. Healthcare organizations that have relationships with third-party vendors are often pressured to use their “form” data use agreements or business associate agreements that include healthcare organization-friendly terms.
For example, notification is required in the event of a security “incident” involving a vendor, whereas notification is required only in the event of a “breach”. This gives the organization greater access to information in the event of a security issue involving a third-party vendor.
On the other hand, we recommend that vendors maintain a log of key terms of data use agreements and business associate agreements, so that they can respond quickly to a security-related incident and provide necessary notifications.
From an insurance perspective, as suggested above, health care organizations should review their insurer’s approved panel of legal counsel to ensure seamless involvement of legal expertise when needed.
Andrea Fox is a senior editor for Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.