Tag Archives: strategy

Introducing PhysBizTech and Mac’s Blogspot

From the publishers of Healthcare IT News comes PhysBizTech, a media resource designed to fill this information gap by offering business and technology intelligence to forward-thinking physician practices looking to increase their profitability while enhancing patient care.

We were delighted to accept PhysBizTech’s invitation for Mac to support an ongoing blogspot on issues of privacy and security. We will try to “keep it real” (like we always do) for the subscribers, who, as physician practices, have real challenges keeping up with the regulatory realities of HIPAA and HITECH, and with the business of privacy and security in practice operations.

So, read on and enjoy Mac’s inaugural post!

http://www.physbiztech.com/blog/make-healthcare-data-security-2012-priority


Can Healthcare learn from the Zappos Breach? You bet!

Some of you may be becoming numb to the reports of data breaches that seem to hit the headlines almost every week now. Are we developing a mindset that these breaches are just going to happen and that they are just part of business in the digital age? Boy, I sure hope not! Because I care about my personal data, the data of my family members, and really everyone’s data. I fear the day that we become accepting of breaches as a business norm.

I read a lot of articles every day from a variety of sources – blogs, industry press, etc. I really appreciated Matthew Schwartz’s article in Information Week covering lessons learned from the Zappos breach this week. It was nice to see an acknowledgement of the preparations and risk management steps that were in place, as well as the opportunities for improvement that exist for Zappos going forward. It was also really nice to see a simple, straightforward presentation and discussion of the points. At CynergisTek, it is a core value to make security “accessible” to our clients, to relate security efforts to the business and to the people that make that business run. For us, we are usually talking about hospitals, clinicians and the critical support staff that, 24 x 7 x 365, make healthcare happen. Anyone can read Matt’s article, learn from it, and take something away from it, as an individual or as an organization.

Some of our healthcare clients might challenge the idea that Zappos or Amazon are a relevant reference point for them, arguing that the business of retail is nothing like the business of healthcare. For me, it always comes back to the ultimate arbiter – the common denominator that is THE DATA and our responsibility for it. I would argue that our industry assumes stewardship for a far more significant amount of sensitive data than retail does, so the call to action, and the sense of urgency to establish the technical safeguards and processes, is even greater.

I don’t want to sound like a broken record, but there are things, even smaller things, that healthcare can do, which is why I really had an affinity for this article. There are absolute takeaways for our industry here, so read it. Benchmark your current safeguards and processes against some of the positive attributes of Zappos’ program and response. Then, make a plan to make ONE aspect of your breach risk mitigation program better.

We say it all the time in healthcare: “An ounce of prevention…” We need to take a healthy slurp of our own Kool-Aid!

Enough of my musings, read Matt’s article here:

http://www.informationweek.com/news/security/attacks/232400457


Can Healthcare Do Security Successfully?

Advance for Health Information Professionals posed this question to our own Mac McMillan, seeking his insight. Mac, in his own words, answered the question with this:

I’m going to answer this question with what I believe to be the correct answer: Yes, the healthcare industry is capable of doing security successfully. I base that belief not only on my experience over the last 20 plus years, but also because of the many examples of organizations that are getting it right, and the many industry leaders who have proven that security can be implemented successfully. So why do I pose the question? Because many organizations are still lagging in the area of healthcare security. Perhaps the better question is, why do some organizations get it right and others struggle? There are several reasons for that, but what might be more interesting is to look at a couple of critical factors that have contributed to successful healthcare security programs.

Leadership

Leadership sets the tone for a successful security program. The most effective security programs have often been overseen by a business leader who makes patient privacy and data security a priority, and an experienced security professional that knows how to translate those priorities into practical action. Each executive is directly involved and ensures the information security program is realized through the provisioning of resources needed. They view patient privacy and data security as a responsibility, not just a cost center or necessary regulatory evil. In most organizations where there is struggle — or failure — it is usually traced back to a lack of focus at the top and/or insufficient resources to get the job done correctly. Survey after survey for the past few years has documented the shortcoming.

Objectivity

In addition to strong executive leadership that makes privacy and security a priority, another benchmark of successful programs is an appreciation for — and openness to — objectivity in measuring performance. One of the first tenets of data security is to never allow the same person who built or manages a system to also test or audit that system. Separation of duties, third party assessments and consulting with outside experts have always been important keys to successful data security programs. Information security is an extremely dynamic subject area in which expertise should be maintained. This is particularly true when talking about strategic design and assessing risk.

Smart organizations seek external input when developing a security strategy, designing an enterprise security controls architecture or selecting the right technologies to enable their strategy. First, consultants come at the problem with the experience of having seen many environments. Second, they have already worked with many of the solutions/approaches in operation and tend to stay current in the technology. Third, there should be objectivity in the process; it is also important to consider the value of lessons learned elsewhere. The successful organization takes advantage of both knowledge and experience and reaps the benefits in cost avoidance, implementation successes and enhanced adoption.

The successful organization also takes advantage of objective measurement in assessing risk, both initially in determining which controls are needed, and on the back end by assessing effectiveness. One of the most informative tools employed in security management is the risk analysis. If done right, it will produce the roadmap needed for building, remediating or validating the security program. If done regularly, it will produce a honed awareness of where risk is enabled and support a better understanding of what security measures are most effective. Risk management is continuous. Risk analysis should be conducted at least annually in most environments, or when significant change occurs in the organization or information enterprise. Every regulated industry is required to conduct risk analysis — healthcare is no exception. The HIPAA Security Rule calls for conducting a risk analysis, as does HITECH in both its Breach Notification Rule for determining harm and its Meaningful Use Rule attestation requirements for receiving incentive funds.

My Answer

Can health care do security successfully? Absolutely, and many organizations are. But, unfortunately, many are not. The two success factors that relate to the culture of an organization are leadership and objectivity. Establishing a culture that views security as a core business responsibility and embraces objectivity in measuring effectiveness enables an organization to learn and improve more rapidly. Using external third parties for conducting risk analysis is a security best practice, and it allows organizations to avoid costly lessons learned.


South Dakota eHealth Summit 2011

Mac McMillan, National Chair of the HIMSS Privacy and Security Policy Task Force and CynergisTek CEO, will serve on the faculty of the 2011 South Dakota eHealth Summit, Navigating the Way to Meaningful Use. The conference will be held November 7, 2011 at the Holiday Inn City Centre in Sioux Falls.

The Summit’s one-day seminar agenda will engage, motivate and educate providers and key stakeholders across South Dakota regarding meaningful use, the clinical value of using health information technology, and the exchange of clinical information between health care providers.

The Summit is bringing together the South Dakota HIMSS Chapter, Dakota State University, HealthPoint (South Dakota’s Regional Extension Center), ADSU IT Initiative, South Dakota Department of Health, and DSS.

The purpose of this year’s eHealth Summit is to provide a statewide vision and update on e-health initiatives to improve healthcare for all South Dakotans with the following specific objectives:

  • Describe the goals, objectives and strategies of South Dakota’s plan for HIT, including Health POINT, the Health Information Exchange (HIE), SD Medicaid, and HIT Workforce Development.
  • List the updated requirements of meaningful use and how to best achieve meaningful use goals.
  • Identify best practices for electronic health record adoption and implementation.
  • Gain an understanding of how Health Information Exchange can improve care.
  • Learn about Public Health reporting and how to participate.

Please visit http://healthpoint.dsu.edu/Summit2011/ for more information on the conference agenda, registration and sponsorship.