Attesting to Security Risk Remediation


By David Kovel
Chief Technology Officer
Sage Growth Partners

I’ve been through a number of security risk assessments now, and physician practices are slowly awakening to how porous their information system defenses have become. The ONC published a rudimentary SRA tool (download found here) to guide offices through the process of taking stock of the systems that hold or exchange electronic personal health information (ePHI). Most practices look to their EMR vendor for assistance, but health data exists outside the vendor’s scope: on staff workstations, medical devices, operating systems, and internally developed spreadsheets and databases, to name a few. That data is easily accessible by staff members, vendors, and subcontractors – ostensibly to facilitate timely, quality care and revenue-generating services.

Cataloguing where ePHI resides is eye-opening; determining who has access to it, daunting; assessing the risk of misuse, almost futile. But someone inside the organization is responsible if ePHI is compromised, and often the individual assigned that role is not well equipped to understand the privacy and security regulations or the practical implementation of their requirements.

Privacy breach incidents are sure to increase in the coming months. It is time to further educate those identified as Security Officers. They must review the SRAs they have attested to, begin remediating their office’s weaknesses, and work on improving their health IT defenses.