Cyber Security Assessments

At a time when health information exchange sustainability is on everyone’s lips, and with NeHC report sharing case studies on sustainable HIEs and a recent KLAS study showing a doubling of live HIEs from last year, new revenue streams are being sought to keep these entities afloat. At the eHealth Initiative 2011 National Forum on Health Information Exchange at the Omni Shoreham Hotel in Washington, D.C., I heard a unique revenue generator that piqued my interest from Christopher Henkenius, program director at Nebraska Health Information Initiative (NeHII).Henkenius says NeHII will be offering cyber liability and security assessment services that provide security consultative audits and services to stakeholder participants. Deb Bass, NeHII’s executive director says that a NeHII consultant will assess each participant’s needs and perform a GAP analysis and then assist the stakeholder with the implementation of the necessary policies and procedures to address any gaps that might be identified.NEHII has contracted with different vendors so a variety of pricing levels and processes, onsite vs. online assessments, will be offered. The audit will be conducted on an ongoing basis to be determined by the provider and the NeHII consultant. “It’s an ongoing assessment rather than a snapshot in time which most of the assessments have been in the past. You do it once and then a year or two later you start from square one, so there’s a lot of wasted energy and that was our thought around some of these solutions that are more innovative,” Bass says.NeHII’s initial focus for these assessments is physician practices. Two practices, a nursing home and a surgical practice, have been identified for a pilot phase that will start soon. “Many times they don’t have IT staffs,” Bass says. “It’s the office manager that assumes this role. The idea behind this is that we’ll be that resource to them, so they don’t have to hire additional bodies to address this.” NeHII plans to offer these assessments with other states, just as it shared its HIE security and privacy practices with 16 other states. She says that these policies are open source to create a more collaborative environment, so if other entities add on to them, NeHII will be able to access those ideas. Bass says that Arkansas recently published its privacy policies and recognized NeHII’s contribution.In the future, NeHII plans on adding to its security offerings to help organizations meet future meaningful use requirements and HIPAA compliances. One idea is to assist providers with creating “access reports” to patients indicating who has accessed data in a designated record set. NeHII also plans to continue partnering with Metropolitan Community College in Omaha on its HIT curricula and adding a cyber security course in the future.“With all of the new initiatives with health information technology—ICD-10, meaningful use, and HIE—many of our stakeholders are feeling extremely overwhelmed and resource-constrained,” Bass says. “And believe me, cyber security and these assessments are a major responsibility.”