Search Guidance for a Chief Medical Security Officer

A Business Case Model

By Richard J. Mata MD MS CIS

The Mighty-Soft Hospital is a futuristic 1,500-bed, fortress-like facility operating a state-of-the-art dual wired/wireless infrastructure, complete with a computerized physician order entry (CPOE) system, radio frequency identification (RFID) inventory tags, and integrated electronic medical records (EMRs) that are the envy of its competitors and vendors, and that offer a formidable strategic competitive advantage in the marketplace.

Now, imagine the potential liability, PR disaster and chagrin when its enfant terrible CEO is told of a massive security breach similar to the ChoicePoint and LexisNexis fiascos. The identity theft involves the release of protected financial, employment, clinical, and contact information for all of its patients, employees, physicians, business associates, and affiliated medical personnel.

Suddenly, senior management is charged with the task of establishing the new position of Chief Medical Security Officer (CMSO) for Mighty-Soft, and navigating a crisis management dilemma never previously faced by the formerly HIPAA-compliant electronic giant.

The CMSO is to be a senior level management position responsible for championing institutional security.  Awareness of electronic and HIPAA policy and procedure developments, while working to ensure compliance with internal and external standards related to information security, is vital.  The CMSO is to report directly to the CEO and the CIO.

The Search Committee developed the following list of CMSO duties and responsibilities:

  • Chair the hospital’s Information Security and Privacy Committee in its policy development efforts to maintain the security and integrity of information assets in compliance with state and federal laws, and accreditation standards.
  • Provide project management and operational responsibility for the administration, coordination, and implementation of information security policies and procedures across the enterprise-wide hospital system.
  • Perform periodic information security risk assessments including disaster recovery and contingency planning, and coordinate internal audits to ensure that appropriate access to information assets is maintained.
  • Work with the financial division to coordinate a business recovery plan.
  • Serve as the central repository for information security-related issues and performance indicators. Evaluate security or database software for implementing that repository; a server-based system reachable over the Wide Area Network (WAN) would let the information be shared across the enterprise-wide hospital system. Develop, implement, and administer a coordinated process for responding to such issues.
  • Function when necessary as an approval authority for platform and/or application security and coordinate efforts to educate the hospital community in good information security practices.
  • Maintain a broad understanding of federal and state laws relating to information security and privacy, security policies, industry best practices, exposures, and their application to the healthcare information technology environment.
  • Make recommendations for short- and long-range security planning in response to future systems, new technology, and new organizational challenges.
  • Act as an advocate for security and privacy on internal and external committees as necessary.
  • Develop, maintain, and administer the security budget required to fulfill organizational information security expectations.
  • Demonstrate effectiveness with consensus building, policy development, and verbal and written communication skills.
  • Possess the clear ability to explain information technology concepts to audiences outside the field.
  • Become the public face for the Mighty-Soft Hospital’s legacy security system.

Minimum Qualifications:

  • MD, DO, DPM, DDS, or DMD, with a bachelor’s or master’s degree in computer science or a related field, or equivalent experience.
  • Three or more years of experience in the healthcare industry.
  • Five or more years of experience in information security.
  • Eight or more years of experience in information technology.
  • In-depth understanding of network and system security technology and practices across all major computing areas (mainframe, client/server, PC/LAN, telephony), with special emphasis on Internet-related technology.

Preferred Qualifications:

  • Experience with electronic medical devices.
  • Specific experiences in the healthcare industry.
  • Familiarity with legislation and standards for PHI and patient privacy.
  • Demonstrated successful project management expertise.
  • Professional certification, e.g., CISSP, CISA, PMP.
  • Experience with student record/higher education laws.

Key Issues:

  • What is your IT hardware infrastructure and how are security-related devices deployed?
  • What security requirements are imposed by federal and state authorities on your institution?
  • What would you consider the most important criteria for choosing a CMSO?
  • What relationship will the CMSO have with the CIO, CMIO and CEO?
  • What level of security education/training do you consider necessary for your hospital community?
  • What are the key security issues your CMSO will have to address?
  • What are the key privacy issues?
  • What are the key risk management issues?
  • What are the pros and cons of EHRs for your institution?
  • What do you see as the EHR priorities for your CMSO?
  • What are the security issues of EHRs for your institution?

Assessment

How would you select a CMSO?

Conclusion

And so, your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.

Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com

Are You Prepared for a HIPAA Dental Audit?

Why – or Why Not?

By D. Kellus Pruitt; DDS

If you are a dentist and pay ADA dues year after year to be kept better informed about protecting your patients as well as your practice, your ignorance of HIPAA is not entirely your fault. The ADA clearly dropped the ball. Nevertheless, you could still suffer fines as high as $1.5 million for what our leaders failed to emphasize.

It’s time members accept the shameful truth about the ADA Department of Dental Informatics, headed by Ms. Jean Narcisi. Narcisi, working under the direction of ADA Sr. Vice President Dr. John Luther, has been abysmally negligent in preparing members for HITECH HIPAA, and now the compliance deadline is only days away. It’s been months since any information about HIPAA has been published in any ADA publications. Why?

HIPAA Avoidance 

Why do ADA leaders avoid discussing HIPAA? They are ashamed, not unlike embarrassed scam victims. About six years ago, Newt Gingrich visited ADA Headquarters and “lied” to ADA Delegates about the future of eHRs in the US. Then he bribed the ambitious career bureaucrats in the crowd with millions of dollars in federal grants to play along with the scam. I can only imagine that the Delegates must have been star-struck by the former Speaker of the House, because nobody dared ask the tough questions.

Newt’s Slick

So here I am, Ms. Jean Narcisi. I’m again doing your job because your mistakes I pointed out years ago now have you frozen in shame. If you disagree, and consider self-respect as something worth defending, let’s discuss your innocence in front of everyone – including the ADA members who pay your salary. Or, you can continue to hide from your responsibilities. This crap will catch up with you soon enough, Ms. Narcisi, and Dr. Luther no longer has the courage to stick his neck out to protect you. He’s also scared of me. You are alone.

Newsletters 

Dom Nicastro, senior managing editor at HCPro, edits the Briefings on HIPAA and Health Information Compliance Insider newsletters. He posted an informative article on HealthLeadersMedia.com today titled “HIPAA Compliance Questions to Ask as HITECH Date Nears.”

http://www.healthleadersmedia.com/page-1/TEC-246514/HIPAA-Compliance-Questions-to-Ask-as-HITECH-Date-Nears

The article features Chris Apgar, CISSP, president, Apgar & Associates, LLC, in Portland, Oregon. Mr. Apgar notes that “many covered entities and business associates have consistently failed to comply with the HIPAA Security Rule.” Apgar adds, “I find this over and over when conducting compliance audits.”

The lack of compliance described by Apgar is consistent with the results from my study in 2008, “HIPAA Rules and Dentistry.”

https://medicalexecutivepost.com/wp-content/uploads/2008/08/hipaa-survey-dentists4.pdf

Study Abstract

A survey of 18 dentists was performed using the Internet as a platform. The volunteer dentists’ anonymity was guaranteed. The dentists were presented with ten HIPAA compliance requirements, followed by a series of questions concerning their compliance as well as the importance of the requirements in dental practices.

The range of compliance was found to be from 0% for the requirement of a written workstation policy to 88% for that of password security. The average was 49%, meaning that less than half of the requirements are being respected by the dentists in this sample.

Frustrated at Mandates

Frustration with the tenets of the mandate, as well as open defiance, is evident in the written responses. In addition, it appears that a dentist’s likelihood of satisfying a requirement is related to the dentist’s perceived importance of the requirement. Even though this is a limited pilot study, there is convincing evidence that a more thorough investigation of the costs and benefits of the requirements needs to be performed before enforcement of the HIPAA mandate is considered for the nation’s dental practices.

HIPAA

Questions to Consider

Apgar says that the security rule requires covered entities to consider these questions:

  • Has a risk analysis been conducted lately? Was it properly documented? Were damages mitigated and were the risks acceptable?
  • Is privacy/security training current? Have new workforce members who will have access to personal health information (PHI) been adequately trained? Has refresher training for all staff been accomplished? Have security reminders been provided?
  • Are the office policies and procedures complete, current and enforceable? Are workforce members trained on the policies and procedures they are required to respect?
  • Has a comprehensive audit program been implemented? (The security rule requires three periodic audits and an “evaluation” or compliance audit). Are evaluations current? Have audit findings been addressed and documented?
  • Have up to date disaster recovery and emergency mode operations plans been communicated and recently tested?
  • Are CMS’ remote access guidelines being followed? (These are not part of the rule, but CMS earlier indicated remote access management would be included as audit criteria).
  • Are data in transit and data at rest encrypted? Is non-electronic PHI being protected?

Office for Civil Rights

Mr. Apgar adds that even though the Office for Civil Rights (OCR) isn’t saying when audits will start, if a complaint is filed with OCR alleging “willful neglect,” OCR is mandated by statute to investigate. The fines for “willful neglect” are much more devastating than fines for simple carelessness. And “willful neglect” is a subjective judgment call made by inspectors … who work on commission.

Assessment

Unfortunately for the nation’s dentists, the statute invites disgruntled patients and employees to celebrate revenge via federal inspectors. And, the more dentists are fined, the more the inspectors make. That can’t end well. Where are you hiding, Jean Narcisi? You’ve been silent far too long. Let’s talk. Don’t make me come get you.

Editor’s Note: The applicability of this post to all medical specialties is obvious.

OUR OTHER PRINT BOOKS AND RELATED INFORMATION SOURCES:

DICTIONARIES: http://www.springerpub.com/Search/marcinko
PHYSICIANS: www.MedicalBusinessAdvisors.com
PRACTICES: www.BusinessofMedicalPractice.com
HOSPITALS: http://www.crcpress.com/product/isbn/9781466558731
CLINICS: http://www.crcpress.com/product/isbn/9781439879900
BLOG: www.MedicalExecutivePost.com
FINANCE: Financial Planning for Physicians and Advisors
INSURANCE: Risk Management and Insurance Strategies for Physicians and Advisors

Interview with Jack Levy of Securebill, Inc

President – Securebill, Inc

What: An Interview and Special Report Exclusively Prepared for the ME-P
Who: Mr. Jack Levy, CISSP [President – Securebill, Inc]
Topic: Physician Selection of eHRs
Reporter: Amaury Cifuentes; CFP®
Where: Internet Ether

Although skeptics of eHRs abound, President Barack H. Obama’s signing of the American Recovery and Reinvestment Act [ARRA] of 2009 has created a massive push for their implementation. The Act provides $19.2 billion, including $17.2 billion for financial incentives to be administered by Medicare and Medicaid. This assistance of up to $40 to $65 thousand per eligible physician, and up to $11 million per hospital, begins in 2011.

Link: https://medicalexecutivepost.com/wp-content/uploads/2009/05/jack-levy-interview.pdf
