With the help of third-party security experts, a 25-bed facility in rural Texas has a first-class IT security program that rivals some of the largest healthcare providers in the nation.
Sometimes big things come in small packages.
Red River Regional Hospital (RRRH) is a 25-bed Joint Commission accredited Critical Access facility located in Bonham, Texas, that provides inpatient, outpatient and emergency services to Fannin County and the surrounding communities. With 125 employees, RRRH cares for approximately 1,500 inpatients annually and 1,200 to 1,400 outpatients each month.
RRRH was preparing to transition from paper records to electronic health records (EHRs) and was seeking to qualify for funding support under the Health Information Technology for Economic and Clinical Health (HITECH) Act. However, under the HITECH Act, providers will have to pay more attention to the security of electronic protected health information (ePHI) in order to remain in compliance. As RRRH had recently become independently owned and operated, it no longer had an information technology (IT) department to oversee security policies and procedures.
Like many smaller healthcare provider organizations, RRRH did not have a clear understanding of its information security exposure, especially as a result of the split from its former corporate overseer. In addition, RRRH had not undergone an independent, third-party risk assessment in five years. David Conejo, RRRH CEO, knew it was time to address this long-overdue issue and ensure that his organization's sensitive information was being protected at all costs.
As a small rural hospital with fewer than 49 beds, RRRH qualified to receive $8,640 from The Office of Rural Health Policy's Small Rural Hospital Improvement Program (SHIP) Grant, which is aimed at helping small hospitals comply with recent HIPAA provisions. Conejo received notice from CynergisTek, a third-party authority in healthcare information security management services and solutions, that hospitals that qualify for SHIP Grant funds could use the money for the company's HIPAA/HITECH Security Compliance Review solution, but they only had until June 30, 2010 to use the money for this purpose. Conejo quickly brought the news to the attention of RRRH's Terri Gibson, director, health information management, and Matt Gunnoe, director, IT, and advised that the hospital undergo a risk assessment immediately.
Without a dedicated security department, RRRH needed an expert third party to assess the current state of the hospital's information security in order to ensure ongoing compliance and successful transition to EHRs.
"On the one hand, security threats are becoming more and more frequent and sophisticated. On the other hand, you're almost afraid of what you'll find and how much work will have to be done to get up to speed," says Gunnoe. "Beyond that, we were also concerned about the reaction from our providers who always worry that increased security will make their jobs more difficult."
Prior to the assessment, RRRH provided the team of experts from CynergisTek, the third-party IT security organization, with information about the hospital's current state of security. According to Gunnoe, the process was simple and the questions were clear, which allowed the CynergisTek security team to begin the risk assessment soon thereafter. The team handled the entire risk-assessment process remotely using virtual teams that would respond immediately to questions from RRRH. Upon completion of the risk assessment, the team presented the findings to RRRH.
"We actually preferred the remote method that the security organization took for the risk assessment," says Gibson. "The virtual teams were always available when we needed them, so we felt comfortable that everything was handled remotely. As a small hospital with limited resources, it was more logical to keep our teams in-house while testing and evaluations of our security posture were done remotely by a third party."
The risk assessment, which took about six weeks, identified two key areas of focus for RRRH: documentation and end-user encryption. In order to increase security within the organization, policies and procedures needed to be documented in a formal manner and electronic information needed to be encrypted to ensure appropriate access to sensitive information by authorized users.
In an hour and a half, the CynergisTek team provided findings that outlined for RRRH where the hospital was meeting compliance standards and where it was falling short. From these findings, RRRH was then given a detailed plan for moving forward and meeting all security compliance regulations. The plan was tailored in such a way that RRRH, although lacking resources for a dedicated IT security department, could still take all necessary steps to ensure privacy and security of all sensitive information.
The analysis showed that prior to the risk assessment, RRRH was at 40% compliance with HIPAA/HITECH requirements. According to Conejo, the hospital is currently at 75% compliance and expects to reach 100% by the end of summer 2010. By taking the advice of the security experts, RRRH has not only documented its privacy and security policies and encrypted all information, but it has also implemented complex passwords for safe log-ins and automatic workstation timeouts so that only authorized users can access sensitive information. In addition, the third party's presentation of findings helped justify the need for heightened security and validated future security initiatives for everyone in the organization.
"We were extremely impressed by the recommendations provided," says Gunnoe. "Not only do we now have a clear plan for security moving forward, but now our entire organization is engaged in a discussion about the importance of security. People have become more accepting of the necessary procedures after the experts explained the benefits of these security measures for our organization."
Although RRRH is a small rural hospital, its CEO is a strong proponent of patient privacy and security. With the help of the third-party security experts, RRRH - a small, 25-bed facility in rural Texas - has a first-class IT security program that rivals some of the largest healthcare providers in the nation.