Business continuity and disaster recovery, cybersecurity, biomedical devices, IT governance, system access management, and system implementation will be the biggest IT risk areas for healthcare organizations in 2019, according to a report from Crowe, a global public accounting, consulting, and technology firm.
Crowe analyzed nearly 3,000 risk areas across 250 healthcare entities to determine the biggest risk challenges organizations will need to tackle in the coming year. In total, Crowe determined 23 risk areas for 2019. HealthITSecurity.com focused specifically on its IT challenges around security.
Business Continuity and Disaster Recovery
As health providers rely heavily on IT systems for patient care, data must be accessible at all times. As was seen with several IT outages across the industry this year, the need for business continuity and disaster recovery plans is paramount.
“To promote continuous availability of systems and the related data, healthcare organizations must have primary and secondary data centers for redundant operations in the event of a disaster or downtime,” the report authors wrote.
“Each of these primary and alternative processing sites should be ready for use and must have appropriate physical, environmental, and operational controls to promote secure and continued operation when needed,” they added.
Without these controls, revenue, patient safety, and productivity will be affected.
Cybersecurity has remained a top boardroom concern in recent years, which will continue into 2019. The authors explained that, for the coming year, providers should concentrate on bolstering controls to minimize risk, including authentication and other access controls, network controls, and encryption.
Biomedical device and IoT security will also remain a risk focus, in order to protect patient safety, maintain HIPAA compliance, and manage network security risk.
For larger organizations, IT governance will be an important component of delivering tech services that support IT initiatives with security in mind.
“IT governance is critical to ensuring that the provision of information services is strategically aligned with the business and that adequate resources are made available to support achievement of technology and business goals,” the authors wrote.
A solid governance program will need to promote and monitor IT compliance with technology regulations, including HIPAA and the HITECH Act, according to the report.
Systems Access Management
As was seen with the recent Office for Civil Rights settlement with Pagosa Springs Medical Center, failing to ensure strong access control policies that revoke employee access after termination can lead to massive fines. Systems access management must be a priority in 2019 and beyond.
A strong access program will ensure data protection and system availability, while protecting the confidentiality and integrity of data. The authors explained that access should be based on concepts of least privilege and need to know.
“If systems access processes are poorly designed or incorrectly implemented, ePHI and other sensitive information will be put at risk for inappropriate disclosure or manipulation, potentially resulting in fines and penalties for regulatory noncompliance and damage to the organization’s brand,” the authors wrote.
“Without strong access management controls, operating systems, and business and clinical applications may be vulnerable to loss or failure due to external or internal manipulation,” they added.
Adding new technology and platforms, such as a new electronic health record system, can increase an organization’s operational, clinical, financial, and IT risks.
Organizations need to focus on shoring up security, as well as ensuring proper change management, adequate backup and recovery, duty segregation, and sufficient infrastructure support, and on optimizing EHR implementation. New technology should also be checked to determine proper interfaces with other systems.
“Lack of preparation to mitigate risks can cost a healthcare organization money and its reputation at a time when it can least afford to lose either,” Sarah Cole, Crowe Healthcare Risk Consulting Leader, said in a statement.
“In a value-based reimbursement environment, every dollar is at risk,” she continued. “If an organization loses that dollar to a compliance problem, it can’t make it up simply by adding a dollar of revenue elsewhere.”