Podiatry Management Online



07/30/2013    Mark J. Tuccio, DPM

Security Risk Analysis Cost (Michael Brody, DPM)

Dr. Brody is spot on with his assessment. I
posted many months ago that attestation to MU
was a huge trap with regard to meeting core
measure 15. It seems that the chicken has come
to roost for many who were unlucky enough to be
selected for a MU audit.

For those who are now concerned with this
measure, Practice Fusion has a “Privacy and
Security Toolkit” that will help with the
documentation needed for conducting an EHR
security and risk analysis. The government web
site also contains this information in a
somewhat verbose form.

This document was what we provided to the
auditor when we were audited for stage 1 MU. I
would strongly recommend to those who are
concerned with the needed documentation for this
core measure to find this toolkit and use it.
This document, along with a long list of others,
saved our group from having to pay the feds back
what was given to us for our successful
completion of stage I MU.

For those that have not been audited, FYI...any
future MU money is held up until the audit is
completed. Our stage I MU audit took over 23
weeks. If you rely on MU money for cash flow, be
careful that you don’t count your chickens
before they are hatched.

With regard to penetration testing, this is a
must at some point and as far as I am concerned
the sooner the better. As I have said in the
past, if you have a static IP address and think
a firewall is sufficient to keep the hackers
from entering your network from the outside,
you, my friend, have just shown up to a gun fight
with a knife.

These folks are very, very skilled at what they
do. Their entry is silent. They ALWAYS leave a
back door open for re-entry and what they want
is information contained in your patient
database. Specifically social security numbers
and other demographic information. They can suck
your ENTIRE database off your servers in less
than an hour and you will never know it.

Let’s face it, these folks are not really
interested in Mrs. Jones’s meds, medical
conditions or HIV status. They want demographics
and identity theft is what makes every security
expert’s knees shake. Why do you think that when
a breach occurs, the responsible party usually
offers the victims some gratis form of credit
reporting gift?

Has anyone else noticed that MU money really
doesn’t cover the true costs of EHR in the long
term?

Hardware cost, software costs, hardware support
costs, software support costs and recurring
charges attendant to these items seem to be
eating up MU funds in the short term and will
NEVER cover the recurrent nature of these costs.
MU funds helped defray the initial costs of EHR
implementation but pale in comparison to the
ongoing and never ending cost associated with
EHR maintenance.

I said this before and I say it again. They set
the trap, we took the bait and now we are
hooked. The trap was eloquently constructed and
pretty much fail proof.

Why? Because:

1) There was no way to avoid it unless you
happen to be 5 or 6 years from retirement.

2) The veil covering the trap and the scent
smeared all over the veil was that of MONEY.

Mark J. Tuccio, DPM, Jamestown, NY,
drtuccio@netsync.net
