07/30/2013 Mark J. Tuccio, DPM
Security Risk Analysis Cost (Michael Brody, DPM)
Dr. Brody is spot on with his assessment. I posted many months ago that attestation to MU was a huge trap with regard to meeting core measure 15. It seems that the chicken has come to roost for many who were unlucky enough to be selected for a MU audit.
For those who are now concerned with this measure, Practice Fusion has a “Privacy and Security Toolkit” that will help with the documentation needed for conducting an EHR security and risk analysis. The government web site also contains this information in a somewhat verbose form.
This document was what we provided to the auditor when we were audited for stage 1 MU. I would strongly recommend to those who are concerned with the needed documentation for this core measure to find this toolkit and use it. This document, along with a long list of others, saved our group from having to pay the feds back what was given to us for our successful completion of stage I MU.
For those that have not been audited, FYI...any future MU money is held up until the audit is completed. Our stage I MU audit took over 23 weeks. If you rely on MU money for cash flow, be careful that you don’t count your chickens before they are hatched.
With regard to penetration testing, this is a must at some point and as far as I am concerned the sooner the better. As I have said in the past, if you have a static IP address and think a firewall is sufficient to keep the hackers from entering your network from the outside, you, my friend, have just shown up to a gun fight with a knife.
These folks are very, very skilled at what they do. Their entry is silent. They ALWAYS leave a back door open for re-entry and what they want is information contained in your patient database. Specifically social security numbers and other demographic information. They can suck your ENTIRE database off your servers in less than an hour and you will never know it.
Let’s face it, these folks are not really interested in Mrs. Jones’s meds, medical conditions or HIV status. They want demographics and identity theft is what makes every security expert’s knees shake. Why do you think that when a breach occurs, the responsible party usually offers the victims some gratis form of credit reporting gift?
Has anyone else noticed that MU money really doesn’t cover the true costs of EHR in the long term?
Hardware costs, software costs, hardware support costs, software support costs and recurring charges attendant to these items seem to be eating up MU funds in the short term and will NEVER cover the recurrent nature of these costs. MU funds helped defray the initial costs of EHR implementation but pale in comparison to the ongoing and never-ending costs associated with EHR maintenance.
I said this before and I say it again. They set the trap, we took the bait and now we are hooked. The trap was eloquently constructed and pretty much fail-proof.
Why? Because:
1) There was no way to avoid it unless you happen to be 5 or 6 years from retirement.
2) The veil covering the trap and the scent smeared all over the veil was that of MONEY.
Mark J. Tuccio, DPM, Jamestown, NY, drtuccio@netsync.net