By Diane Evans
A new federal case drives home an important point for healthcare leaders: Don’t assume your IT provider is doing everything right. It’s up to you, as a fiduciary for your organization, to require accountability.
In this new case, a subsidiary of the Centene Corporation agreed to pay $11.3 million to resolve claims that it falsely certified compliance with cybersecurity requirements, as specified in a contract to administer health benefits for the U.S. Department of Defense.
This should be a wake-up call for leaders of healthcare organizations of all sizes. Technology defenses and best practices need to be managed from the top down. And you don’t need to be a techie to set and enforce standards for IT. In fact, by leaving IT without checks and balances, you allow vulnerabilities to go unmanaged and undetected. And that invites an unwanted data breach.
Technology has evolved to a point where senior leaders must create management systems for holding IT accountable. That entails making assignments, knowing the questions to ask, and initiating routine progress reports that include system-generated validation of updates. Examples of IT functions to track and evaluate include:
Prompt application of software updates and patches;
Routine IT systems checks, including penetration testing;
Network segregation;
Routine checks on configurations and backups of configurations;
Routine offline data backups.
One more point to keep in mind: Even in the best of situations, you can’t expect IT to know all the technology-related requirements under the Health Insurance Portability and Accountability Act (HIPAA). Ensuring that those requirements are carried out, of course, rests with top leadership.
Call to Action: Visit our homepage to download a Do-This-First list of IT defenses, based on federal recommendations.