Medicare Compliance & Reimbursement

Pocket This Advice for Times of Chaos

Tip: Make disaster planning a team effort.

Steady healthcare is essential to combating disaster, but what happens when the electricity is out, the infrastructure is broken, and the systems are down? Action plans are well and good, but the most important protection might be staff education.

Auxiliary and clinical staff are your most important resource when you work offline, but they can also be a liability if not properly educated on the federal and state rules, systems, and paper trail necessary to run a medical operation in a catastrophe. They remain the frontline against fraudsters, social engineers, and thieves hungry for your patients’ information.

Vital: “Successful HIPAA security, after a disaster has occurred, comes down to training and the ability of your workforce,” says Kurt J. Long, founder and CEO of FairWarning, Inc. in Clearwater, Florida. “If employees received extensive training on security protocols and thwarting cyber attacks before the disaster occurred, then you’re going to have a powerful team to secure patient data.”

He continues, “For an untrained workforce, the road is going to be bumpy. If this is the case, leadership must act quickly to train their employees as best they can after the disaster has occurred. Either way, security must become an executive priority during a disaster, and employees must be held accountable.”

Remember Long’s checklist below for reference after a disaster:

  • Put your plan in motion. “Execute off your business continuity plan,” advises Long. “As you are rebuilding your infrastructure, elevate the priority of security.” 
  • Lead by example. “If you don’t have a business continuity plan, then you must rely on strong leaders to unite departments such as information security, compliance, and IT,” he encourages. “United they can forge a path forward that will enable all departments to secure patient information and thwart attacks.”
  • Protect your physical components. “Ensure the physical security of your hospitals, your employees, and your data,” he cautions. “During a disaster, some security protocols are left ignored, but it’s important to hold employees accountable for physical security of systems.”
  • Get the word out. “Communicate with the public realistically what your plans are during the crisis,” says Long. “And, what to expect afterward.”

Smart and detailed preparation, from staff training to encryption to offsite storage, ensures less of a headache in the aftermath of a hurricane like Harvey or Irma. Strong compliance plans, backup systems, and office mandates keep pandemonium at bay in these types of crises. Though things may still get bumpy, having a path to follow allows you to concentrate on the most important job: caring for your patients.

Caution: “Your ‘bad days’ present massive advantage and opportunity to the bad guys,” warns Brand Barney, HCISPP, CISSP, QSA, security analyst with Security Metrics in Orem, Utah. “Malicious entities everywhere are looking to take advantage of, harm, and rob you and those you care for by watching for critical openings in your defenses.” He adds, “During a disaster, your attention will be drawn to so many other pressing matters. I highly encourage you to consider the confidentiality, availability, and integrity of your PHI environment before, during, and after the disaster.”