- Healthcare organizations should have primary and secondary data centers for redundant operations in the event of a disaster or downtime, advised consulting firm Crowe.
These primary and alternative processing sites should be ready for use and have physical, environmental, and operational controls to promote secure and continued operation, Crowe explained in its Top Risks Areas for Healthcare Organizations in 2019 report.
If systems and data are not always available, patient safety, productivity, and revenue could be significantly impacted, warned Crowe.
To secure an organization’s information systems and meet regulatory requirements, organizations should have a well-designed access program and user provisioning processes in place, Crowe recommended.
“Strong controls in this area protect data and systems availability, confidentiality, and integrity by limiting access to information and resources based on the concepts of least privilege and need to know,” the report noted.
If access processes are not well designed or implemented, sensitive information could be put at risk for disclosure or manipulation, leading to fines and penalties for regulatory noncompliance and brand damage.
Without strong access management controls, operating systems and business and clinical applications may be vulnerable to loss or failure from external or internal manipulation, the report warned.
Implementation of electronic health record (EHR) and other clinical and business systems can pose a significant risk to healthcare organizations. Implementing systems on time, within budget, and using industry standards for design, testing, training, and support are key to avoiding risks to the organization.
“IT risks include lack of security, poor change management, inadequate backup and recovery, improper segregation of duties, insufficient infrastructure to sustain and optimize the EHR systems after implementation, and lack of proper interfaces with other systems,” the report explained.
Crowe related that health information management is important to managing compliance and coding risks. Clinician documentation of patient visits and services should be timely, complete, and accurate to maximize healthcare reimbursement. Effective health data management is also necessary to ensure patient privacy, quality reporting, quality process improvement, and pay-for-performance decisions.
“EHR systems play an important role as the origination point, secure repository, and vehicle for diagnoses and care documentation. To promote accurate and complete documentation and billing, clinicians must be trained to use EHR functionality to meet documentation requirements. System access must be managed in accordance with job function, and use of copy-and-paste functionality in the EHR must be limited and managed to promote clinical documentation integrity,” the report noted.
In addition, healthcare organizations often use third-party vendors for a range of operational, clinical, and technology services to reduce costs and improve efficiencies. Third-party vendors often have access to the hospital facility, data, and patients.
“Risks related to use of third parties for core services must be considered carefully before contracts are signed, and they must be managed throughout the vendor relationship,” the report advised.
Risks posed by vendors include failure to meet contracted performance requirements and financial terms of the contract, billing for services not provided, as well as compliance, patient safety, and regulatory risks. For example, if a vendor fails to comply with federal, state, and local laws, that can have immediate negative financial, legal, and reputational impacts. “This is especially true with regard to weak information systems controls where vendor vulnerabilities may result in a privacy or security breach. A thorough vendor management program with ongoing monitoring of third-party entities is critical to mitigate this risk area,” the report added.
In addition, joint ventures can pose risks to healthcare organizations. They are often used for ambulatory surgery centers, imaging centers, radiation therapy offices, urgent care centers, and real estate investments.
Joint venture agreements can result in complex arrangements, including the sharing of revenues and expenses between the entities. This sharing can be difficult to monitor if appropriate processes are not established.
“Lack of preparation to mitigate risks can cost a healthcare organization money and its reputation at a time when it can least afford to lose either,” said Crowe Healthcare Risk Consulting Leader Sarah Cole. “In a value-based reimbursement environment, every dollar is at risk. If an organization loses that dollar to a compliance problem, it can’t make it up simply by adding a dollar of revenue elsewhere,” she concluded.