Security firm aims to meet demand from providers for risk assessment

By John Moore

The government's meaningful use initiative calls for healthcare providers to conduct risk assessments, but that's no easy task. The Health IT Policy Committee earlier this year noted the inability of many providers to perform such assessments. And a 2009 survey indicated that nearly half of the responding providers failed to conduct a risk assessment of their health information assets.

The problem is particularly difficult for smaller providers, such as federally designated critical access hospitals, that face financial and technical constraints. "The average security assessment is in the $40,000 to $50,000 range, in most cases outside their ability to handle," noted Mac McMillan, chief executive officer of CynergisTek, an IT security consulting firm based in Austin, Texas. "Yet they have the same requirements that the big guy does."

With that in mind, CynergisTek recently developed a security assessment service aimed at the small hospital market. The company's HIPAA/HITECH Security Compliance Review evaluates a hospital's performance against HIPAA and HITECH privacy and security requirements. The review is priced at $8,650 for hospitals with 49 beds or fewer.

CynergisTek took a page from a retail industry security compliance program to make health IT risk assessment feasible for smaller facilities. The limited budgets of small hospitals ruled out a lengthy onsite review, in which security consultants are dispatched to evaluate an organization's security measures. Instead, CynergisTek's service uses self-assessment questionnaires, a concept borrowed from the Payment Card Industry (PCI).

PCI uses targeted self-assessment questionnaires to help smaller retailers meet its security requirements for handling customer credit card data.

The questionnaires cut down on the expense of an onsite review, but hospitals aren't entirely on their own. CynergisTek conducts a "live session" with hospital staffers if they need help completing the questionnaire, McMillan explained.

CynergisTek also asks hospitals to produce IT security policies, network diagrams, and other documentation to help the consulting firm learn about the hospital's security environment. The company then performs an external scan of the hospital's IT environment, using Qualys technology to search for security vulnerabilities.

The assessment concludes with a review in which CynergisTek meets with the hospital to discuss any security gaps it uncovered. The company also provides a report detailing what the hospital needs to address regarding HIPAA and HITECH compliance.

To keep travel costs down, CynergisTek uses a secure Web portal and teleconferences to communicate with customers. The company uses those methods when helping hospitals with the questionnaire and when reviewing findings.

McMillan said the assessment can take as little as two to three weeks, but added that CynergisTek will accommodate hospitals that need more time to complete the review.

CynergisTek initially looked to the federal government's Small Rural Hospital Improvement Program (SHIP) grants as the funding mechanism small hospitals would use to purchase its assessment service. SHIP grants target hospitals with 49 beds or fewer. The grant program, however, no longer supports HIPAA-related activities.

Nevertheless, CynergisTek said it will still honor its security offering and pricing for hospitals.