Phil McVey tells EHM about the importance of securing health information.
What issue or topic do you see as most important to the healthcare industry today?
Phil McVey. We see the greatest level of interest by far in understanding regulatory compliance. This has always been an area of concern, but what's different today is the staggering complexity the industry has to deal with. To date, a total of 48 states and territories have breach notification laws in place, and every state mandates some form of background screening. But it's not just maintaining compliance with existing regulations that's of concern; organizations also have to keep their eye on what's on the horizon. Of course, right now everyone's talking about the upcoming enforcement of the FTC's Red Flag Rules as of November 1. But there's also the HITECH Act that will require covered entities to notify individuals within 60 days that their unsecured personal health information has been breached. And then we have an increase in the civil monetary penalty that can be levied due to a HIPAA violation. Clearly, healthcare organizations are going to have to spend considerable time and resources just preparing to meet these new requirements.
Certainly compliance is important, but what are some other focus areas for healthcare organizations?
PM. With good reason, the healthcare industry has indeed fixated on the new laws and regulations, but it's also true that compliance doesn't necessarily equate to risk mitigation. Under fear of penalty, many organizations point resources toward compliance with state and federal law, resulting in bare measures that aren't necessarily focused on minimizing the risk of a catastrophic event like a data breach. It can be a tricky balance for larger providers - you're typically responsible for very sensitive and valuable health information that often exists in numerous areas within the same facility, making it difficult to keep tabs on where it's stored, who's using it and how it can be exposed. Despite the difficulty of doing so, it's crucial for you to account for all the different areas of risk in maintaining this information. And one major area of risk management is to know who in your organization is accessing this data - that's why we stress the importance of workforce screening. To minimize impact to your resources, it'll be increasingly important to work with a trusted risk management partner that can not only build a compliant incident response program, but also help you implement an effective screening program.
You've mentioned background screening a couple of times. Why do you consider it such a crucial practice for the healthcare industry?
PM. I see background screening as a fundamental step in protecting any healthcare organization from risk. It's pretty elemental - you want to know as much as possible about the people working for you and should make every reasonable effort to identify and manage threats before they can actually affect your business or the quality of your care. Background screening is an affordable, widely accepted, and relatively simple practice that's easily integrated into any internal process. A successful screening program can help you avoid costly fines, reduce the risk of employee malfeasance like data theft, and shore up public confidence. I should also mention that screening is much more than just running a baseline check on a prospective employee. Effective background screening is ensuring you're doing everything within your power - and your budget - to ensure that employees, vendors, volunteers and business partners aren't presenting you with unnecessary risks.
Does a healthcare organization really need a breach preparedness program?
PM. Absolutely. Despite lofty claims from some within our industry, there simply is no way to guarantee that an organization will not experience a data breach. Regardless of how good an organization's security program is, there is always the possibility of a breach, because the threats are so diverse. Rogue workers, hackers, recently terminated employees and even the absent-minded can lead to a data breach. Implementing a breach preparedness program is about security awareness and training, not preventing a data breach. If an organization recognizes the importance of having a plan in place before an event occurs, not only does it lessen risk, it also minimizes downtime and confusion should an event occur.
As president of the background screening division of Kroll, Phil McVey leads the company's global pre-employment screening, identity management, data breach/fraud solutions and corporate integrity verification businesses. Previously, McVey was President of the commercial services division of USIS, setting direction for and supporting the company's mergers and acquisitions activity. He has extensive experience in operations management, service delivery innovation and quality assurance.