TECHNOLOGY RISK
Do You Know Yours?

WHILE TECHNOLOGY AND INFORMATION RISK are not new areas of exposure, they are no longer limited to technology providers. Healthcare organizations — including ambulatory surgery centers (ASCs) — are collecting and disseminating more personal and clinical patient information than ever before. As the amount of information that ASCs collect, centralize, and transmit increases, so too does their dependency on the technology and their exposure to liability when things go wrong. The purpose of this article is to provide a checklist that can be used to identify some areas where an ASC may be exposed to information and technology risk, and to provide some practical risk management suggestions for mitigating that risk.

DOES YOUR ASC:
- Use computers?
- Have a Web site?
- Submit bills for patient care electronically?
- Accept credit card payments?
- Allow patients to pay their bills online?
- Communicate with patients by e-mail?
- Use an electronic patient registration system?
- Use electronic medical records?
- Create or receive digital X-rays or other imaging studies?
- Collect or aggregate adverse events with an electronic system?
- Give surgeons remote access to medical records, labs, or other reports?
- Permit surgeons or anesthesia providers to use CPOE?
- Give employees remote access to either patient information or the facility network?
- Conduct human resource activities — such as background checks — electronically?
- Credential surgeons and anesthesia providers using the Internet or other electronic media?
- Conduct business with vendors electronically?
If you answer “yes” to any of the questions above, your ASC is at risk for technology liability. Because protection of patients’ information, as well as claims, financial, and personnel data, is critical to the success of your ASC, great care should be taken when developing and implementing policies and procedures for handling the information. Policies should be created not only to ensure patient privacy, but also to protect the financial assets of the organization.

The following list is representative of the areas for which policies and procedures should be developed, and it also includes some tips on implementing controls. It is by no means all-inclusive; rather, it is intended to be a starting point for mitigating technology risk. ASCs are well advised to engage the services of a security or privacy expert for a comprehensive risk assessment and/or network vulnerability scan.

CONSIDER INCLUDING THE FOLLOWING IN YOUR INFORMATION PRIVACY AND SECURITY PROGRAM
- Designate an individual as the head of information technology or chief information security officer.
- Develop a formal policy regarding privacy and the security of information. All employees and providers should receive training on the policy and be required to sign codes of conduct that include the protection of confidential information.
- Give each employee and provider an individual network password and require that it be changed at least every 90 days.
- Immediately change default settings and revoke passwords for employees and providers who are no longer employed by or doing business with your ASC.
- Face computer screens away from patient view and program them to automatically shut down when not in use.
- Perform periodic data and technology audits.
ENSURE THE SECURITY OF YOUR NETWORK
- Invest in a system that provides appropriate access to internal and external networks.
- Build appropriate Internet firewalls.
- Encrypt all data that is transmitted.
- Invest in anti-virus software that is updated regularly.
- Implement a disaster recovery plan.
- Ensure redundant systems.
- Include a backup system that is stored off site, in a secure location.
- Intermittently test redundant and backup systems.
- Create a policy for responding to the theft or loss of information.
- Develop algorithms for investigations.
- Include how and when individual patients will be notified.
CONTROL YOUR VENDORS
- Educate vendors on your center’s policies.
- Query all vendors about their information security systems.
- Include indemnification provisions in all contracts with vendors.
- Require all vendors and consultants to sign confidentiality agreements.
- Develop a compliance checklist for vendors.
- Review your insurance coverage to determine if it covers contingent bodily injury, the cost of patient notification, fines, fees, and penalties, and replacement of stolen hardware.
You can begin to build an estimate of the financial impact a data loss might have on your ASC by visiting Darwin’s data loss cost calculator, which can be accessed at www.tech-404.com/calculator.html.

ASCs that use information technology are at increasing risk for claims and technology losses. Policies and procedures that contemplate and manage risks such as identity theft, network outages, and data privacy and security should be significant components of your ASC’s risk management program.

Darwin Professional Underwriters, Inc. provides specialty liability insurance solutions to the healthcare industry. Its healthcare experts provide tailored insurance programs to niche segments of the industry, like ASCs, that address specific coverage challenges and areas of exposure. Darwin provides general risk management information as a service to its clients; this information is not meant to be legal advice. Consult your legal counsel or other professional in connection with insurance, claim, risk management, or other legal issues specific to your organization.