There aren’t many healthcare organizations these days that can afford a $9.44 million bill. Yet that’s the average cost of a data breach in the U.S. across all industries, and organizations of all sizes are at risk.
The 2022 IBM Cost of a Data Breach Report brings news that healthcare leaders, providers, and IT pros are all too familiar with: healthcare has had the highest average breach cost of any industry for 12 years in a row, reaching $10.10 million per breach in 2022.
The never-ending threat of data breaches is why HIPAA and regulatory compliance in healthcare evolve so quickly, and why the SAFER Guides are emerging as the newest risk mitigation tool. They started as voluntary self-assessments when ONC released them in 2014. Now, they’re required.
Let’s take a deeper dive into the SAFER Guides, explore how they protect patients, providers, and healthcare organizations, and explain how they fit into your overall cybersecurity plan.
What are the SAFER Guides?
SAFER stands for Safety Assurance Factors for EHR Resilience. The SAFER Guides are checklist-based self-assessments designed to promote safe EHR use and keep patients safe. In its late-2021 rulemaking, the Centers for Medicare and Medicaid Services (CMS) made an annual SAFER Guide self-assessment a requirement, beginning with the 2022 Performance Period, for clinicians in the Merit-Based Incentive Payment System (MIPS) and for hospitals in the Medicare Promoting Interoperability Program. For now, participants attest to having completed the assessment; the answers themselves are not scored.
The SAFER Guides aim to support providers. They’re designed to help optimize workflows, prevent adverse safety events, and improve provider productivity. There are nine SAFER Guides in all. Clinicians must complete one of the nine, the High Priority Practices guide. Hospitals must complete all nine guides.
The guides fall into three groups:
1. Foundational Guides
- High-priority practices – This assessment asks hospitals to identify high-risk and high-priority safety practices. To accomplish this, we recommend organizations create a multidisciplinary team that includes providers, pharmacists, administrators, and clinicians. It also may include your EHR vendor.
- Organizational responsibilities – This assessment focuses on human behavior and relationships. It asks how individuals interact with your EHR, how employees are trained in it, and how policies and procedures can help safeguard PHI.
2. Infrastructure Guides
- Contingency planning – Given the increase in ransomware attacks, contingency plans should be in place and practiced regularly at every healthcare organization. One big area of consideration: how do you handle unexpected system outages that create EHR downtime? That means documented downtime procedures, backups that are tested by actually restoring from them, and a known path back to normal operations once systems return.
- System configuration – This guide assesses the resiliency of an organization’s software and hardware configurations. The multidisciplinary team you form to assess high-priority practices will play a role in this and several other SAFER Guides, too.
- System interfaces – This assessment explores system integrations and interfaces between your EHR and ancillary systems. When done effectively, this assessment can help you identify potential cost savings.
3. Clinical Process Guides
- Patient identification – Ensuring proper patient identification and matching goes beyond your technology configurations. That’s why this guide also assesses the human element, including how well staff are trained to avoid risks like duplicate records and patient mix-ups.
- Computerized provider order entry with decision support – This SAFER Guide is all about optimization from start to finish. Evidence suggests that well-designed clinical decision support systems enhance quality of care and decrease medication errors.
- Test results reporting & follow-up – This assessment requires organizations to talk through all the elements that will create the safe and accurate communication of diagnostic test results with both providers and patients.
- Clinician communication – This last SAFER guide is designed to prevent communication breakdowns that can lead to patient harm in three additional areas: consultations and referrals, discharges, and clinician messaging relative to patients.
What other tools can help me prevent a healthcare data breach?
While the SAFER Guides represent a major step forward in improving EHR safety and resilience, they’re just one tool that hospitals and health systems should have in their cybersecurity toolbox. Three other must-haves:
Business Associate Agreements
Under HIPAA, a covered entity must enter into a Business Associate Agreement with every vendor that creates, receives, maintains, or transmits PHI on its behalf, and the agreement must define that vendor’s PHI-related responsibilities. That covers more vendors than many organizations realize, from the software companies you contract with to billing, transcription, shredding, and cloud hosting services. A vendor whose staff might only incidentally see PHI while doing unrelated work, such as the company that refills your water coolers, generally does not need one, but the question should be asked and the answer documented for each vendor.
Without a Business Associate Agreement—or with murky agreements—your PHI is at serious risk. One example: Conifer Revenue Cycle Solutions, which manages revenue and administration for healthcare providers, suffered a hack on January 20 that exposed patient information across six hospitals.
Accidental PHI Exposure Prevention
PHI exposure can happen almost anywhere, and bring expensive consequences with it. Novant Health recently notified 1.3 million patients of an accidental breach attributed to a misconfigured Meta pixel. The tracking pixel, placed on Novant Health’s patient portal as part of a promotional campaign that ran on Facebook in May 2020, sent data about patients’ portal activity to Meta. Third-party scripts and tracking tags on pages that handle PHI deserve the same scrutiny as any other vendor integration.
With the cost-per-stolen record hitting a seven-year global high ($164) in 2022 according to IBM, these types of accidental PHI exposures can add up quickly.
Corrective Action Plans
You don’t want to wait until a data breach happens and the HHS Office for Civil Rights (OCR) imposes a Corrective Action Plan on your organization. That recently happened to a dermatology practice in New England over a case of improperly disposed PHI.
Creating your own proactive Risk Management Plan will shore up your overall IT security. It also will show the OCR and other regulatory bodies that, in the event of a breach, your organization has made cybersecurity an ongoing priority.
How can Medcurity and DeliverHealth help with cybersecurity?
While SAFER guides are now mandatory, CMS didn’t offer any guidance on how to do them the right way. DeliverHealth and Medcurity can give you the technology and expertise you need to complete your SAFER Guides in a way that will also drive improvement.
Your organization may also benefit from other Security and Risk Management solutions. We can help you perform a Security Risk Assessment, review your policies and procedures, and develop quarterly action plans to make your organization fully compliant.
Cybersecurity is mission critical. So, arm yourself with knowledge. To get the full details about the SAFER Guides and healthcare data breaches, watch the full Explaining the SAFER Guides webinar. And if you want expert guidance from Medcurity and DeliverHealth, let’s talk.