15-Jun-2011
We have organized a strategic approach to meeting our obligations to protect the Patient Safety Work Product (PSWP) that is generated through the use of our services. We have retained Compliance Helper, a web application and consulting service provider, to help us with policy and procedure documentation and adherence. With the guidance of Compliance Helper and procedural documents from NIST, we have completed a thorough review of: the data that we collect, process, store, and disseminate (collectively "handle"); the processes by which we handle the data; the individuals providing and accessing the data; the facilities where the data is physically housed; the technical means by which we handle the data; the potential impact of a breach of our data system; the risks inherent in our processes; the active threats against our system; and the available controls and technical means for protecting our system.
Our main strategic approach to securing the data involves:
1) Restricting the data collected. We only collect data that truly adds value to the analytical capabilities of our system. By doing this, we believe that we have reduced the potential privacy impact of a data breach on individual patients to almost nil; however, we recognize that an inherent potential for harm to the reputations of the providers we serve remains.
2) Promoting an attitude of security-mindedness. Though we seek to minimize the impact of a security breach by minimizing the extent of the data collected, we emphasize to our associates and clients the importance of protecting PSWP. We have labeled PSWP in the system with reminders of the potential for civil money penalties in the event of wrongful disclosure.
3) Centralizing PSWP within our system. We seek to consolidate PSWP within the confines of our main system. Through policies, procedures, training, notification, and the structure of the application itself (including limited de-identification features), we work to convince and enable our associates and users not to distribute PSWP, in either electronic or printed form, beyond what is truly needed in the course of proper use of the information.
4) Controlling access to our system. We have implemented a role-based user access system that allows the Account Administrator to restrict each user's access to the data based on that user's specific sphere of involvement and access needs. For example, MRI Supervisors are limited to accessing data related to MRI exams.
5) Facilitating minimization of disclosure. Because the information we provide is actually used to organize group efforts at quality improvement, we have incorporated a limited de-identification feature into our reports and analysis interface that obscures the true names of the individuals directly involved in the PSWP (as subjects, participants, or reporters). We convey to our users that this is in no way a substitute for minimizing distribution of PSWP, and that this feature does not meet the standards for true de-identification of the data: other details in a record can still identify the people involved. It merely enables users to present data without overt reference to specific individuals.
6) Utilizing a state-of-the-art hosting service provider. We currently use GoGrid resources to host our system. The physical residence of our system and data is protected by their facility, which has undergone a SAS 70 Type II audit (an independent auditor's report on the provider's controls over time, rather than a certification).
7) Obtaining professional guidance for regulatory compliance. We currently employ Compliance Helper to assist us with establishment and maintenance of our information security program. Their services include a direct line of contact with a single consultant supported by a team of consultants. They also provide an innovative online solution that helps us to stay current in maintenance tasks and with updates to regulatory requirements.
8) Embracing transparency and accountability. The HITECH Act requires our clients to obtain assurance that we remain compliant with HIPAA/HITECH regulations. The Compliance Meter™ provided through our engagement with Compliance Helper allows our current and prospective clients to see at a glance the status of our regulatory compliance and our adherence to our policies. If a client or prospective client seeks further assurance, we provide tiered access to our program documentation. In the first tier, we will provide temporary access to our general security documentation, and in the second tier, we will show (not release) more specific documentation and answer direct questions. We are glad to receive any input and will respond to reasonable suggestions for bolstering our security.
9) Maintaining a Cyber-liability Insurance Policy.
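The following is an added illustration of the two application-level controls described in items 4 and 5 above: role-based access scoped by the Account Administrator (deny by default, so a user with no assigned scope sees nothing), followed by the limited name-obscuring applied to a report. It is example code written for this page, not the vendor's software; the record layout, role names, scope fields, and sample PSWP rows are all constructed assumptions.

```python
"""Example (not the vendor's code): scoped role-based access to PSWP records,
then per-report obscuring of reporter and subject names.

Assumptions: a record carries a modality and a facility; the Account
Administrator assigns each user a role plus the modalities and facilities
that user may see ("*" meaning all). Data below is constructed.
"""
from dataclasses import dataclass

ALL = "*"  # wildcard scope assigned by the Account Administrator

# Constructed sample PSWP records (fictional people and events).
RECORDS = [
    {"id": 1, "modality": "MRI", "facility": "North", "reporter": "Dana Lee",
     "subject": "Pat Ortiz", "event": "contrast reaction"},
    {"id": 2, "modality": "CT", "facility": "North", "reporter": "Sam Ng",
     "subject": "Lee Park", "event": "wrong laterality flagged"},
    {"id": 3, "modality": "MRI", "facility": "South", "reporter": "Dana Lee",
     "subject": "Kim Ray", "event": "missed screening question"},
]

# Which actions each role may perform; unknown roles get nothing.
ROLE_PERMISSIONS = {
    "account_admin": {"read", "manage_users"},
    "modality_supervisor": {"read"},
    "quality_reviewer": {"read", "export"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    modalities: frozenset  # e.g. {"MRI"}; empty set means no access at all
    facilities: frozenset  # e.g. {"North"} or {"*"}


def can(user, action):
    """Role check: deny unless the role explicitly grants the action."""
    return action in ROLE_PERMISSIONS.get(user.role, set())


def in_scope(allowed, value):
    return ALL in allowed or value in allowed


def visible_records(user, records):
    """Scope check: a record is visible only if both its modality and its
    facility fall inside the user's assigned scope. No scope, no records."""
    if not can(user, "read"):
        return []
    return [r for r in records
            if in_scope(user.modalities, r["modality"])
            and in_scope(user.facilities, r["facility"])]


def obscure_names(records):
    """Replace reporter/subject names with labels assigned per report in order
    of first appearance. The same person keeps one label within this report
    (needed for analysis), but labels are not stable across reports. This is
    NOT de-identification: event text, modality and facility are untouched."""
    labels = {}
    out = []
    for r in records:
        row = dict(r)
        for field in ("reporter", "subject"):
            key = (field, r[field])
            if key not in labels:
                n = sum(1 for k in labels if k[0] == field) + 1
                labels[key] = f"{field.capitalize()} {n}"
            row[field] = labels[key]
        out.append(row)
    return out


def build_report(user, records=RECORDS, obscure=True):
    """Scope first, then obscure: names are replaced only on rows the user may see."""
    rows = visible_records(user, records)
    return obscure_names(rows) if obscure else rows


# Sample users as the Account Administrator might configure them.
ADMIN = User("Admin", "account_admin", frozenset({ALL}), frozenset({ALL}))
MRI_SUPERVISOR = User("MRI Supervisor", "modality_supervisor",
                      frozenset({"MRI"}), frozenset({ALL}))
NEW_USER = User("Unassigned", "modality_supervisor", frozenset(), frozenset())

if __name__ == "__main__":
    for row in build_report(MRI_SUPERVISOR):
        print(row)
```

Running it shows the MRI Supervisor receiving only the two MRI records, with "Dana Lee" rendered as "Reporter 1" on both rows and the two patients as "Subject 1" and "Subject 2"; the unassigned user receives nothing. Note that the obscured rows still carry the facility, modality and event description, which is exactly why the page warns that this feature does not de-identify the data.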
Thank you for taking interest in our security program. Please do not hesitate to contact us if you have any questions.