If you are a healthcare provider that accepts Medicare, then you have likely seen and heard the acronyms MACRA, MIPS, and EHR hundreds of times in 2017.
You may have chosen to attest to MIPS for the entire calendar year, or perhaps you are gearing up to begin reporting in the final 90 days of 2017. You also may have chosen to begin reporting in 2018. Whichever path you have selected, are you aware that before medical practices participate in MIPS they must prove that patient health information contained in EHR and elsewhere in their practice is protected by performing a security risk assessment (SRA)?
You wouldn’t take a road trip without first checking your oil and tire pressure, or fly in an airplane that hasn’t had its regular safety check. Similarly, you shouldn't initiate company culture change without first assessing your current security posture. The initial assessment will expose critical risk factors and set the course for policy and procedure updates. Some organizations embark on a program to strengthen their security infrastructure without first performing a comprehensive assessment. That’s a mistake. They risk misallocating resources and failing to address their most critical vulnerabilities.