Don't overlook these five best practices for cybersecurity at your specialty group.
Private equity-backed specialty provider groups like dermatology, gastroenterology, ophthalmology, women’s health, and dental care offer a progressive model for patient care that helps alleviate the administrative burden of running a medical or dental practice while helping providers maintain autonomy and focus on patients. These groups tend to grow quickly through strategic acquisitions, the implementation of sophisticated management practices, and economies of scale.
But mergers and acquisitions often leave what Kemba Walden, the former acting National Cyber Director, describes as “cracks” where vulnerabilities can hide, waiting for an attacker to exploit them.
Some of these cracks form from the challenges of adding new practices, often with multiple locations and a variety of information systems, programs, and digital assets. It’s typical for these systems to lack foundational cybersecurity controls and to carry unknown risks. And it’s not only technology that creates risk. A lack of mature, well-implemented policies and procedures, coupled with lackluster workforce cybersecurity awareness, frequently weakens the cybersecurity posture of a quickly growing provider group and, in countless cases, has been the root cause of ransomware attacks and breaches.
While there are more than five best practices that specialty provider groups should have in place, the following are commonly overlooked or completed haphazardly.
Comprehensive risk analysis
It’s common to find that a medical practice’s risk analysis is inadequate, often because the practice opts to perform a high-level assessment of security controls instead of a comprehensive asset-based risk analysis. A high-level assessment doesn’t include specific assessments of the unique vulnerabilities, threats, and mitigating controls of individual information assets, for example, EHR systems, patient portals, telehealth apps, and imaging systems. There have been hundreds of attacks on practice groups that exploited unmitigated vulnerabilities, leading to highly preventable breaches. It’s also important to note that a risk analysis that doesn’t include all of an organization’s information assets and their components puts it at risk of non-compliance with HIPAA. All organizations that have reported a breach of 500 or more records are automatically investigated by the Office for Civil Rights, which has publicly stated that compliance with its Final Guidance for risk analysis is its number one focus.
Tailored employee training
Phishing and other forms of social engineering are still the number one initial threat vector in cyberattacks, meaning untrained or careless workforce members remain your #1 vulnerability. Social engineering attacks are becoming more sophisticated, often combining vishing (voice), smishing (text), and phishing (email) communications. Your employees need to understand that it is someone’s full-time job to trick them into giving up their credentials, clicking a malicious link, or otherwise opening up access to your network. Create a culture where everyone understands that they are members of the security team.
Leverage a recognized cybersecurity framework
Healthcare providers should leverage recognized cybersecurity frameworks such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) and HHS’s 405(d) Health Industry Cybersecurity Practices (HICP). These frameworks offer best practices for building strong, resilient cybersecurity programs that are reasonable and appropriate for the organization, are known to safeguard organizations against a rapidly changing threat landscape, and are useful for demonstrating conformance with recognized cybersecurity practices to regulators or in the event of litigation.
The Cybersecurity Framework (CSF) 2.0 is designed to help organizations of all sizes and sectors to manage and reduce their cybersecurity risks. The NIST CSF describes desired outcomes intended to be understood by a broad audience, regardless of their cybersecurity expertise.
405(d) HICP is another recognized security framework developed to address the top five cyber threats to healthcare. It is broken out by small, medium, and large organizational size, so it is reasonable and appropriate for each.
An additional benefit of leveraging (and documenting!) recognized cybersecurity practices is the legal protection that may be afforded to your organization in the case of an enforcement action by OCR. Public Law 116-321 mandates that OCR consider an organization’s implementation of recognized security practices, which can mitigate fines, shorten the length of an audit, or mitigate other enforcement actions.
Ongoing vulnerability detection and remediation
It’s common to acquire hundreds of technical vulnerabilities with each acquisition and location, though not all of them will pose a critical threat to the organization. The best approach to vulnerability management is a holistic one in which, through a continuous process, organizations gain visibility into which vulnerabilities pose the greatest risk. New vulnerabilities are identified constantly and quickly exploited by cybercriminals. This means that healthcare providers must be adept at scanning and remediating vulnerabilities within days, not months.
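The passage above describes the core of a holistic vulnerability management process: rank each finding by the risk it poses to the organization and remediate within days rather than months. The following Python script is an added illustration of that ranking step and is not code from the article or its authors. Every finding, asset name, score weight, and SLA window in it is constructed for the example; the asset criticality values are assumed to come from the organization's asset-based risk analysis.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Finding:
    """One scanner finding, joined with asset context from the risk analysis."""
    finding_id: str        # constructed placeholder, not a real CVE or ticket id
    asset: str             # constructed asset name
    cvss: float            # base severity reported by the scanner
    asset_criticality: int # 1 (low) .. 3 (high), assigned by the risk analysis
    known_exploited: bool  # assumed feed flag: exploited in the wild
    discovered: date

# Assumed remediation windows per risk tier (days from discovery).
SLA_DAYS = {"critical": 3, "high": 14, "medium": 30, "low": 90}

def risk_score(f: Finding) -> float:
    """Weight scanner severity by how much the asset matters, then bump
    findings that attackers are already exploiting."""
    weight = 0.5 + 0.25 * f.asset_criticality   # 0.75, 1.0 or 1.25
    score = f.cvss * weight
    if f.known_exploited:
        score += 2.0
    return round(score, 2)

def tier(score: float) -> str:
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def prioritize(findings: list[Finding], today: date) -> list[dict]:
    """Return findings ordered by risk, each with its tier, due date and
    whether the SLA has already been missed."""
    rows = []
    for f in findings:
        score = risk_score(f)
        t = tier(score)
        due = f.discovered + timedelta(days=SLA_DAYS[t])
        rows.append({
            "finding_id": f.finding_id,
            "asset": f.asset,
            "score": score,
            "tier": t,
            "due": due,
            "overdue": today > due,
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)

def overdue_ids(findings: list[Finding], today: date) -> list[str]:
    """Findings that have blown their remediation window, most urgent first."""
    return [r["finding_id"] for r in prioritize(findings, today) if r["overdue"]]

# Constructed findings, as might arrive from a scan of a newly acquired location.
FINDINGS = [
    Finding("VULN-001", "imaging-server-01", 9.8, 3, True,  date(2024, 5, 1)),
    Finding("VULN-002", "front-desk-pc-07",  7.5, 1, False, date(2024, 5, 1)),
    Finding("VULN-003", "patient-portal",    6.5, 3, False, date(2024, 5, 1)),
    Finding("VULN-004", "lobby-kiosk-02",    3.1, 2, False, date(2024, 5, 1)),
]

if __name__ == "__main__":
    for row in prioritize(FINDINGS, date(2024, 5, 10)):
        flag = " OVERDUE" if row["overdue"] else ""
        print(f'{row["finding_id"]:9} {row["asset"]:18} {row["score"]:5} '
              f'{row["tier"]:8} due {row["due"]}{flag}')
```

Note how the medium-criticality imaging server with a known-exploited flaw lands at the top with a three-day window, while a higher CVSS score on a low-value front-desk PC drops to the medium tier; the point of joining scan output with the risk analysis is exactly that reordering.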
Threat monitoring, detection, and response
However good an organization’s cybersecurity protections are, no one can eliminate all risk. There is always the potential for a new vulnerability, stolen credentials, an insider with access to ePHI, or some other way in. Healthcare providers must have ongoing monitoring in place to detect indicators of compromise. This involves collecting information from log files, having endpoint protection in place, and orchestrating and escalating events to a security analyst based on rules or indicators of attack. And when responding to and containing an attack, minutes can matter.
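To make the monitoring loop described above concrete, here is an added Python example (not code from the article or from Clearwater) that reads a handful of constructed log lines, applies a few detection rules, and separates the events that warrant an analyst's attention from the rest. The log format, host and user names, IP addresses, thresholds and rule names are all assumptions made for the example; a real deployment would feed the same logic from a SIEM or log pipeline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an assumed "timestamp key=value ..." format.
LOGS = [
    "2024-05-10T02:14:05Z host=ehr-app-01 src=203.0.113.5 user=jsmith event=login_failed",
    "2024-05-10T02:14:20Z host=ehr-app-01 src=203.0.113.5 user=jsmith event=login_failed",
    "2024-05-10T02:14:41Z host=ehr-app-01 src=203.0.113.5 user=jsmith event=login_failed",
    "2024-05-10T02:15:02Z host=ehr-app-01 src=203.0.113.5 user=jsmith event=login_failed",
    "2024-05-10T02:15:30Z host=ehr-app-01 src=203.0.113.5 user=jsmith event=login_failed",
    "2024-05-10T02:16:00Z host=ehr-app-01 src=203.0.113.5 user=jsmith event=login_success",
    "2024-05-10T03:10:12Z host=ehr-app-01 src=10.0.4.22 user=rjones event=phi_export records=1200",
    "2024-05-10T08:45:33Z host=front-desk-pc-07 src=10.0.7.15 user=mlee event=edr_alert signature=constructed.test",
    "2024-05-10T09:00:01Z host=ehr-app-01 src=198.51.100.7 user=akim event=login_success",
]

FAILED_THRESHOLD = 5            # assumed: failures from one source within WINDOW
WINDOW = timedelta(minutes=10)
OFF_HOURS_END = 6               # assumed: exports before 06:00 are unusual

def parse_line(line: str) -> dict:
    """Split a log line into a dict of fields plus a parsed timestamp."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.fromisoformat(ts.rstrip("Z"))
    return fields

def detect(lines: list[str]) -> list[dict]:
    """Apply the detection rules in event order and return the alerts raised."""
    alerts = []
    failures = defaultdict(list)   # src -> recent failed-login timestamps
    burst_sources = set()          # sources that already tripped the burst rule

    for ev in map(parse_line, lines):
        kind = ev["event"]
        src = ev.get("src", "")

        if kind == "login_failed":
            # Keep only failures inside the sliding window, then test the count.
            recent = [t for t in failures[src] if ev["ts"] - t <= WINDOW]
            recent.append(ev["ts"])
            failures[src] = recent
            if len(recent) >= FAILED_THRESHOLD and src not in burst_sources:
                burst_sources.add(src)
                alerts.append({"rule": "failed_login_burst", "severity": "high",
                               "src": src, "user": ev["user"], "ts": ev["ts"]})

        elif kind == "login_success" and src in burst_sources:
            # A success right after a burst is the strongest sign of compromise.
            alerts.append({"rule": "login_after_burst", "severity": "critical",
                           "src": src, "user": ev["user"], "ts": ev["ts"]})

        elif kind == "phi_export" and ev["ts"].hour < OFF_HOURS_END:
            alerts.append({"rule": "off_hours_phi_export", "severity": "medium",
                           "src": src, "user": ev["user"], "ts": ev["ts"]})

        elif kind == "edr_alert":
            # Endpoint protection already decided; forward its verdict.
            alerts.append({"rule": "edr_alert", "severity": "high",
                           "src": ev["host"], "user": ev["user"], "ts": ev["ts"]})

    return alerts

def escalate(alerts: list[dict]) -> list[dict]:
    """Events that go to the analyst queue immediately; medium ones wait for triage."""
    return [a for a in alerts if a["severity"] in ("critical", "high")]

if __name__ == "__main__":
    found = detect(LOGS)
    for a in found:
        print(f'{a["ts"]:%H:%M:%S} {a["severity"]:8} {a["rule"]:22} {a["user"]} from {a["src"]}')
    print(f"{len(escalate(found))} of {len(found)} alerts sent to an analyst")
```

The first five lines alone raise one high alert; the sixth turns it into a critical one, which is the kind of sequencing a rule engine must preserve because, as the passage notes, minutes matter once an attacker is inside.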
Steve Cagle is the CEO and a board member of Clearwater, assuming the CEO position in May 2018. Mr. Cagle is responsible for leading Clearwater’s strategic growth plan and managing the company’s overall operations. He has extensive experience leading, innovating, and scaling healthcare and technology businesses, including guiding numerous companies through critical transformation periods.
Scott Dever is a highly accomplished technology executive with over two decades of experience driving growth and innovation in the restaurant, healthcare, and dental industries. Currently serving as the Chief Information Officer (CIO) of Gen4 Dental Partners, he is responsible for leading the company's technology strategy and operations, overseeing data analytics, infrastructure, and cybersecurity.