Was there something I could have done differently? I heard that question again this week. In fact, I have heard this question repeatedly over the past several years. I have heard this question in cases from hardware failures to ransomware attacks. At some point, usually the doctor, but sometimes the practice manager, will ask, "Was there something I could have done differently?"
My answer is always a resounding yes.
Yes! Create and implement a security management plan, which is an ongoing, ever-evolving process. A security management plan is the security strategy for the practice.
Debi Carr of DK Carr & Associates.A strong security management plan begins with identifying what information is critical to the operation of the business, such as accounting software and, of course, the practice management application. Often patient information is also housed in other applications as well, so it is critical to your plan to know where your information is created, transmitted, and stored.
Yes! A risk analysis is a good place to start. It is required under HIPAA, but it also provides an overview of your security posture. A risk analysis should be conducted annually or whenever there are changes to the environment.
Another facet of a strong security management plan is policies and procedures that direct your team on how patient and practice information should be processed. These policies and procedures should be written and available to all team members.
Yes! Team members should receive regular training on your practice's security policies and procedures, as well as awareness training. We know that most infections enter a practice through malicious emails. Training team members to identify these emails is critical to a strong security management plan.
Yes! Create and implement a backup protocol that allows for a quick recovery. Full-system onsite backups allow for the quickest recovery. Offsite backups preserve critical data but do not allow for a quick recovery time. Both are important to have, but both have different functions. There should always be a backup that is not connected to the network. Too often, when threat actors gain access, they delete the onsite and the offsite backups. Having a backup of the backups helps to guard against this scenario. Testing the backups should also be part of your security management plan.
A strong security management plan is required under HIPAA. Too often, private practices ignore HIPAA requirements, thinking they are too small or that it is just too expensive. Sadly, small practices are actually the prime targets of cyberattacks -- and those attacks can be very expensive.
On July 23, 2020, the Office for Civil Rights (OCR) levied a fine of $25,000 against a small practice for failing to protect the practice against a cyberattack. The OCR's investigation found "longstanding, systemic noncompliance with the HIPAA Security Rule," according to a statement. Specifically, the practice "failed to conduct any risk analyses, failed to implement any HIPAA Security Rule policies and procedures, and neglected to provide workforce members with security awareness training until 2016." In addition to the fine, the practice will be monitored for the next two years.
"Healthcare providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals' health information," said OCR Director Roger Severino.
Cyberattacks are up 120% since February. Small healthcare practices are prime targets. A strong security management plan can help protect a practice from an attack and, more importantly, help it to recover quickly.
"Was there something I could have done differently?"
Yes, you should have had a strong management plan.
Debi Carr is the CEO of DK Carr & Associates, a technology, compliance, and security consulting firm. She is a consultant and speaker and has more than 30 years of experience in technology and security.
The comments and observations expressed herein do not necessarily reflect the opinions of DrBicuspid.com, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.
