A task force assembled by the US Department of Health and Human Services (HHS) recently released Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). This set of recommendations for health care providers offers ways to reduce cybersecurity risks. The group focused on such cybersecurity practices as email and end point protection, asset and access management, data protection, network and vulnerability management, incident response plans, medical device security, and cybersecurity policies.

KLAS Research and the College of Healthcare Information Management Executives (CHIME) recently worked together to survey organizations of all sizes to see where they stood in these areas. They found that many practices were doing what the task force recommended. Smaller organizations, however, frequently had room to improve cybersecurity measures. Possible reasons include financial constraints and lack of an IT workforce.

Allocating a budget

Jon Moore, Chief Risk Officer at Clearwater Compliance LLC, based in Nashville, Tennessee, said the survey essentially reflected what he sees in the industry. Practices that “have a higher level of sophistication and scale” tend to have a stronger cybersecurity program. “They have a better ability to address controls identified in HICP, which comes through clearly,” Moore said.

To improve their cybersecurity programs, practices should focus on the most effective programs they can implement for the dollars they have to spend, he said. Though that sounds relatively simple, it takes a solid understanding of regulations and how their organization functions.

“They should be proactively thinking about how best to allocate the budget they have to reduce their risk,” Moore said. “It requires knowledge of what their risks are and where they reside. This means doing a risk analysis, which is required, but not everyone is doing.” In other words, organizations should know their strategic objectives and compare those with HIPAA regulations and HICP recommendations.

HIPAA requires organizations to have a security official named—though not necessarily a chief information security officer (CISO)—who is responsible for the development and implementation of the policies and procedures required by HIPAA, but Dan Dodson, president of Fortified Health Security, of Franklin, Tennessee, said “a lot of physician groups still do not have one.” Practices can outsource the position of security official, but this can be quite costly for smaller organizations. The HICP survey found that small organizations are 4 times less likely than big ones to have a CISO.

Vulnerability testing is another HCIP-recommended cybersecurity measure. In the survey, about 90% of large organizations and 60% of small ones said they were scanning their systems at least quarterly. Dodson said the best practice would be to scan monthly, but executing consistently each month requires resources and buy-in. Groups must understand their options and associated costs and weigh that against their risk tolerance. “Most aren’t having that sophisticated a conversation about this,” Moore said.

Back to basics

For smaller practices wanting to save money, Moore said free online tools like HHS’ Security Risk Assessment Tool are an option. This will not guarantee a group is HIPAA compliant, but “it’s better than nothing,” he said. It provides a starting point for an organization to understand what they need to do to move towards HIPAA compliance and begin to understand their level of risk. Plugging the holes identified through the use of the tool can go a long way in reducing risk for the organization and its patients as well as preventing additional compliance problems should a breach occur.

Even though ransomware and phishing scams are changing constantly, organizations with good controls in place, such as encryption, decrease their vulnerability to whatever threats might come their way.

For instance, when HIPAA was new, Moore said there were constant reports of breaches related to stolen laptops. Those are happening less today because organizations are finally beginning to encrypt their data. Laptops are still stolen, but with encryption they do not have to be reported to HHS.