A path to cybersecurity

Practice Management
December 2021

by Brendan Gallagher

In the cybersecurity landscape, the only constant is change. There are new attacks and breaches every single day. How can a practice begin to keep up with ransomware, phishing attacks, vendor breaches, bad actors, and the regulatory environment? It feels like an overwhelming problem with no relief in sight, and it’s enough to make many practices throw up their hands and leave their fortune to fate. It doesn’t have to be this way. Taking an incremental, stepwise, practical approach, you can make a difference in cybersecurity posture and help protect your practice and maintain compliance.


They say Rome wasn’t built in a day, and neither is cybersecurity. But how do you start, and where do you begin? You need a plan. There are many frameworks available to help build a cybersecurity plan, and so much advice and material online, that the result can be analysis paralysis. A good place to start is a standardized, well-supported framework that gives you a map and tells you what to do along the way. The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is a widely recognized framework that has been adopted not only here in the U.S. but by countries all over the world. It is written for any business, not just healthcare, and it identifies the key areas a security program must cover. Earlier this year, HR 7898 amended the HITECH Act. How does that affect a healthcare practice? The amendment directs HHS to consider whether a practice has had recognized security practices, such as the NIST CSF, in place for the previous 12 months when it decides on HIPAA fines, the length and scope of audits, and other remedies. It is not immunity from enforcement, but it is a potential safe harbor that can reduce fines and shorten audits.

The NIST CSF has five core functions: Identify, Protect, Detect, Respond, and Recover. Each core function is broken down into categories and subcategories that provide focused objectives. This is not an all-or-nothing framework. Taking a one-step-at-a-time approach, it is easier to implement and can be customized to meet the needs of the practice.

Identify

This step involves taking inventory of the organization’s assets, which include personnel, systems, software, processes, and the practice’s risk profile. While that sounds like a lot, much of the data required probably already exists somewhere. For instance, a physical inventory of computers, and the software installed on them, is a common feature of many management software systems. Human resources and accounting can provide data on personnel and vendors. This is also the step where risk priorities are established. As the saying goes, fish where the fish are. The same goes for assessing risk. Phishing is consistently among the most common ways attackers first get into an organization. Identifying phishing as a high risk shapes the organization’s strategy and the protections it puts in place. Know what the biggest risks are and focus efforts on them. Systems outside the practice walls also belong in this inventory. Websites and other external portals can affect patients’ personal devices and the practice’s reputation if they are breached or compromised.

Protect

Protection is where many organizations focus their efforts. This includes the “techie stuff” of user management, training, and data security and protection. Most practices already have technical protections in place: security software, hardware such as firewalls, data encryption, and backups of critical data. While technical protections are often in place, physical security is frequently overlooked. Easy access to critical pieces of infrastructure can negate the best technical protection mechanisms. Another neglected but critical piece of security is user training and awareness. In a busy practice it is difficult to fit in one more training or in-service. Yet taking the time to educate users on the basics of cybersecurity is one of the best defenses against the common threats that carry the highest risk.

Detect

You can’t manage what you can’t measure. Detection involves monitoring activity across systems, software, and personnel. This stage can be difficult. The bad actors of the world are very good at avoiding detection and covering their tracks, and malware can stay hidden for long periods of time without raising suspicion. Establishing a baseline of normal system activity is important, because an alert is only meaningful as a deviation from that baseline. The software and hardware implemented to protect assets often also provide monitoring and alerting on malicious behavior. Defining what constitutes an alert, and which staff and systems receive the notification, is critical in this step. Practices must find the right balance so that notifications get the attention of the right people without drowning them in noise.

Risk priority is important and individual to each practice. The NIST CSF includes profiles for prioritizing goals around what matters most to your practice. That allows a practice to focus on high-risk items first and decide how to allocate limited time and resources. The NIST CSF also defines implementation tiers that describe how rigorous and repeatable a practice’s risk management is. These tiers let the practice set goals based on what it is able to handle and can afford.

Respond

What would you do if you walked into your practice and all systems were encrypted? Who do you call? How did it happen? How are you going to contain and mitigate the issue? Scenarios like this one need to be planned for ahead of time. Having a fully developed response plan, and knowing what to do in an emergency, can make all the difference in restoring normal practice function. The Respond function covers answering these questions in advance: communication, analysis, mitigation, and improvements to detection processes. Response is more than IT analyzing what happened or trying to stop the technical cause of a breach. Management must be involved to determine the proper messaging and the required communication to authorities and patients. Third parties such as digital forensics firms may also need to be involved, depending on the incident and what is required.

Recover

The Recover phase restores business functions, but this involves more than IT teams and technical processes. Management teams must be involved regarding how to effectively communicate and restore trust and reputation among vendors and patients. Recover also includes planning and adapting for the future. Implementing lessons learned into existing plans can be beneficial to the entire organization in preventing future incidents.

“I don’t have time for this,” “A breach won’t be that bad,” or “This costs too much” are commonly heard statements regarding cybersecurity. The average cost per healthcare record stolen or lost in 2019 was $429 [1]. That can be devastating to practices and patient safety and makes the time and effort worthwhile.

No one thinks a breach will happen to them, and there is no such thing as a perfect cybersecurity system. It’s an on-going process to find the right balance based on the individual needs of an organization. Take the steps to start the journey and put the necessary items in place to protect your practice and your patients.

About the author

Brendan Gallagher
Information Systems Specialist
Medical Consulting Group
Springfield, Missouri

Reference

  1. Ponemon Institute and IBM Security. 2019 Cost of a Data Breach Report. 2019.

Contact

Gallagher: bgallagher@medcgroup.com