One of the biggest struggles we see healthcare professionals experience nowadays is understanding their current level of security risk and how to manage security in a way that makes economic sense for their practice while reducing risk to an acceptable level.
While HIPAA compliance and abiding by the rule are among the main reasons a security management plan comes to the forefront of the discussion, the truth is that the real concern for many is how much they can afford to be the target of a successful cyber-attack. The answer is normally “very little”, which makes sense: regardless of the compliance requirements, the real cost of an attack could be the complete loss of your practice.
Regular businesses not subject to PCI or HIPAA compliance seldom survive the aftermath of a data breach. Imagine adding the cost of penalties when the breached data belongs to patients.
OCR fines have surpassed seven-digit figures, and after a decision is made later this year or in 2019 about sharing fines with affected customers, you can count on those numbers reaching sky-high values. No insurance policy will be enough to cover the fines, and the cost of staying in business may be too high for most practices.
So, what can a practice do to reduce this risk to a level where everyone is comfortable?
The first step is to perform a Security Risk Assessment. The annual Risk Analysis is already required by law and must be performed by an IT professional. Where most practices fall short is in following through on the results of the assessment.
The results of the risk assessment must be carried into a management plan that maintains your level of security. This is also mandated by law and is a tedious and time-consuming effort that requires IT expertise to be successful. One wrong step could mean expensive fines, increased insurance premiums, and damage to your reputation. Even if you have a plan in place today, maintaining compliance on an ongoing basis is tricky business when it comes to the technology-related safeguards mandated by HIPAA.
The Management Plan ranks individual issues based on their potential risk to the network while providing guidance on which issues to address by priority.
The IT Security Team then must fix the issues presented, establish new rules and policies that must be implemented and followed to bring the risk level down, and re-assess the resulting environment to document the change in risk level and confirm that the issues discovered have been resolved, restarting the whole process.
Ongoing internal security monitoring is also a must, to ensure that no changes to the environment are made without the IT Security Team’s knowledge, whether as a common situation found on unmanaged networks or as the result of regular maintenance and operation of the network.
Expecting the practice’s administrative staff to act as the security officer is not only unrealistic but a perfect recipe for failure. Administrative personnel not only lack the expertise and the time to perform such tasks but also have no way of knowing whether they are solving a present issue or creating a new one.
To find out if you are leaving your practice vulnerable, we are offering a FREE security assessment that will discover if you have the right systems in place to protect you!
The information we collect is not personally identifiable, gives us no access to your patient data or your network afterward, and is kept confidential. We use it only to generate the reports you need to fully understand your risk level and what actions need to take place to fix any problems we find.