Specialty provider groups in fields like dermatology, gastroenterology, ophthalmology, women’s health, and dental care, backed by private equity, represent a forward-thinking model for patient care. These groups streamline the administrative burdens associated with running medical or dental practices, enabling providers to focus on patient care while maintaining their autonomy. Their rapid growth is driven by strategic acquisitions, advanced management practices, and economies of scale.
However, mergers and acquisitions often introduce what Kemba Walden, the former acting National Cyber Director, refers to as “cracks” where vulnerabilities can lurk, ready to be exploited by attackers.
These cracks often emerge from the complexities of integrating new practices, each with its own set of locations, information systems, programs, and digital assets. Such systems frequently lack essential cybersecurity controls and harbor unknown risks. Additionally, inadequate policies and procedures, combined with insufficient cybersecurity awareness among staff, can weaken the security posture of these rapidly expanding provider groups. This gap has frequently led to ransomware attacks and data breaches.
While there are numerous best practices that specialty provider groups should implement, several key practices are commonly neglected or poorly executed:
Comprehensive Risk Analysis
Many medical practices conduct only superficial risk assessments, overlooking the need for a thorough, asset-based risk analysis. High-level assessments fail to identify specific vulnerabilities, threats, and controls related to individual information assets like EHR systems, patient portals, telehealth apps, and imaging systems. This oversight has led to numerous preventable breaches. A risk analysis that doesn’t encompass all information assets and their components also risks non-compliance with HIPAA regulations. The Office for Civil Rights automatically investigates breaches involving 500 or more records, emphasizing the importance of adhering to its Final Guidance for risk analysis.
Tailored Employee Training
Phishing and other forms of social engineering remain the top initial threat vector in cyberattacks. Employees who are not properly trained or vigilant represent a significant vulnerability. Sophisticated social engineering attacks often combine vishing (voice), smishing (text), and phishing (email). It's crucial to cultivate a culture where employees recognize their role in security, understanding that attackers are actively trying to deceive them into disclosing credentials or clicking malicious links.
Comprehensive Risk Analysis Leverage Recognized Cybersecurity Frameworks
Healthcare providers should adopt established cybersecurity frameworks, such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) and the Department of Health and Human Services’ (HHS) 405(d) Health Industry Cybersecurity Practices (HICP). These frameworks offer best practices to build resilient cybersecurity measures that are suitable for their organizations and are effective against the evolving threat landscape. They also facilitate compliance with regulatory requirements and can provide legal benefits in case of enforcement actions. Public Law 116-321 mandates that OCR consider an organization’s adherence to recognized security practices, potentially reducing fines, audit durations, and other enforcement actions.
Ongoing Vulnerability Detection and Remediation
With each acquisition, new technical vulnerabilities are introduced. Although not all pose immediate threats, a holistic approach to vulnerability management is crucial. Organizations need continuous visibility into which vulnerabilities present the highest risks and must be adept at quickly identifying and addressing new vulnerabilities before they are exploited by cybercriminals.
Threat Monitoring, Detection, and Response
Even with robust cybersecurity measures, some risks cannot be eliminated. New vulnerabilities, stolen credentials, or insider threats can still pose significant risks. Therefore, healthcare providers must have ongoing monitoring systems in place to detect indicators of compromise. This involves gathering data from log files, employing endpoint protection, and escalating security incidents based on predefined rules or attack indicators. Rapid response and containment are critical, as even a few minutes can significantly impact the outcome of an attack.
In conclusion, while specialty provider groups offer many benefits, they must remain vigilant about cybersecurity by implementing comprehensive risk analyses, tailored employee training, recognized frameworks, and robust monitoring and response systems.
Physicians Practice | July 30, 2024