Cybersecurity

Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information, extorting money from users via ransomware, or interrupting normal business processes. As the use of various forms of technology such as EMRs, Internet-connected medical devices, and health data sharing applications increase throughout the healthcare industry, so do cyber risks. The direct and indirect costs of a breach can be devastating. Healthcare industry data breaches and cyberattacks are on the rise costing the industry millions of dollars and placing physician practices at risk. Protecting your practice from cyberattacks is required by HIPAA and failure to take the necessary precautions can result in fines and prosecution in the event of a breach. Demonstrating you have taken every reasonable precaution will go a long way in mitigating any fines, lawsuits, or prosecution. 

Third-party breaches also impose a risk to the practice. A breach of a third-party's platform, like a clearinghouse or cloud-based EMR, not only affects practice operations, but the practice may have a shared responsibility for the breach even though they were not responsible for it. Many contracts used by cloud solution providers and EHR vendors include provisions that stipulate a shared responsibility with the customer for the security of the data being stored. Most of these contracts will try to limit the vendor's liability for both service outages and breach incidents. Review all third-party vendor contracts with for these provisions and negotiate with the vendor to remove such stipulations from the contract. Any contract should also be reviewed by legal counsel to identify any other provisions that may be detrimental to the practice. Review the HITRUST Ultimate Solution to Managing Third-Party Cyber Risks resource for more information on managing risks associated with third-party vendors.

Cybersecurity Program Implementation

The TMA Ransomware and Cyber Security Resource Center offers cybersecurity articles, education resources, consulting services, and endorsed vendor information. Contact the TMA's Health Information Technology Department at 800-880-5720, or send an email to HIT@texmed.org for more information. Also, for a quick run-down of cybersecurity best practices, review the HCMS Identity Theft and Cyberattack Protections resource. As implementing a cybersecurity program is often beyond the technical expertise of a practice, consider consulting with an IT expert to assist in safeguarding your systems and implementing a security program. HITRUST has vetted External Assessors that organizations of any size can depend on to assess performance and compliance with security control requirements and, when needed, help develop corrective action plans. 

Cybersecurity and Business Interruption Insurance

Cyber insurance policies offer protection against losses resulting from a cyberattack. Some general property insurance policies may include business interruption coverage that may include a cyberattack as a covered peril. Assess any current cyber liability coverage to determine if it meets your current needs. If no such coverage exists, consider obtaining business interruption insurance and/or a cyber liability insurance policy. Make sure coverage is available for a breach occurring outside of the practice such as at a clearinghouse or other third-party vendor. Review the FTC Cyber Insurance guide to ensure the policy has the necessary coverage.  

• TMLT Cyber Liability
• Department of Homeland Security - Homeland Security discusses the importance of insurance coverage for Cybersecurity across all sectors, including Healthcare .
• HCMS Buyers Guide - Additional information on attorneys and law firms that can assist physicians with questions regarding Cybersecurity.
• Five Tips For Purchasing The Right Cyber Insurance Policy

Other resources to assist in establishing a cybersecurity program:

• HHS Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
• National Coordinator for Critical Infrastructure Security and Resilience (CISA): 
  • Ransomware Guide
  • Cyber Essentials
  • Free Cybersecurity Services and Tools
• What to Do When Your Business Associate Suffers a Ransomware Attack
• Medical Economics - 10 Best Practices for Preventing Cyberattacks 
• HHS Office for Civil Rights (OCR) Cyber Security Guidance Materials
• ONC Security Risk Assessment Videos - Information on what a risk assessment may involve
• ONC Top 10 Myths of Security Risk Analysis
• Texas Medical Liability Trust (TMLT) - Offers solo and small group practices and medium to large practices low cost tool kits and help conducting the security and risk analysis.
• ONC SAFER Guides - Recommendations on what practices need to do to achieve safe and effective electronic health record (EHR) implementation and use. The recommendations should be considered proactive risk assessments that aim to mitigate and minimize EHR-related safety hazards. Includes recommended practices as well as examples.

Visit our HCMS HIPAA, HITECH, and the Texas Privacy Law page for more information on the Texas Privacy Law.