Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information, extorting money from users via ransomware, or interrupting normal business processes. As the use of technologies such as EMRs, Internet-connected medical devices, and health data sharing applications increases throughout the healthcare industry, so do the associated cyber risks. The direct and indirect costs of a breach can be devastating. Healthcare industry data breaches and cyberattacks are on the rise, costing the industry millions of dollars and placing physician practices at risk. HIPAA requires practices to safeguard protected health information against such attacks, and failure to take the necessary precautions can result in fines and prosecution in the event of a breach. Being able to demonstrate that you have taken every reasonable precaution will go a long way toward mitigating any fines, lawsuits, or prosecution.
Third-party breaches also pose a risk to the practice. A breach of a third party's platform, such as a clearinghouse or cloud-based EMR, not only disrupts practice operations; the practice may also bear responsibility for the breach (for example, for notifying affected patients) even though the incident occurred at the vendor. Many contracts used by cloud solution providers and EHR vendors include provisions that assign the customer a shared responsibility for the security of the data being stored, and most of these contracts will try to limit the vendor's liability for both service outages and breach incidents. Review all third-party vendor contracts for these provisions and negotiate with the vendor to remove or narrow such stipulations. Any contract should also be reviewed by legal counsel to identify other provisions that may be detrimental to the practice. Review the HITRUST Ultimate Solution to Managing Third-Party Cyber Risks resource for more information on managing risks associated with third-party vendors.
Cybersecurity Program Implementation
The TMA Ransomware and Cyber Security Resource Center offers cybersecurity articles, education resources, consulting services, and endorsed vendor information. Contact the TMA's Health Information Technology Department at 800-880-5720, or send an email to HIT@texmed.org for more information. Also, for a quick run-down of cybersecurity best practices, review the HCMS Identity Theft and Cyberattack Protections resource. As implementing a cybersecurity program is often beyond the technical expertise of a practice, consider consulting with an IT expert to assist in safeguarding your systems and implementing a security program.
HITRUST has vetted External Assessors that organizations of any size can depend on to assess performance and compliance with security control requirements and, when needed, help develop corrective action plans.
Cybersecurity and Business Interruption Insurance
Cyber insurance policies offer protection against losses resulting from a cyberattack. Some general property insurance policies include business interruption coverage that treats a cyberattack as a covered peril, but this is not guaranteed. Assess any current cyber liability coverage to determine whether it meets your current needs. If no such coverage exists, consider obtaining business interruption insurance and/or a cyber liability insurance policy. Make sure coverage extends to a breach occurring outside of the practice, such as at a clearinghouse or other third-party vendor. Review the FTC Cyber Insurance guide to ensure the policy has the necessary coverage.
Other resources to assist in establishing a cybersecurity program:
Visit our HCMS HIPAA, HITECH, and the Texas Privacy Law page for more information on the Texas Privacy Law.