Shahid Shah is the CEO of Netspective, which specializes in technology and software engineering services for regulated markets like healthcare, government and medical technology.We spoke with Shah awhile back about the tools Netspective offers to healthcare companies. More recently we asked for his insight on the security needs of medical practices today and how they should be managing their IT assets. Here’s what he had to say:
How have the security needs of medical practices evolved since you started your business?
“Physician practices of all sizes – small, medium and large – are becoming far more responsible for information technology (IT) integration than they’ve ever been,” Shah said.
He elaborated that while everyone is talking about Electronic Health Records (EHR) right now, physicians are responsible for managing a much broader IT infrastructure. Not only their desktop computers, but also servers, routers, firewalls, switches, printers and fax machines and all the software contained within those devices plus revenue cycle management software, practice management software, e-prescribing software, lab software, etc.
“Their IT responsibilities have easily doubled and tripled in a very short period of time,” Shah said. “And in a very short period of time that will double and triple again.”
Considering the rapid growth, it’s critical that these practices be very cognizant that each time they add a new user, new device, or new piece of software that their responsibility for mitigating data breaches and their responsibility for sharing information and collaborating, grows. Physicians need to be well informed about the risks associated with each new IT asset and they should hire someone to help assess those risks and document them.
“The Office of Civil Rights (OCR) is increasing the number of audits they do on both larger institutions and smaller providers. It’s called the OCR Phase 2 Audit Program and will affect all covered entities regardless of their size,” Shah said.
He explained that larger institutions are more likely to have professional security and risk personnel, but smaller practices rarely have professional security and often don’t even have professional IT people which means they have bigger and mostly hidden risks.
And in the past 10 to 15 years, the number of pieces of hardware and software these practices are responsible for has grown “mind-boggingly quickly.”
How should practices be managing their IT assets to improve security and reduce risk?
Shah offered four main areas that practices should focus on:
1. Make sure you have a good law firm that handles your cyber security, privacy and policy work. Many people don’t have a law firm, but if they do, the law firm needs enough understanding of HIPAA related risks and the problems they might have with breaches.
2. Ensure you have extended coverage from malpractice to include cyber security coverage as well. Sometimes malpractice includes cyber security, but most of the time it does not. If you’re not sure, ask your malpractice insurer and request a rider be added.
3. Make sure that you have a professional group of people who are taking responsibility for information assurance as well as helping to manage local assets (IT hardware and software) that are in your environment. You can hire a company like Netspective to come in and inventory your IT infrastructure and evaluate your risk. “If you don’t have a basic inventory or catalog, and you get audited, you’ll get hammered,” Shah said. If you have basic documentation and you’re audited you’ll be in much better shape.
4. Make sure all your tools associated with cyber security are up to date, including external firewalls and internal network boundaries – (virtual LANs), make sure you have proper role definition for every individual using the network, and use network monitoring tools to understand how your network is being used normally so you can keep an eye out for potential breeches. This is typically difficult for practices to do on their own, which means you’ll need to get some help.
What are the most common security gaps you find in medical practices today?
First, practices don’t understand their current risks because they don’t catalog the equipment and software they have, Shah said.
“If you had a house, and you didn’t know how many doors and windows there are, then how do you know if all the doors and windows are locked?” Shah posited. Just being aware of each piece of equipment and the security risks it poses, takes care of a big swathe of problems.
For example, every practice will have printer, scanner and a fax machine. Every time you scan or fax something, Protected Health Information (PHI) could have data sitting on that particular piece of hardware. For a small practice, say with one physician, one admin and one nurse there will be many pieces of equipment and there are risks associated with each item. As the number of physicians and staff grows, the amount of equipment and software sometimes grows exponentially, not necessary linearly. And the holes could be anywhere – including with your suppliers.
He offered the infamous Target security breech as an example:
Target was not breached because the computers holding the credit card information are what got attacked first. Target was breached through one of their vendors: an HVAC and refrigeration supplier. The HVAC vendor that ended up being the entryway for the Target breach is the equivalent of a HIPAA “business associate” for a covered entity like a physician practice. Your practice, even if it’s perfectly secure, can become insecure because of holes in software or networks run by your business associates.
Second — watching what data is going in and out of your network. For instance, making sure that nobody is emailing PHI over unencrypted channels.
Lastly, is regular assessment and monitoring through regular “penetration testing” of your network.
In the long term, it’s important to recognize that your IT environment is always changing, so continuous monitoring and assessment is key to preventing breeches.
“Say they brought in a locksmith and he changed the locks, but it turns out that one of the locks was broken two days after the locksmith came, now you have new problem that you didn’t have before,” Shah said.
He continued by saying it is difficult for small practices to manage this ongoing assessment. But they can hire a professional like Netspective for as little as $200 or $300 a month who can continuously monitor your assets.
“Risk is rarely reduced over time,” Shah said. “Not only is it hard to secure your environment today, but it’s going to be harder tomorrow.”
How should medical practices be addressing patient concerns about the security of their health records – especially with the growth of patient portals?
Practices should have a well-branded FAQ or data sheet that says how you protect patient data, Shah said. When patients ask how you protect their data, you’d give them a glossy information sheet to give them comfort.
In there you would talk about all the things outlined above – how you work with a reputable law firm and have a cyber security team that comes in and tests your environment, and, in case something does happen, you have cyber insurance that would help get patients coverage for identity protection.
“If you can’t create an FAQ or document that describes how you protect your patients’ data, then you don’t really know how and are at really at risk,” Shah said.
How often should practices assess the security of their digital assets?
“You should get an initial assessment ASAP,” Shah said. “Then you want continuous monitoring followed by, at most, quarterly assessments.”
Hiring an outside auditor to come in can help ensure that you’re doing the right things from a security standpoint and that you have paperwork to prove you’re doing the right things in the event you’re audited.
One important consideration for physicians is that they are not only responsible for their own assets, but also those of every partner they work with in their ecosystem – so for instance, the lab they work with or the practice management company that helps with their billing. So it’s important that they be monitoring their business associates as well.
Shah compares this idea to the owner of a single family home being responsible for solely his family and property in the event of a fire, while those in an apartment building have responsibility to other tenants to ensure they don’t burn the building down.
Do you have any final pieces of advice for medical practices as it relates to improving security?
“Just figure out what you have, just start there,” Shah said. “Because your problem is you don’t know how big of a risk you have, because you don’t even know what equipment you have.” Just knowing where you stand, he said, is half the battle. If you’re not sure where to begin, give him a call or drop him an email.
Compare plans and pricing from PracticeSuite.com.
Last Updated on November 2, 2016