Building a scalable cybersecurity program for physicians

© RoBird - stock.adobe.com

Today private practice tends to follow one of two paths: joining a hospital or health system-owned medical group or partnering with a physician practice management group (PPMG).

Physicians often choose a PPMG because they want to retain some ownership and autonomy, while some are drawn to the added resources, access to new treatments and technology, and higher level of coordinated care in a hospital or health system-owned medical group. Regardless of a physician's chosen model, they will document, communicate, and manage much of their practice in multiple technology platforms. Keeping patient data secure and protecting care delivery—often dependent on access to these systems—is critical to the success of the practice and the larger organization.

A fast-growing base of physicians poses unique challenges to integrating technologies, processes, policies, and operating procedures. Hospital-owned medical groups typically leverage the operational model the hospital has already adopted on their behalf, but physicians in a PPMG sometimes retain ownership; it’s not unusual for them to have the autonomy to purchase whatever third-party IT equipment or software they need or prefer to support care delivery. Protecting patient data across sprawling platforms, hardware, and applications can be incredibly difficult.

One PPMG CISO told us recently, “We had to solve how you manage cyber risk for 3,300 providers across eight states and counting—in a shared risk framework.”

Building scalable cyber risk management programs

Establishing and building HIPAA compliance and protecting systems and data is critical,regardless of the ownership structure. Establishing standards for administrative, technical, and physical safeguards across the larger medical group is a must.

A comprehensive cyber risk management program makes this easier, offering each entity – whether affiliated or wholly owned – a package of policies, procedures, and best practices they can implement. Our customer’s CISO gives physicians a jumpstart on cybersecurity and compliance while protecting the larger entity. Among the components of his program are:

Risk analysis and risk response

Each new provider and practice is added to the organization’s risk analysis program, ensuring risks at the system level are identified across the organization. We have worked with our PPMG customer to simplify the rigorous risk analysis and response process by leveraging software that incorporates AI/ML capabilities and allows for an entity hierarchy that cascades elements of the risk analysis to “child” entities for a holistic risk posture view across the organization.

Vendor risk management

Over 55% of healthcare organizations have suffered a third-party breach in the last 12 months. Vetting the security and privacy practices of every vendor a physician practice is working with (or failure to do so) can have an incredible impact on the organization’s operations, finances, reputation, and cybersecurity and compliance.

Business continuity and disaster recovery planning

Medical groups should also understand their most critical business processes and associated resources to ensure operational resilience during and after a disruptive event. A business impact analysis (BIA) is key to uncovering these components and helps inform disaster recovery and business continuity plans.

Technical testing

Building a cybersecurity strategy is insufficient; an organization must test its defenses and security awareness throughout its affiliated practices. Technical testing such as vulnerability assessments, penetration testing, and simulated phishing attacks ensure physician group leaders know where there are gaps or vulnerabilities and can take action to mitigate them. It only takes one employee clicking a malicious email link to put the entire physician group and all associated locations at risk.

Work with an expert

Hospital, health system, and medical group cybersecurity leaders often share how difficult it is to stay on top of the emerging threat landscape, keep controls and remediation efforts current, monitor endpoints, and manage the associated alerts in addition to their other leadership responsibilities. While adding headcount may seem obvious, it’s not always feasible, given the cybersecurity talent shortage and high burnout rate.

The CISO in our case says having a partner is essential to scaling their managed services model to physicians. “We initially began a conversation about software, but it quickly evolved to a more holistic approach.”

They leverage a complete managed services program that includes the above components and program leadership, workforce training, policies and procedures, and on-demand access to additional cybersecurity/privacy experts.

Organizations without a Security Operations Center (SOC) might also consider managed security services for 24x7 threat hunting and incident response, endpoint detection, and firewall management. A mature SOC also acts as a workforce multiplier, leveraging orchestration and automation to conduct security operations tasks.

Regardless of the physician practice ownership model, clearly understanding and managing cybersecurity and compliance risks while navigating the increased complexities of a growing provider base is simply too challenging to do alone. With a partner, medical group leaders are better equipped to reduce risk and ensure HIPAA and other compliance needs are successfully managed within the organizational framework.

Anthony Martinez is Clearwater’s vice president of consulting services, he has more than 20 years of experience serving the healthcare public and private sector and 15+ years consulting in a technology, security, and executive capacity.