Small health care organizations tend to have limited resources for managing their cybersecurity practices, but they are no less subject to cyberattacks. Indeed, the five threats identified in the Main Document can be very disruptive to small organizations. For example, if a small provider practice loses a laptop with unencrypted personal health information (PHI), a publicized breach could result. Such a breach could have consequences for both the provider’s patients and the practice’s reputation.
Technical Volume 1 provides health care cybersecurity practices for small health care organizations. For the purpose of this volume, small organizations generally do not have dedicated information technology (IT) and security staff dedicated to implementing cybersecurity practices due to limited resources. Personnel may consequently have limited awareness of the severity of cyber threats to patients and to the organization, and thus awareness of the importance of cybersecurity.
The primary mission of small healthcare organizations is to provide health care to their patients in the most cost-effective way. Cost-effectiveness enables small organizations to sustain operations, maintain financial viability, justify future investments such as grants and, in the case of for-profit organizations, generate an acceptable profit. Conducting day-to-day business usually involves the electronic sharing of clinical and financial information with patients, providers, vendors, and other players to manage the practice and maintain business operations. For example, small organizations transmit financial information to submit invoices and insurance claims paid by Medicare, Medicaid, Health Maintenance Organizations (HMOs), and credit card companies.
In general, small organizations perform the following functions:
- Clinical care, which includes but is not limited to sharing information for clinical care, transitioning care (both social and clinical), electronic or “e-prescribing,” communicating with patients through direct secure messaging, and operating diagnostic equipment connected to a computer network, such as ultrasound and pictures archiving and communication systems (PACS).
- Provider practice management, which includes patient access and registration, patient accounting, patient scheduling systems, claims management, and bill processing.
- Business operations, which include accounts payable, supply chain, human resources, IT, staff education, protecting patient information, and business continuity or disaster recovery.
Just as health care professionals must wash their hands before caring for patients, health care organizations must practice good cyber hygiene in today’s digital world by including cybersecurity as an everyday, universal precaution. Like hand washing, cyber awareness does not have to be complicated or expensive. In fact, simple cybersecurity practices, such as always logging off a computer when finished working, are very effective at protecting information that is sensitive and private.
This volume takes into consideration recommendations made by divisions of the U.S. Department of Health & Human Services (HHS) including, but not limited to, the Office for Civil Rights (OCR), the Food and Drug Administration (FDA), the Office of the Assistant Secretary for Preparedness and Response (ASPR), the Office of the Chief Information Officer (OCIO), the Centers for Medicare and Medicaid Services (CMS), and the Office of the National Coordinator for Health Information Technology (ONC), as well as guidelines and leading practices from the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS).
Small health care organizations must comply with multiple legal and regulatory guidelines and requirements. They often ensure compliance by creating an internal infrastructure of personnel and procedures to govern the transmission of sensitive data as needed internally and with authorized external resources. For example, organizations may be subject to directives from:
- Electronic health records (EHR) interoperability guidelines
- Medicare Access and the Children’s Health Insurance Program (CHIP) Reauthorization Act of 2015 (MACRA)/Meaningful Use
- Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology Economic and Clinical Health Act (HITECH)
- Payment Card Industry Data Security Standard (PCI-DSS)
- Substance Abuse and Mental Health Services Administration (SAMHSA)
- The Stark Law as it relates to using the services of an affiliated organization
Many small practices and health care organizations use third-party IT support and cloud service providers to maintain operations that leverage current technologies. Given the complicated nature of IT and cybersecurity, these third-party IT organizations can be helpful in identifying, assessing, and implementing cybersecurity practices. Your IT support providers should be capable of reviewing the practices in this publication to determine which are most applicable to your organization.
The practices in this volume are tailored to small organizations, but such organizations may also benefit from selected practices in Technical Volume 2, which focuses on medium and large organizations and is included with this publication. Small organizations may benefit from the cybersecurity practices in both volumes.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article