Cybersecurity and Risk Assessments

    What is Cybersecurity?

    Cybersecurity is the protection of data and systems in networks that connect to the Internet. Physicians and practices should consider the following to protect themselves against unauthorized access to their data and systems:

    1. Use strong passwords and change them regularly
    2. Install anti-virus software
    3. Train employees in key areas – acceptable use, password policies, defenses against social engineering, and avoiding phishing attacks
    4. Create security policies and make sure all employees commit to them
    5. Encrypt all records and confidential data to be more secure from cyber attack
    6. Perform frequent backups and keep a copy of recent backup data off premises
    7. Defend your network behind your firewall – and make sure you can block rogue access
    8. Deal with the bring-your-own-device dilemma by standardizing security protocols
    9. Control access to PHI
    10. Control access to devices

    Another option is to hire a company to do the above for you. HealthITSecurity.com reviewed some of the top healthcare cybersecurity companies.


    How to implement a cybersecurity program?

    What is Ransomware?

    Ransomware is a form of malware that encrypts files on a computer so the user can no longer access their data. A decryption key is required to unlock the files. That key is held by the attackers and is released only when a ransom is paid.

    If you have cybersecurity questions, call TMA's Health Information Technology Department at (800) 880-5720, or send an email to HIT@texmed.org.

    How to report a cyber incident to the Federal Government?

    HHS defines a computer security incident as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.” If you suspect an information security or privacy-related incident, contact your OPDIV Chief Information Security Officer or the HHS Computer Security Incident Response Center (CSIRC). The HHS CSIRC can be reached at csirc@hhs.gov or 866-646-7514.


    What is a Risk Assessment?

    A risk assessment involves identifying the information assets that could be affected by a cyber attack (hardware, systems, laptops, customer data, intellectual property, and so on), and then identifying the risks that could affect each of those assets.

    How to conduct a Risk Assessment?

    The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk. 

    • ONC Security Risk Assessment Tool - The Office of the National Coordinator for Health Information Technology (ONC) developed a downloadable SRA Tool to help guide you through the process of a security risk assessment.
    • Risk Assessment Vendors - A listing of cybersecurity risk assessment vendors put together by HCMS.
    • HIMSS Security and Risk Analysis Tool Kit - A 10-step plan for conducting a security and risk analysis for your practice.
    • ONC Security and Risk Analysis Tool Kit - A step-by-step guide to conducting a security and risk analysis for your practice.
    • Gulf Coast Regional Extension Center - Will help physicians conduct a security and risk analysis and create a corrective action plan.
    • Texas Medical Liability Trust (TMLT) - Offers solo and small group practices low-cost tool kits and help conducting the security and risk analysis.
    • ONC SAFER Guides - Recommendations on what practices need to do to achieve safe and effective electronic health record (EHR) implementation and use. The recommendations should be considered proactive risk assessments that aim to mitigate and minimize EHR-related safety hazards. Includes recommended practices as well as examples.


    For more information on HIPAA and the HITECH Act, visit www.hcms.org/Practice-Resources/Compliance/HIPAA/


    Insurance and Liabilities

    One of the greatest threats to physician practices is the increasing number of stolen laptops and other electronic devices, each of which can cause a security breach for the entire organization. In addition, limited access to hospital portals and EHRs can lead to password sharing among employees, which creates a greater risk of PHI being compromised on the practice end and also puts the hospital at risk of a security breach.

    • TMLT Cyber Liability
    • Department of Homeland Security - Homeland Security discusses the importance of cybersecurity insurance coverage across all sectors, including healthcare.
    • HCMS Buyers Guide - Additional information on attorneys and law firms that can assist physicians with questions regarding cybersecurity.
    • Top ten tips for companies wanting to purchase cybersecurity insurance coverage

    Created by HCMS | Revised May 2018