Technical Volume 1: Cybersecurity Practices for Small Healthcare Organizations
Introduction
Healthcare providers are being attacked by malicious actors, some from inside their own organizations
and others from around the globe. While news reports may insinuate larger providers are targeted
more frequently, the data suggests smaller ambulatory practices are also targeted and can suffer greater
proportional damages. The rationale is that smaller providers are generally less prepared to detect,
respond, and recover from cyber-attacks.
Indeed, the five threats identified in the Main Document can be very disruptive to small organizations. For
example, if a small provider practice loses a laptop with unencrypted Protected Health Information (PHI),
a publicized breach could result in consequences for the provider’s patients and the practice’s reputation.
Technical Volume 1 outlines healthcare cybersecurity best practices for small healthcare organizations.
For this volume, small organizations are those that generally do not have information technology (IT) and
security staff dedicated to implementing cybersecurity practices. Consequently, personnel may have
limited awareness of the severity of cyber threats to patients and to your organization, and thus may not
recognize the importance of cybersecurity or how to address it.
Many small healthcare organizations provide direct healthcare services to their patients in ambulatory
environments. These environments have less overhead and, because of this, are often more
cost-effective than large acute facilities. Cost-effectiveness enables small healthcare organizations to sustain
operations, maintain financial viability, justify future investments (e.g., grants) and, in the case of
for-profit organizations, generate an acceptable profit. Conducting day-to-day business usually involves the
electronic sharing of clinical and financial information. This is done internally within the small healthcare
organization and its physicians and externally with patients, providers, and vendors that have a role
in managing your organization and maintaining business operations. For example, small healthcare
organizations transmit financial information to submit invoices and insurance claims paid by Medicare,
Medicaid, Health Maintenance Organizations (HMOs), and commercial insurance companies.
In general, small organizations perform the following functions:
• Clinical care, which includes but is not limited to sharing information for clinical care, transitioning
care (both social and clinical), electronic prescribing or “e-prescribing,” communicating with
patients through direct secure messaging, services provided through telehealth, and operating
diagnostic equipment connected to a computer network (e.g., ultrasound and picture archiving and
communication systems (PACS)).
• Provider practice management, which includes patient access and registration, patient accounting,
patient scheduling systems, claims management, and bill processing.
• Business operations, which include accounts payable, supply chain, human resources, IT, staff
education, protecting patient information, and business continuity/disaster recovery.
If you would like to confirm your status as a small healthcare organization, refer to the HICP Main
Document, Table 1.
Just as healthcare professionals must wash their hands before caring for patients, healthcare
organizations must practice good cyber hygiene by including cybersecurity as an everyday, universal
precaution. Like hand washing, cyber awareness does not have to be complicated or expensive. In fact,
simple cybersecurity practices, such as always logging off a computer when finished working, are very
effective at protecting sensitive information.