Written by HITRUST Independent Security Journalist Sean Martin.
Cybersecurity. To a small practice, this sounds worse than a root canal, worse than getting your shots, worse than painful physical therapy after an operation. Yet compliance with security policies and best practices is important for maintaining a healthy doctor’s office that can focus on patient care — while remaining in compliance with all necessary government regulations, such as those required to avoid unwanted disclosure of patient privacy and health information. HITRUST has developed a program specifically for smaller practices to help them create the necessary secure technology environment, and demonstrate full compliance to the necessary external organizations and regulators.
The program is called HITRUST CSFBASICs — no, that’s not a typo, it means “CSF Basic Assurance and Simple [as opposed to complex] Institutional Cybersecurity.” CSFBASICs helps smaller, relatively low-risk organizations successfully adopt a cybersecurity and third-party assurance program. The program went through an initial pilot with a small physician practice in early 2016 and is planned to roll out across the United States in 3Q17.
One early adopter of CSFBASICs is Dr. J. Stefan Walker of Corpus Christi Medical Associates (CCMA), a small five-physician primary care practice in Corpus Christi, Texas. With only 3.5 full-time equivalent staff, CCMA’s focus is keeping up with patients — not only information technology, explains Dr. Walker. “We just don’t have the employees to get there. I don’t see how a small practice could comply with HIPAA, OSHA, HIT — or even, for example, the new regulation for LEP (Limited English Proficiency). I don’t know of too many practices that are fully complying.”
The regulatory framework for small practices can lead them to shut their doors – or, if they remain open and unprotected, be liable for huge fines or lawsuits, Dr. Walker continues. It may be easier to simply go out of practice and join forces with others, but there’s a cost – everyone loses the autonomy of the doctor/patient relationship. A larger healthcare provider may have strict rules that aren’t in the best interests of doctors or patients: “The patient is thought of as a consumer rather than a patient and the doctor viewed as a customer service representative,” he said.
Compliance with those security and privacy policies and regulations – that’s where HITRUST CSFBASICs helps, explains Dr. Walker. The program addresses increasing threats to small practices and provides for the adequate protection of patient information by offering compliance with the letter and intent of the HIPAA security and privacy rules, while offering reasonable consideration for flexibility of approach. It delivers a reasonable level of assurance at a reasonable cost, and addresses internal and external stakeholder requirements, as well as federal and state compliance requirements.
What does the program look like? First, there’s a simplified set of control requirements to address HIPAA compliance and “good security hygiene.” Second, there’s a simplified assessment approach based on a three-point maturity model (evaluating policies, processes/procedures, and implementation of each requirement) and a three-point scoring model (to show where the practice is fully compliant, partially compliant, or non-compliant with each level of the maturity model). CSFBASICs also addresses periodic monitoring of the practice’s cybersecurity and information protection program to help ensure it continues to operate effectively.
The goal is simplicity. Unlike larger healthcare organizations, small practices like Corpus Christi Medical Associates can’t devote significant staff time to managing cybersecurity and compliance with privacy and security regulations – and can’t afford to hire consultants to manage these programs on an ongoing basis. Thus, the streamlined approach offered by CSFBASICs helps these smaller organizations make the best decisions possible to provide reasonable assurance and reasonable security at a reasonable cost.
The target demographic for CSFBASICs is small, low-risk organizations: Small entities are defined by the U.S. Small Business Administration. They may be fully independent, such as a business entity (e.g., a physician practice) that is owned by one or more individuals. Or a hybrid business entity (e.g., a physician practice) that is partially or wholly owned by another business entity (e.g., a hospital). Or dependent – a business entity (e.g., a physician practice) that is wholly owned by another, larger business entity (e.g., a hospital); employees of the dependent business entity may or may not be employees of the larger entity.
Dr. Walker explains that many practices simply can’t keep up with the complexity of compliance and cybersecurity without help. So what do they do? “Some doctors wave their hands and ignore the problem, but it’s unethical to ignore the problem because you are essentially treating patient privacy with neglect.” By contrast, other practices “make minimal effort to make some attempt to do something” about cybersecurity, he continues, “but you are not trained in IT, you are a doctor. You don’t have the resources to keep up with threats and technology advances.”
A third type of physician practice, Dr. Walker describes, “expends a lot of effort but still misses the mark. The scale of the program is that you could have professional hackers in China or Russia that are way more advanced than you are. It won’t fly in court to say that you tried, and not have proof that you worked to meet a set of compliance standards.”
That’s why Dr. Walker embraces CSFBASICs. “You can’t entirely get rid of the threat of a breach, because nobody can — but you will be able to prove you are doing your best effort, validated against industry standards. You’ll have the peace of mind to know that the chances of a breach have decreased, and if you do wind up in court, you can testify, in all honestly, ‘We applied the industry standards.’”
Don’t struggle to figure out cybersecurity and HIPAA compliance on your own. The HITRUST prescription is CSFBASICs, developed based on recommendations from NIST, the Small Business Administration, and small practice owners. It’s just what the doctor ordered.
Sean Martin is a HITRUST Independent Security Journalist