Written by HITRUST Independent Security Journalist Sean Martin.
Not all medical practices have the staff and resources to implement first-rate cybersecurity. In many clinics, you’ll find a few doctors, a few nurses, some administrators. Someone knows how to reboot the router and change printer toner cartridges. To that practice’s managers, cybersecurity is a much, much lower priority than, say, ensuring that there are enough doses of flu shots and keeping up with pediatric asthma cases. Yet it’s critical to protect patients’ medical records, keep the practice safe from cyberattack, and protect the flow of critical healthcare information. The answer: HITRUST CyberAid, a new initiative that can provide small practices (with 75 or fewer staff) with technology and services for cybersecurity protection.
CyberAid consists of a packaged solution that includes hardware, software, installation assistance, 24×7 monitoring services, training and support. HITRUST has partnered with Trend Micro for the technology; together, HITRUST and Trend Micro have kept the price low, to between $25 and $60 per user (that is, clinic staff), per year, for a complete package.
HITRUST CyberAid was announced in August 2016, with one provider partner, Children’s Health, the leading pediatric healthcare system in North Texas. At launch, the program covered 80 physician practices, each with between 2 and 15 physicians.
Where will CyberAid go from here – and will this initiative deliver cybersecurity to many of the country’s small practices? We talked to Pamela Arora, Senior Vice President and Chief Information Officer of Children’s Health, based in Dallas, Tex., who is spearheading the program at her hospital, and championed it at HITRUST, where she serves on the Board of Directors.
Ms. Arora explained that physician practices of 75 employees or fewer represent 40% of the provider healthcare market. From a cybersecurity perspective, the role of major supporting hospitals, like Children’s Health, “is to create a safe environment for patients’ medical information as it flows across the continuum of care.” In some cases, she explained, practices store patients’ electronic medical records (EMR) on Children’s computers.
The hosting of small-practice EMR by hospitals can be subsidized, she said, but “when it comes to cybersecurity, the practice’s hardware/services, we are not able to subsidize that today. It’s up to the physician’s office to decide how much to invest in their hardware, network services and security monitoring.” That’s why, Ms. Arora said, “Our strategy has shaped our goal to work with HITRUST to help protect that small practice. Because if it’s not safe, information will not flow across the continuum of care.”
Ms. Arora is convinced that CyberAid is poised for success because, for the first time, it brings together all the necessary elements to protect small medical offices with up-to-date cybersecurity. To make CyberAid work, she said, there were three requirements, all of which were met:
- A solid technical solution, created by HITRUST and Trend Micro, that is integrated and scales for smaller practices.
- Financial resources, such as those which currently allow hospitals like Children’s to subside the implementation of EMR for small practices. While Children’s is not legally able to subsidize cybersecurity, she is hopeful that legislative efforts will make that possible.
- Resolve to implement a solution by all parties, especially the smaller practices, in order to protect the medical practice and its patients, and also to allow the flow of information between practices and supporting hospitals for patient care, tracking health trends, and research.
“All of these came together with HITRUST CyberAid,” she said, “and we were eager to participate. The solution scales for small organizations to help them consume, act on, and share cyberthreat information.”
How is the program going? “Great,” said Ms. Arora. “For the offices that have already been deployed, they are resting easier at night. Physicians want to focus on care delivery. Cybersecurity is a worrisome area, but there wasn’t a clear option for them, other than worrying.” She added that with CyberAid, “It’s like the ‘neighborhood watch’ – going from nothing to cybersecurity complete with 24/7 monitoring. Feedback from providers is that they are happy with it and those who are queued up next are very excited.”
Ms. Arora’s advice to other HITRUST members who would like to promote CyberAid in their local areas: “HITRUST and Trend Micro are providing an affordable solution. If a HITRUST member finds a practice that’s interested, point them to HITRUST and to Trend Micro.”