Medicare Compliance & Reimbursement

As of Oct. 2022, CISA has received the most ransomware complaints — more than 25 percent of the total — from the healthcare sector, out of 16 critical infrastructure sectors the agency monitors, the advisory adds.

Consider This Advice on Incident Response Management

Depending on the size and scope of your organization, you may bristle at allocating funds for HIPAA compliance. Statistics show that data security is an area that your practice may want to invest in, since “security incidents will almost inevitably occur during the lifetime of a regulated entity,” OCR reminds.

There are real and existential costs to contend with, however — particularly for smaller organizations, explains Adam Kehler, director of RSP Healthcare Services at Online Business Systems. “Small practices are at a distinct disadvantage when it comes to procuring IT and cybersecurity services. This is especially true in rural areas,” Kehler cautions. “Often they will hire the only local IT shop or an independent person that someone at the practice knows.”

He adds, “I’ve seen practices where the doctor’s spouse, sibling, or niece/nephew becomes the de facto IT person. The challenge is that just because someone can configure a firewall, doesn’t make them knowledgeable in information security and compliance.”

Cybersecurity on its own is a very diverse and nuanced field. The business of securing health data with the overlap of the various constraints, safety concerns, and regulations adds another layer of complexity and necessitates expertise in the field, suggests Jen Stone, MCIS, CISSP, CISA, QSA, principal security analyst, with Security Metrics in Orem, Utah. “Many people believe their IT people are cybersecurity professionals.”

Stone continues, “This critical misunderstanding happens in practices of all sizes, whether they have on-site staff or outsource their technology needs. While some IT groups do know and implement security, that isn’t their primary function.”

OCR offers insight on starting the process of creating a security incident response team. Here are four items to consider, according to the Cybersecurity Newsletter:

1. Staff the team with subject-matter experts. Whether you use in-house employees or hire an IT vendor, make sure your security incident response team knows the Rules and the requirements. Your structure should “use a centralized or distributed model, staff[ed] with full-time employees or partially outsource[d],” OCR says. And “ensure team members have appropriate expertise — organizational and technical.”

2. Make communicating incidents a priority. Your team must establish “relationships and lines of communication between the security incident response team and other groups (both internal and external),” OCR advises.

3. Determine auxiliary staff that need notification after a data security incident occurs. Your team needs to identify “points of contact at external groups that may be helpful to include in the event of an incident (e.g., network service providers, software and hardware vendors, local and federal law enforcement, incident handling teams of business partners and customers),” OCR warns.

4. Formulate a checklist of what the team’s objectives are. Your design plan should determine “what services the security incident response team should provide (e.g., intrusion detection, advisory distribution, education and awareness, information sharing),” OCR says.

Reminder: Similar to managing your organization’s issues after your annual risk analysis, a security incident response team’s job is ongoing and evolves depending on threats and incidents. Your team needs to stay on top of testing for potential threats, training staff, updating and employing software, and more.

Resources: Check out the Cybersecurity Newsletter at www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-october-2022/index.html and review the joint advisory at www.cisa.gov/uscert/ncas/alerts/ aa22-294a.