But you already knew that.
You may be a private practice clinician thinking to yourself that you have already seen and heard, numerous times, that healthcare information can be worth up to 50 times more to criminals than other kinds of data. You have probably also learned that the old belief that getting hacked is a rare occurrence involving fringe elements no longer applies. In fact, with the June 20 memo from Secretary Burwell, it is now official: the healthcare industry has formally recognized cyber crime for what it is, a sophisticated and professionally run criminal enterprise that is growing rapidly and shows no sign of being brought under control. We view the memo from Secretary Burwell as timely and prudent. But frankly, it has been a good long time since "we're too small/we're not on anyone's radar/nobody knows about us" justifications have sufficed. So, what are you supposed to do now?
“we’re too small/we’re not on anyone’s radar/nobody knows about us” justifications no longer suffice
The cognitive dissonance of being aware of the risk, yet not acting on that knowledge, may already have motivated you to implement information security solutions on your own. Perhaps you quickly got bogged down in technical jargon and were sticker-shocked by costly solutions that seemed overly complex for your practice. Add to that the enduring pressures of growing your business, controlling costs, and keeping up with training and staffing, all demanding your attention, and you eventually lost momentum and went back to what you are good at: patient care and running your business. Does this sound familiar?
You are not alone.
We of course applaud the memo from Secretary Burwell, especially those of us who work side-by-side with private practice clinicians who are diligently striving to protect the confidentiality and security of their patients' protected health information. If you would gladly do what is required, if only you knew what to do, you are not alone. Every day, we are inspired by clinicians who are diligently implementing cost-effective, best-of-breed solutions and best-practice policies and procedures that successfully address their ransomware risks. Here is what we are seeing clinicians do that gets them results.
Work with a partner.
If you already had the operational budget to staff your own IT, you would have done it by now. And with the shortage of information security skill sets and advanced healthcare compliance experience, now would not be the best time to start. Instead, find an experienced partner to help you. Generally, the more experienced and skilled partners will engage with you in clear terms and discuss both the business and technical aspects of your practice. Someone local who can meet with you onsite in your clinic can be a good option. Talk to three candidates. If you walk away from all of those initial conversations with your head swimming in tech talk, just imagine trying to get to the bottom of a thorny issue that may come up later. Keep looking until you find a partner who can demonstrate clear thinking and direct, straightforward communication of how they will help you identify, prioritize, and address your ransomware vulnerabilities.
Process. Then solutions.
Be as open and curious in your selection process as you usually are, but do take note if early discussions tilt heavily toward solutions. You may ask: if the prospective partner is very strong technically and eager to cover the many details of their solutions, why should you be concerned? The reason is not that solutions are unnecessary. It is that a prospective partner who is strong in technology may still be on the learning curve regarding process. As you have already realized, ransomware is a well-known issue now, so beware of product and service vendors eager to sell their solutions, who may be focusing a bit more on their sales volume than on tailoring their approach to the details that make your practice unique.
the hard-earned secret to delivering enduring value is well thought-out process
Experienced professionals with a track record of success tend to know that the hard-earned secret to delivering enduring value is well thought-out process for implementation, maintenance, and continuous improvement. Solutions come and go. Process lives on, and ushers in right-sized, prioritized solutions at the appropriate time.
Security Risk Assessment and Management Plan. Update annually.
As all clinicians know, the federal law governing covered entities (hint: it's five capital letters and rhymes with the last name of the host of ABC's Live with Kelly) mandates that they complete a Security Risk Assessment on a periodic basis, which industry experts generally interpret as annually. As it turns out, it is not just a good idea for compliance; it is an excellent starting point for ransomware cyber-risk planning as well. If you have been performing your Security Risk Assessment in-house just to check the box, start working with a partner. In fact, you may want to ask your prospective partner for their viewpoint on the importance of, and approach to, the Security Risk Assessment. If, given a fair chance (or maybe even more than one), the prospective partner is unable to describe the significance of the Security Risk Assessment and the resulting Management Plan in terms of right-sizing and prioritizing solution options, you may want to thank them for coming in and explain that you regret you must leave to attend to an urgent business issue (spending your time wisely, that is).
Plan the Work. Work the Plan.
Although at times we have a love/hate relationship with Governance and Risk professionals, because it can feel like they are always poking holes in our work, let us remember the bottom line: they are trusted, wise, and have excellent insights. We recommend that you take their advice. Internal Audit, External Audit, the Audit Committee, and examiners at the state and federal levels all seem to agree. As counter-intuitive as it may seem, a record of steady progress on implementing improvements from a list prioritized on a combined analysis of the likelihood of threats and their impact is not viewed as an admission of guilt or incompetence, but rather the opposite: as the hallmark of a serious organization that has developed a strong posture to address its ransomware cybersecurity risks.
Steady and sustained focus will see you through.
Over the coming weeks and months you may see numerous discussions of ransomware and all the who, what, where, and whys. Read it all. As much as you can stand, anyway. Then, once you have developed a base of knowledge:
- Start working with a partner. Take some time. Find a good one.
- Update your Security Risk Assessment. Update your Management Plan. Discipline yourself to complete this step first. Plan the work; your future self will thank you later.
- Work the plan. Deliver the top prioritized item. Then go back to the plan for the next one. Resist the temptation to over-commit. Remain focused and commit to steady progress.
With help from a partner, combined with your own steady focus, you may surprise yourself with how satisfied you feel after making significant improvements to your ransomware risk level at an affordable cost, not to mention the increased confidence that comes from having your very own coherent and controlled ransomware risk program, tailored just for your practice.