Every Doctor Must Implement a Cyber Risk Management Program
Most doctors run small businesses of less than 100 employees and typically their IT infrastructure consists of one network supporting one office. Nonetheless, a small medical office or medical group with multiple offices must still implement a cyber risk management program in order to comply with various state and federal laws, along with the doctors’ ethical obligations, regarding protection of the practice and its patients’ nonpublic personal medical information.
For example, as probably every doctor already knows, they must comply with the HIPAA Privacy Rule and the HIPAA Security Rule. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the Privacy Rule by addressing the technical and non-technical safeguards that medical offices, as covered entities, must put in place to secure individuals’ electronic protected health information (e-PHI).
See https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
Minimum Activities
Since HIPAA rules and regulations have been in effect for many years, most medical offices have developed policies and procedures that meet minimum compliance standards. However, a medical office should go beyond compliance and implement a cyber risk management program as a business process that includes regular employee training, vendor management, penetration tests and vulnerability assessments. By doing so, the medical office would ensure that it is not only in compliance with HIPAA, but that it is also adequately managing cyber risk with appropriate resources. At a minimum, a medical office should have quarterly and annual reviews of its cyber risk management program, and require all employees to receive cyber risk training. In addition, it is imperative that a medical office perform an annual cyber risk self-assessment along with penetration tests and vulnerability assessments. If it has been more than three years since a third party conducted an assessment of the medical office's cyber risk management program, then the medical office should hire a consultant to conduct an independent assessment to establish a baseline and remediation plan to improve the practice's cyber risk management posture.
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.
Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
Cyber Risk Analysis and Management
The Administrative Safeguards provisions in the Security Rule require medical offices to perform risk analysis as part of their security management processes.
A risk analysis process includes, but is not limited to, the following activities:
- Evaluate the likelihood and impact of potential risks to e-PHI;
- Implement appropriate security measures to address the risks identified in the risk analysis;
- Document the chosen security measures and, where required, the rationale for adopting those measures; and
- Maintain continuous, reasonable, and appropriate security protections.
Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.
How the Cyberlaw.io Cybersecurity Risk Management Self-Assessment Kit Can Help You Comply
The Cyberlaw.io Cybersecurity Risk Management Self-Assessment Kit contains a primer covering the basics of cybersecurity risk management for the small medical office or medical group – everything from performing a self-assessment of your practice’s cybersecurity posture, to identifying threats and vulnerabilities, to implementing your own cybersecurity risk management program manual, to managing the program and improving it on a routine schedule as a new and essential business process.
You can implement a cyber risk management program using the Cyberlaw.io Kit forms and third-party self-assessment tools.
Use the Forms and Tools to
- Learn about implementing your practice’s cybersecurity risk management program, maintaining cybersecurity resiliency, and performing a self-assessment of your practice’s cybersecurity posture
- Create your own cybersecurity risk management program manual, including policies, procedures, checklists, notices to employees, letters to vendors and more!
- Perform an essential self-assessment of your practice’s cybersecurity posture
Types of Forms
Acceptable Use Policy
Action Plan
Compliance Checklist
Cyber Risk Management Program:
- Privacy and Data Protection
- Fraud
- Securing Networks
- Protecting Online Activity
- Mobile Devices
- Employee Protocols
- Securing Facilities
- Securing Operations
- Debit and Credit Cards
- Responding to Incidents
- Policy Management and Development
- Written Information Security Program
- Glossary of Cybersecurity Terms
Data Security and Privacy Disciplinary Policy
Data Storage Policy
Data Transmission Policy
Electronic Devices Inventory
Email Policy
Employee Acknowledgment
Employee Disciplinary Records
Employee Termination Policy
Minimum Access Policy
Mobile Device Security Policy
Network Security Policy
Password Security Policy
Remote Access Policy
Social Media Policy
Vendor Confidentiality Agreement
Workstation Security Policy
Click Here to Purchase the Cyberlaw.io Cybersecurity Risk Management Self-Assessment Kit