Healthy security practices for small provider groups: 9 steps to boost your cybersecurity hygiene

Heather Donohue: ©TriZetto Provider Solutions

Cybersecurity is a constant and costly challenge for industries across the board. Health care faces additional risks, and in fact, spends more than any other industry recovering from cyberattacks that continue to increase in frequency year-over-year. By our calculations of raw data from U.S. HHS for Civil Rights, between 2022 and 2023 the number of entities impacted by ransomware attacks grew by 250%.

In 2023 alone, the average cost of a breach ballooned more than 50% to nearly $11 million annually. Data breaches are problematic for all health care organizations, particularly small provider practices who may not have the resources to spend recovering from one.

Small provider practices face unique challenges when it comes to cybersecurity. They often have less staff and budget to deploy additional security measures. Staff are doing their day-to-day work plus implementing new software and protocols, if they have the knowledge to work on the security measures at all. The good news is that your organization can take steps to mitigate risk and proactively keep your data safe.

The industry has changed irrevocably

Multiple large-scale data breaches in the past year have changed the way the industry does business. Small provider practices were hit particularly hard by these changes because they slowed down and even stopped cash flow. Additionally, practices had to employ additional staff to process claims manually and conduct eligibility checks.

The disruption in payment processes posed significant challenges to their ability to continue providing essential health care services to patients. Although many practices are at least partially back up and running, the landscape is still treacherous.

Sashi Padarthy: ©TriZetto Provider Solutions

It's safe to say security is paramount for everyone now and moving forward.

9 steps every small provider practice can take to boost their cybersecurity practices

Health care businesses should be proactive. There are several cost-effective ways provider practices can strengthen their cybersecurity without breaking the bank.

Use encryption when possible

Encryption protects data by converting it into code so unauthorized users can’t access the information. Common places encryption is used are email, patient health information (PHI), personally identifiable information (PII), and other internal health-related reports. Using encryption where possible keeps your data safe.

Have robust firewall and anti-malware software in place

Firewall technology monitors and protects ingoing and outgoing data, deciding whether to allow information in and out of the network. Anti-malware software scans your network looking for “malicious software” or malware. Like firewalls, this software is meant to prevent, find and remove malware threats on your network. Both pieces are critical to keeping your network free from threats you may not even realize are present.

Perform system software and practice management system updates

While it can create process changes or feel like it’s not a big deal, every practice needs to regularly maintain operating system software and practice management system updates. This keeps your system agile for users, meaning less system errors, downtime and most importantly, more usable for patient care. These updates also include security changes, so keeping up with them will help you maintain a secure system.

Implement user access management

The days of having one login for everyone to share are over. Each individual using a system needs their own login, and the list of employees who can access each software or program needs to be regularly maintained. Individuals who no longer have access should be removed, and those who have different permissions should be noted.

Require Multifactor Authentication (MFA)

MFA has become a standard security practice. It involves requiring additional verification, such as a work email or phone number, to securely access sensitive information. Most health care applications such as EHR, practice management systems and others now offer MFA as a security feature. Although it may take a few extra seconds to log in, MFA significantly enhances data security, ultimately saving time and money by preventing potential breaches.

Administer regular security training to educate employees

Not everyone is aware of how to use security protocols, which is understandable since it’s not the highlight of most jobs. Increasing security is non-negotiable, which only works effectively if employees understand what’s happening and how to do their job within the new security parameters. Annual security training, and spot training if new functionality occurs, will empower your employees to do their part in protecting the company data.

Manage vendors and vendor access

Sometimes data leaks or information loss aren’t happening within your system but from a vendor’s. As you increase your own cyber security, make sure that you’re doing your research and asking questions of your vendors. What are their security practices? Are they in line with what your business needs? Be particular, as these vendors greatly impact the way you do business.

Develop a backup and recovery plan

Creating a comprehensive backup and recovery plan is essential to minimize the impact of potential data loss or system failures. Regularly back up critical data and store it securely off-site or in the cloud. Test your backup and recovery processes periodically to ensure they function as expected. Consider implementing a disaster recovery solution that enables you to quickly restore systems and data in the event of a major incident.

Conduct tabletop exercises

Tabletop exercises are simulated scenarios that help organizations assess their cybersecurity preparedness and identify areas for improvement. These exercises involve key stakeholders discussing their roles and responsibilities during a hypothetical cybersecurity incident. By conducting regular tabletop exercises, small provider practices can better understand their vulnerabilities, refine their incident response plans and improve communication and coordination among team members.

The world of cybersecurity is growing more complex, and that’s something small provider practices must face. Not all is lost. You can use these practices to start updating your security in the coming weeks. There’s never a bad time to add more security.

Heather Donohue is the chief operating officer at TriZetto Provider Solutions. Sashi Padarthy is the strategy and growth leader, healthcare business, at TriZetto Provider Solutions.