Confront cybersecurity threats in nephrology practice
Key takeaways:
- A cyberattack can disrupt care, expose sensitive patient data and erode trust.
- HHS released voluntary cybersecurity performance goals for health care organizations.
- Practices should approach security proactively.
It seems that cyber threats are all around us. The recent breach experienced by Change Healthcare certainly highlighted our vulnerability in nephrology practice.
Many nephrologists and dialysis providers were financially, clinically and operationally impacted for weeks or months when services provided by the health care tech vendor were interrupted. Our nephrology practices care for patients from initial diagnosis of kidney disease through death, making the stakes exceptionally high. If our systems are compromised, it can mean more than just downtime; it can disrupt the care continuum, expose sensitive patient data and erode the trust we work so hard to build.
Protect sensitive data
Nephrology practices handle highly sensitive data, from lab results, medications and treatment plans to financial and other demographic information. Reliance on electronic health records to manage these data has improved efficiency but also created new points of exposure. Cybercriminals have become increasingly sophisticated and often target health care providers precisely because of the sensitive information we hold. Small and mid-sized practices, like many nephrology groups, are particularly at risk because they often lack the cybersecurity resources and dedicated staff of larger health systems.
The regulatory landscape in health care has evolved over the years. Since 2005, the HIPAA security rule has required health care practices to perform security risk assessments to identify and mitigate vulnerabilities. While these assessments are critical for patient safety and compliance, they can also be costly and time-consuming, adding to the operational burden for nephrology practices. The financial, operational and expertise challenges associated with meeting cybersecurity requirements continue to mount as reliance on complex and ever-changing technology increases.
In January 2024, HHS released new voluntary cybersecurity performance goals for health care organizations. These goals are designed to safeguard patient health information and are categorized by the agency as either essential or enhanced. The essential goals, such as multi-factor authentication, data encryption and basic incident preparedness, give all of us practical steps to boost resilience, no matter the size of our organization. The enhanced goals, such as network segmentation and centralized incident planning, tend to be within reach mainly for larger, better-resourced organizations.
Take a proactive approach to security
Right now, these goals are voluntary, but let’s be realistic: They could become the standard down the road. That is why it is important for our practices to take a proactive approach, making strides wherever we can. Even if we are not able to achieve every goal immediately, taking steps now can put us ahead when these goals eventually become the standard.
To tackle cybersecurity risks head-on, here are a few steps nephrology practices should consider:
- Strengthen access controls by adding multi-factor authentication, starting with email, remote access and EHR logins. Requiring a second factor means a stolen or phished password alone is no longer enough to get in, which is exactly how many breaches begin.
- Keep up with routine staff training so that everyone on your team can spot suspicious emails, phishing attempts and other cyberthreats, and knows how to report them quickly. With the right training, your staff becomes your first line of defense.
- Stay on top of system maintenance by regularly updating software and applying security patches. This closes known vulnerabilities that attackers actively look for and keeps your systems running smoothly.
- Create a cybersecurity response plan, and rehearse it, so that if a breach ever happens you are ready to act quickly. The plan should cover how the practice keeps caring for patients and getting paid when a critical system or vendor is unavailable, a lesson many of us learned during the Change Healthcare outage. Having a tested plan in place can make all the difference when it comes to protecting your data and minimizing disruption.
Costs of ignoring security
The cost of ignoring cybersecurity, or just not taking it seriously enough, is steep. It is not just our practices at risk; our patients and health care partners are affected, too. As we become more integrated and share data across health systems, a cyber breach has the potential to reach well beyond our individual walls. A compromise at one practice can spread through the connections and data exchanges we maintain with other health care entities and their EHR systems, which ultimately puts patient safety on the line and adds more strain to providers.
For nephrology practices, a lack of attention to cybersecurity is not just risky; it is costly. We are talking about substantial HIPAA fines, not to mention the impact on the integrity of our shared medical records. A data breach can lead to financial loss, damage our reputation and shake the trust patients have in us. The consequences far outweigh the investment needed to prevent cybersecurity incidents in the first place.
HIPAA privacy and security rules give us the foundation for protecting patient data, but in my experience, effective cybersecurity goes beyond just checking a compliance box. Taking steps like regular staff training and keeping systems updated is not only about avoiding fines; it is about honoring the trust our patients place in us. I have seen firsthand how data breaches can disrupt patient care, and it is unsettling. Patients want assurance that their personal information is safe, and by committing to these practices, we show them that their trust is as valuable to us as their health.
For more information:
Jennifer Huneycutt, CPA, CMPE, is executive director of Metrolina Nephrology Associates, PA in Charlotte, North Carolina, and a Healio | Nephrology News & Issues Editorial Advisory Board member. She can be reached at jhuneycutt@metrolinanephrology.com.