Eyeworld

DEC 2021

EyeWorld is the official news magazine of the American Society of Cataract & Refractive Surgery.

Issue link: https://digital.eyeworld.org/i/1422338


96 | EYEWORLD | DECEMBER 2021

PRACTICE MANAGEMENT

A path to cybersecurity

by Brendan Gallagher

About the author: Brendan Gallagher, Information Systems Specialist, Medical Consulting Group, Springfield, Missouri

In the cybersecurity landscape, the only constant is change. There are new attacks and breaches every single day. How can a practice begin to keep up with ransomware, phishing attacks, vendor breaches, bad actors, and the regulatory environment? It feels like an overwhelming problem with no relief in sight, and it's enough to make many practices throw up their hands and leave their fortune to fate.

It doesn't have to be this way. Taking an incremental, stepwise, practical approach, you can make a difference in cybersecurity posture and help protect your practice and maintain compliance. They say Rome wasn't built in a day, and neither is cybersecurity. But how do you start and where to begin? You need a plan.

There are many frameworks available to help facilitate cybersecurity plans and so much advice and material online that it can result in analysis paralysis. A good place to start is with a standardized, well-supported framework to give you a map and what to do along the way. The National Institute of Science and Technology Cybersecurity Framework (NIST CSF) is a well-recognized framework that has been adopted not only here in the U.S. but by countries all over the world. It's good for security posture and provides a framework that identifies key areas that apply not only to healthcare but all businesses.

Earlier this year, HR 7898 amended the HITECH Act. How does that affect a healthcare practice? By implementing the NIST CSF for at least 12 months, it provides a safe harbor to potentially reduce HIPAA fines and the duration of audits.

The NIST CSF has five core main functions: Identify, Protect, Detect, Respond, and Recover. The NIST CSF breaks down each of the core functions into categories and subcategories to provide focused objectives. This is not an all or nothing framework. Taking a one-step-at-a-time approach, it's easier to implement and can be customized to meet the needs of the practice.

Identify

This step involves taking inventory of the organizational assets, which include personnel, systems, software, processes, and risk profile. While that sounds like a lot, much of the data required is available from sources that are probably already available. For instance, a physical inventory of computers or identifying the software utilized are common in many management software systems. Human resources and accounting can provide data regarding personnel and vendors.

This is also the step where risk priorities are established. As the saying goes, fish where the fish are. The same goes in assessing risk. Phishing is by far the most common method of entry for cybersecurity breaches. Identifying phishing as a higher risk affects the strategy of the organization and what protections are put in place. Be aware of what the biggest risks are and focus efforts on those risks.

Identifying systems outside the practice walls is also something to consider in this step. Websites and other external portals can affect patients' personal devices and practice reputation if breached or compromised.

Protect

Protection is where many organizations focus their efforts. This includes the "techie stuff" of user management, training, and data security and protection. Most practices have software and hardware protections in place such as security software, hardware devices such as firewalls, and implement data encryption and backups of critical data. While technical

continued on page 98
