Daily reports of yet another healthcare provider falling victim to a breach or security incident are now the norm. The trend seems to be getting worse, not better.
Disturbingly, a recent report from CHIME and KLAS showed that smaller providers are less likely to adhere to cybersecurity programs.
Meanwhile, just 72 percent of healthcare organizations conform with HIPAA, while an average of just 47 percent adhered to NIST security controls.
So, if providers aren’t conforming to the minimum requirements, how can they expect to keep pace with the ever-evolving, sophisticated threat landscape? Even if you are one of the few organizations that have implemented HIPAA and NIST controls, that is merely a starting point for your cybersecurity measures. These standards will not keep you safe. They are merely frameworks. Compliance is not protection. Stopping at compliance is frequently more about limiting culpability with regulators than about protecting the practice. There is a very big difference. Managing regulatory culpability may reduce your OCR fine, but if a breach takes down your practice, that does not really matter.
The bad guys know this. That is why 71% of ransomware attacks are targeted at small businesses. Ransomware is just one of many attacks the physician practice must deal with.
No organization, let alone a small practice, has enough resources to fully eliminate risk. Eliminating risk is impossible – run from any vendor that tells you otherwise. The goal is to take a rational approach to where controls are applied and to be prepared to recover from a breach once it happens.
Choose a low-risk, low-cost provider that is focused on healthcare and has already baked in typical physician practice threat maps, HIPAA compliance and related healthcare frameworks.