Dear BC Advantage Readers,
Wow and wow! PAHCOM has been engaged in the HHS cybersecurity workgroups for several years. While we have supported the development of resources and met countless times on Zoom, nothing can hold a candle to the recent face-to-face three-day workshop in DC with headliners, HHS Deputy Secretary Andrea Palm and OCR Director Melanie Fontes Rainer.
This event solidified the seriousness of cybersecurity support and commitment from the highest levels of government and industry leadership. Read on and I'll elaborate on why this is so important, not only for the healthcare sector in general, but especially for smaller physician practices.
Karen
Cyberthreats are a risk to your practice, but that's not even the worst of it. When we look at the spectrum of possibilities and consider our cost-benefit analysis for making cybersecurity a priority, most of us recognize that "if" your practice gets hacked, then your patient data could be breached. The result is that you could lose patients and/or be fined. In the darkest of scenarios, most of us see closing our own doors as the lowest of lows we could possibly face. But that's missing the big picture. Additionally, if you are targeted and end up losing everything you worked for, that's not even the worst of it. Our scale of what could possibly go wrong if we don't manage our business properly has changed. Now, it's bigger than us, bigger than your practice, and bigger than our community.
Technology: Friend or Foe?
Most of us have a love-hate relationship with the technology devices we use daily. But for the most part, especially where the internet is concerned, it's a huge game-changing benefit. Think email, shopping, music streaming, and Netflix. And in healthcare, sharing patient data quickly and accurately saves lives. At my last mammogram, they were able to view the images in real time and realize they needed to reshoot one of them and did so within minutes. That might seem normal to some, but it wasn't that long ago when a patient had to come back in for another image or the radiologist just had to work with subpar information, and sometimes make subpar assumptions—not good when it's your health!
Technology has been a godsend for advancement in healthcare. But as with all things, there is a Yin to the Yang. Being connected provides cyber criminals (often called bad actors) an opportunity to access a more difficult target through an easier one. A solo provider practice with no office manager might not consider themselves a target for cyber criminals. They don't have much to extract for ransom, and there's very little patient data to exploit. But that tiny practice is a gateway to larger business targets with much deeper pockets.
According to a recent AMA study, over 50% of the physicians actively practicing medicine belong to a small practice of 10 or fewer providers. That number is down from over 60% a few years ago, but still comprises a massive number of small practices operating independently and likely without an IT department, never mind a dedicated cybersecurity resource. To be fair, many have an "IT Guy" who keeps the internet up and user accounts functioning. But they can only do so much. Even in a large hospital, the end user (the person physically clicking on the keyboard) has new responsibilities around cyber awareness. Healthcare leadership must ensure that each employee is trained to recognize a cyberthreat and knows what to do about it. Large practice groups and hospitals often have IT and Training departments continually ramping up defenses. Many smaller practices are still trying to make sure they are complying with federal laws and at least have a HIPAA Security Officer assigned. Healthcare is a highly regulated and high revenue industry. Private practices are being pulled in all directions, and it's not getting any easier. Quality training is critical!
Big Gun 1: HHS Picks Up the Tab on Training
The entire U.S. healthcare sector is at risk, together, all of us. HHS has stepped up and made addressing this a priority. PAHCOM, PH-ISAC, and CommHIT leadership serve on several HHS workgroups ensuring the small practice voice is well represented in the development of resource materials and outreach programs. You can find many of the free training and guidance resources on the main HHS 405(d) site (https://405d.hhs.gov/). PAHCOM also shares 405(d) information and created a weekly implementation plan designed to help solo providers and managers get their programs started right away (https://my.pahcom.com/405d).
More support is being developed to reinforce the seriousness of cyberthreats to our sector and gain attention from the provider community. A video series is being filmed at the time of writing. It is directed at clinicians and features a superstar MD. Stay tuned for the big official announcement!
Big Gun 2: DOL Picks Up the Tab on Certification
HHS isn't the only government agency in the game. The USDOL has recently allocated funding that can be applied to HIT training and certification. Through our partners at CommHIT, PAHCOM is actively registering practice managers and staff for the program. Participants receive the online HITCM-PP course and the certification exam at no cost to them. This is available through March 2023. The course is self-paced but expect it to take up to five hours to complete. Once the course is completed, the three-hour certification exam can be scheduled. Health Information Technology is an exploding field, and we can't get our people up to speed fast enough. Right now, both training and certification are available to smart and eager people who recognize the opportunity and want to make a positive difference within healthcare. Find more information and register to be a part of the solution on the PAHCOM CommHIT site (https://my.pahcom.com/commhit).
The HHS and DOL programs are in response to the fast-growing need for technology-savvy healthcare staff and leadership. We must shore up our cyber defenses to protect our patients and our careers.
There's a lot of noise out there and too much going on to give your attention to even half of it. We get that. But cybersecurity, information technology, how it helps, and the risks associated with it, all of that is critical for the future of our sector.
Reach out to learn more about how your staff can receive free training and help your practice stand strong against cyberthreats. If you're a physician practice owner, get your leadership certified in HIT for management of physician practices. If you're the manager, get certified. Through a temporary grant, training is free for participants and so is the HITCM-PP certification exam.
One more thing: Please share this information with your colleagues, in user groups, society luncheons, association meetings, etc. We are all inundated with information, and we often miss the important things. Help others see this. It matters-for all of us!
Karen Blanchette, MBA, is the Executive Director for PAHCOM, serves on multiple HHS task groups specific to cybersecurity and is an Ambassador for HHS 405(d). In 2011, Karen led PAHCOM through the inception of an HIT credential specific to managers of solo provider and small group physician practices. Cybersecurity is in domain 4 of that certification.
Learn more about the HITCM-PP (
my.pahcom.com/hit). Register for free training/certification (my.pahcom.com/commhit). See Karen's full biography (my.pahcom.com/biokaren).
Karen Blanchette, MBA, is the Executive Director for PAHCOM and serves on multiple HHS task groups specific to Cybersecurity and is an Ambassador for HHS 405(d).
In 2011, Karen led PAHCOM through the inception of an HIT credential specific to managers of solo provider and small group physician practices. Cybersecurity is in domain 4 of that certification.
https://my.pahcom.com/hit
