Matt Brennan, CPC, RCC: The Role of Compliance in Cyber Security


Matt Brennan, CPC, RCC
SR Director of Compliance
April 30, 2024

Compliance may not be the most compelling subject within radiology practices, but when you append cyber security to it, ears perk up. Health care has a target on its back right now, and compliance can help you keep cyber thieves out of your data, says Matt Brennan, CPC, RCC, Strategic Radiology director of compliance, president of Precision Health Management, and Practice Administrator of member group Southeast Radiology.

"The reality is that there is a lot of identity theft going on across the country, and health care records are especially lucrative in the cyber world," reports Mr. Brennan. "I've read that the value of a medical record is upwards of $60 per person, so the dark web thieves are feasting on any health care data they can get."

Brennan points to the proliferation of disparate IT systems in individual health care organizations—including radiology practices—as one underlying vulnerability for health care entities. "Some of that technology does not have the necessary safeguards in place to prevent hacking," he notes. "Because data thieves continue to have success in these endeavors—stealing information relatively easily and selling it on the dark web—it has become a vicious cycle." 

Exploiting Vulnerabilities

A practice's vulnerability depends on how it is configured; just because a radiology group is entirely hospital-based and behind the hospital firewall does not render it totally exempt from exposure. "Almost all radiology groups deploy home reading stations and that is one vulnerability if they are not secured properly," says Mr. Brennan. An unencrypted laptop stolen from a car is also a potential vulnerability if the computer is not appropriately password protected, giving a data thief a pathway into a PACS or RIS system.

Billing companies also are targets; the recent hack of Change Healthcare has underscored how an attack on a business associate can expose a radiology practice to collateral damage. "Billing companies are being tested on a regular basis," notes Mr. Brennan. "I was talking to a billing company in the Midwest and they told me that they observed a hacker trying to get into their system. Their security methods were effective and ultimately the hacker did not get in, but they witnessed it as it happened."

Practices that have freestanding imaging centers and a PACS and RIS that they manage have even more vulnerabilities, and one of the major ones is staying current with software patches. "Does your RIS and PACS have all of the necessary patches?" Mr. Brennan questions. It is not just clinical systems that can expose your organization to a hack; it is any software that enables an employee to access information on the internet.

"One vulnerability exposed recently was a delayed Citrix patch implementation, leading to a cyber-attack for one large health care system," notes Mr. Brennan. "There's a whole host of software that is used to access information and medical records and if that software is not patched appropriately, that's a vulnerability that cyber thieves can expose and exploit."

Compliance Can Reduce Risk

In general, corporate compliance is an umbrella for many different topics, including training and education for staff members and physicians on compliance and cybersecurity topics, policies and procedures that mitigate risk and create standards for an organization, and numerous HIPAA topics integrated into the mix.

Policies and procedures are essential to mitigate the risk that practices are facing on a daily basis:

Password management. How often are passwords updated, and what components are required for a password (upper- and lower-case letters, numbers, special characters)?

Multi-factor authentication. Have you implemented multi-factor authentication to access clinical systems? "That is becoming a standard," he notes. "Microsoft has an authenticator, and there are other systems like Duo, Okta and others, that will ping your phone with a code, and you have to authenticate to prove that you are the one logging into the system."

Education. How will you educate staff about the vulnerabilities associated with cyber events? "Many Strategic Radiology groups use companies like Healthcare Compliance Pros and KnowBe4 to raise the level of awareness for all of the employees in the organization," he reports. "These software tools are designed to educate and raise the level of awareness about the many cyber security risks so that employees and physicians are less likely to click on the wrong link when working or otherwise set up a vector for a cyber thief to penetrate an organization."

Phishing tests. Some SR groups are periodically sending phishing emails to employees to see if they can get employees to click on a link, Mr. Brennan reports. "They are doing that to see who is more prone to click on these phishing emails and who is not," he says. "Ultimately, you are trying to mitigate risk."

At the SR practice level, Mr. Brennan is compiling an inventory of SR groups to see who has policies and procedures in place, who is using compliance software, and how individual practices are protecting themselves from cyber-attacks.

Cyber Risk Housekeeping

Mr. Brennan recommends that radiology practices undergo a formal Security Risk Assessment (SRA). "Many groups complete the SRA internally," explains Mr. Brennan. "For SR groups that use HCP, there is a module built into the software so that you can do an SRA online. You log in and a wizard walks you through the questions. If you don't use HCP, the Office of Civil Rights (OCR) has a module that is free and also works well. The bottom line is that any SRA tool will walk you through all of the questions and then give you your performance at the end. The key is not necessarily shooting for a perfect score but is to evaluate your organization's IT footprint and to better understand the vulnerabilities that your group has so that you can take steps to remedy those gaps."

Topics reviewed include how a practice's data files are stored, password management and configuration, tools in place for data backup, disaster recovery plans, general physical safeguards for PHI, and how a practice handles electronic PHI (ePHI) when submitting data outside the organization. The review encompasses all outward-facing systems in an attempt to evaluate risk areas, and the score is based on which areas are sufficiently insulated and what the weak points are.

"There are all sorts of cyber-security elements, and the SRA is an excellent tool," recommends Mr. Brennan. "Groups are encouraged to do an SRA annually. We are trying to find out which groups within SR haven't done an SRA yet because those groups may be more vulnerable to a cyber incident than a group with more robust IT processes that does an SRA regularly."

As Director of Compliance for SR, Mr. Brennan regularly shares relevant articles about cyber issues and compliance-related matters, "especially if there is information about what triggered a cyber incident," he says. "What I've tried to do is raise the level of awareness among compliance leaders in SR. Hopefully, SR members can learn from other people's mistakes, whether it was a patch that was not installed or an employee clicking on a phishing email that enabled a thief to gain access to their IT infrastructure.

"The cyber security world is a dangerous one right now," he concludes.
