Cybersecurity is a hot topic right now, thanks to several recent ransomware attacks. The issue is increasingly serious for healthcare, which is particularly vulnerable to attacks due to the high value of medical information, the slow adoption of security practices and the lack of resources to implement security, according to the Report on Improving Cybersecurity in the Health Care Industry, released in June by the Health Care Industry Cybersecurity Task Force.
Most organizations are managing their cybersecurity needs at least partially in-house, according to the July 17 MGMA Stat poll. The largest share of respondents (47%) say they are using a mix of in-house and outsourced resources to manage their cybersecurity, while 31% are managing their security entirely in-house. Only 21% of respondents said that they entirely outsourced their cybersecurity needs.
One of the reasons many cited for using a mix of in-house and outsourced resources is that their internal staff does not have the capability to do everything. One respondent said, “In-house does not have the depth of staff to manage all security issues,” so they contracted with outside vendors for monitoring support.
A primary role that outside vendors play is performing audits and vulnerability testing. “We use [an] outside vendor to audit access and evaluate systems to keep us aware of vulnerabilities,” replied another respondent.
MGMA Government Affairs recommends conducting a HIPAA Security Risk Assessment as well as regular penetration tests, which are often performed by third-party vendors to test the security of “everything from your firewalls and networks to the servers driving your websites and patient portals.”
For larger organizations, security is more likely to be managed entirely in-house. Many respondents whose organizations manage all cybersecurity needs in-house said they were part of a hospital system or other large organization.
Regardless of how your organization manages security, it is more important than ever to make sure you are doing all you can. “There is one thing we can be sure of – there will be more attacks, and medical professionals must be vigilant to ensure that patient data is secure,” says Robert M. Tennant, MA, director, Health Information Technology Policy, MGMA Government Affairs. “Providers cannot afford to simply hope they will not be attacked. It is most likely not a matter of if, but a matter of when and where another attack will occur.”