No Excuses | We have FREE Cybersecurity Resources!

HHS 405(d) provides significant free resources and guidance designed to help you protect your business and your patients

by Karen Blanchette

Dear Readers,

I would usually save the bio until the end, but I feel the context is helpful as you read this article. Bear with me for a few sentences and we’ll move on to the good stuff.

I think my initial passion for technology began when I was a Navy Officer in the 1990s. I was fortunate enough to be assigned as the CIO over a large group, and that was life-changing for me. Later I married a White Hat, ethical hacker, cybersecurity architect. Suddenly, cybersecurity was in my life, lock, stock, and barrel. Attending technology, cybersecurity, and hacker conferences like DEFCON and Black Hat pumped us up and motivated us to launch the HITCM-PP certification. It is focused on what solo and small group physicians and their practice managers need to know, not on what the tech guy needs to know. That is what this article is about: small practice management. Small practices have few resources and face serious threats, and HHS is stepping up with excellent support.

If you think cyber-awareness isn’t your problem, you are wrong. Your job is at risk, as are the jobs of anyone on any network you are accessing. Your patients are at risk. And no, neither the EHR company nor the hospital is handling it for you. In almost every case, even your hired tech guy isn’t handling it for you. Not because they are negligent, but because they are not you, and YOU are the one clicking on the keyboard.

I will tell you about actions you can take right away, for free, and with little effort on your part or your staff’s part. Links referenced here will be provided at the end of the article. Obligatory disclaimer: I am not an attorney, I don’t play one on TV, and this is not to be considered legal or business advice. What it is intended to do is show you that you don’t need to back-burner cyber-awareness for your practice due to complexity, cost, or lack of personnel resources.

Let’s get to it!


Everyone who logs into any device at the practice needs to be cyber-aware!

The first barrier we see is that clinicians, and even office managers, think this is an IT issue and out of their wheelhouse. “Not my job. Somebody else is handling it, right?” I have good news and bad news. The bad news first. Your practice staff, and physicians, are ALL links in the cyber-risk chain. If you want to keep your practice profitable, it IS your job. All of you!

The IT guy, if you have one, might be the person you direct questions to. But every user on a network must be aware of basic threats and know what to do when they see one. The weakest-link concept applies, and each user is a link. The tech guy cannot do your job for you, and if your job requires you to be logged onto any computer at all, then you need to be aware of the threats. Yes, that means new responsibilities for everyone, and we know that our plates are already overflowing. To be clear, the IT guy IS going to have a chunk of responsibility as well, but there are responsibilities that land squarely on every end user: you, your staff, the nurse, everyone with a login.

Now the good news. You and your rock’n team can do this. HHS and industry partners have been working tirelessly to develop free and consumable tools for you. I am going to show you how to get started with an actionable plan that will take the least amount of time for you and your team (no FTE, only 1 hour/week).


Introducing 405(d)

The big dogs are now motivated, more than ever before, to reach solo and small group practices. Everyone on the network is a potential weak link, and entire systems can be compromised by an attack that starts at a solo provider practice. Small practices are easy targets and a path to larger ransom opportunities. Solo and small groups usually do not have an IT budget (if they do, it’s tiny). They are generally untrained and do not recognize the threats. That’s why I strongly implore you to read the rest of this article and use some of the free resources we introduce.

Directly quoted from the 405(d) website:

As a result of the Cybersecurity Act of 2015, the U.S. Department of Health and Human Services brought together over 150 cyber-experts, clinicians, and healthcare administrators to develop the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients publication. The 405(d) Program and Task Group is a collaborative effort between industry and the federal government, which aims to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the healthcare sector.

For context, I am an HHS 405(d) Ambassador. I also serve on multiple HHS work groups where solo and small group practice resources are being created. My focus is on delivering support that solo and small group practices can actually use to make a difference. And yes, that means with no budget and no time. It is a tall order, but we are making progress. There is a 4-minute big-picture video outline of 405(d) worth watching. It is included in our suggested Week 1 Plan. More on that later.


Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients

HICP (pronounced hiccup) is short for that entire title, including the MTPP part. When you first open HICP, it can look like a lot of information. Don’t worry, we will help you break it down and find just the need-to-know portions for the smallest practices in America.

There are three HICP documents:

-        The Main Document

-        Technical Volume 1

-        Technical Volume 2

As a small practice, you can disregard one of these documents right away. Technical Volume 2 (T2) is designed for larger organizations and intended to be used by technical professionals (not clinicians, physician practice owners, nor office managers). T2 is literally for the tech-guy (or rep from a large tech company) working with senior level executives at larger groups and hospitals. No need for small practices to spend a single minute worrying about T2. And just like that, boom, one down, two to go.

There are segments of the Main Document (MD) and Technical Volume 1 (T1) that you and members of your practice will need to become familiar with, and we break it down by role for you. The HICP Quick Start Guide for small practices helps you identify what those segments are. Again, don’t spend time searching for the parts you need to know. We’ve already done that for you. The Quick Start Guide is a 2-sided flyer that breaks down the documents, and the specific pages within them, by role. Physician practice owners and medical office managers need to be familiar with pages 5-10 and 28 in the Main Document, and pages 3 and 4 in Technical Volume 1. Using these free resources to break it down saves a lot of time AND makes sure you focus on the portions most critical for your practice.


How Do You Eat an Elephant?

Of course we all know the answer is “One bite at a time”. But how many of us apply that rule in our day-to-day lives? Don’t try to do it all at once. We are in a marathon, not a sprint. But it does pay to get started now.

HICP identifies 5 of the most common and current threats:

  1. E-mail phishing

  2. Ransomware

  3. Loss or theft of equipment or data

  4. Insider, accidental or intentional data loss

  5. Attacks against connected medical devices that may affect patient safety

Make a commitment to use 405(d) tips and infographics to help your practice staff gain cyber-awareness. It can’t be learned overnight but introducing a new topic each week is doable and will make a difference. Don’t put your practice and patients at risk just because this elephant is so big.

At the end of this article, I will share suggestions for actions you can take right away. I will be referring to some of these 5 threats as we go. And of course, my recommendations are free 405(d) resources created for you!

Each threat has a complete set of support documents including flyers, infographics/posters, and slides breaking it down into pieces that can be easily consumed in a short amount of time by non-technical people. Regarding Threat 1, Email Phishing for example, 405(d) introduces the following scenario so you can better understand and share within your practice how cyber-threats present in real life.

Here we go:

Your employee receives a fraudulent e-mail from a cyber-attacker disguised as an IT support person from your patient billing company. The email instructs your employee to click on a link to change their billing software password.

An employee who clicks the link is directed to a fake login page, which collects that employee’s login credentials and transmits this information to the attackers. The attacker then uses the employee’s login credentials to access your organization’s financial and patient data.

Seems simple enough, right? It’s easy to read this in a cyber-focused article and think to yourself, “what a stupid move that was”. But this is typical of how 80% of hacking-related breaches happen: a stolen or phished credential, not a sophisticated exploit. People are busy and distracted doing a great job delivering healthcare. The hackers use this against us, so we must work smarter. Knowing this information can help you protect your practice and your patients.

For phishing, some of the best defenses include multi-factor authentication (MFA) and tagging e-mails that come from outside of the organization. MFA means a password captured on a fake login page is not enough on its own to get into your billing system, and an external-mail tag makes a message that claims to be from “IT support” but arrives from outside your practice stand out before anyone clicks. You don’t need to implement these today; my goal is simply to make you aware that these free HHS resources are available and pave a way for you to become engaged. One hour of your attention each week and you will be utilizing 405(d) resources to protect your practice, and your patient PHI.
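To make the external-tagging idea concrete, here is an added example (my own illustration, not code from HHS 405(d), HICP, or PAHCOM) that does what a mail gateway or a scripted inbox rule would do for the scenario above: it prefixes the subject of any message whose From domain is not the practice’s own, and then lists plain-language indicators that the message is a credential lure. The practice domain (example-practice.com), the billing vendor’s real domain (billing-vendor.example), the lookalike attacker domain, and all three messages are constructed for the demo; a real deployment would pull the domain lists from the practice’s own mail setup.

```python
"""Tag external e-mail and flag credential-reset lures.

Added example, not HHS 405(d) / HICP / PAHCOM code. Domains and messages
below are assumptions constructed for the demo.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Assumption: the practice's own mail domain and the real billing vendor's domain.
PRACTICE_DOMAINS = {"example-practice.com"}
TRUSTED_VENDOR_DOMAINS = {"billing-vendor.example"}
EXTERNAL_TAG = "[EXTERNAL] "
# Words that commonly appear in credential-reset lures (illustrative list).
LURE_WORDS = ("password", "verify your account", "urgent", "suspended", "log in", "login")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def sender_domain(msg):
    """Domain of the From header, lower-cased ('' if missing)."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def body_text(msg):
    """Plain-text body (falls back to HTML, then empty)."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def is_trusted_host(host):
    """True when host is the practice or a known vendor domain (or a subdomain of one)."""
    allowed = PRACTICE_DOMAINS | TRUSTED_VENDOR_DOMAINS
    return any(host == d or host.endswith("." + d) for d in allowed)


def tag_subject(msg):
    """Prefix Subject with [EXTERNAL] when the sender is outside the practice; return the subject."""
    subject = str(msg.get("Subject", ""))
    if sender_domain(msg) in PRACTICE_DOMAINS or subject.startswith(EXTERNAL_TAG):
        return subject
    del msg["Subject"]
    msg["Subject"] = EXTERNAL_TAG + subject
    return str(msg["Subject"])


def phishing_indicators(msg):
    """Human-readable reasons a message looks like the billing-password lure."""
    reasons = []
    dom = sender_domain(msg)
    if not is_trusted_host(dom):
        reasons.append(f"sender domain {dom!r} is neither the practice nor a known vendor")
    text = (str(msg.get("Subject", "")) + " " + body_text(msg)).lower()
    found = [w for w in LURE_WORDS if w in text]
    if found:
        reasons.append("credential-lure wording: " + ", ".join(found))
    for url in URL_RE.findall(body_text(msg)):
        host = (urlparse(url).hostname or "").lower()
        if host and not is_trusted_host(host):
            reasons.append(f"link points to untrusted host {host!r}")
    return reasons


def analyze(raw):
    """Parse a raw RFC 822 message and return tag/indicator results."""
    msg = email.message_from_string(raw, policy=policy.default)
    external = sender_domain(msg) not in PRACTICE_DOMAINS
    return {"external": external, "subject": tag_subject(msg),
            "indicators": phishing_indicators(msg)}


# Constructed sample messages (not real mail).
PHISH = """From: IT Support <helpdesk@billing-vendor-support.example>
To: frontdesk@example-practice.com
Subject: Action required: reset your billing software password

Your billing software password expires today. Click below to reset it now:
https://billing-vendor-support.example/reset
"""
VENDOR = """From: Billing Vendor <noreply@billing-vendor.example>
To: frontdesk@example-practice.com
Subject: Your monthly statement is ready

View your statement at https://portal.billing-vendor.example/statements
"""
INTERNAL = """From: Office Manager <manager@example-practice.com>
To: frontdesk@example-practice.com
Subject: Staff meeting Thursday

Topic of the week is e-mail phishing. Slides: https://intranet.example-practice.com/week1
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("VENDOR", VENDOR), ("INTERNAL", INTERNAL)):
        print(name, analyze(raw))
```

The lookalike message gets the [EXTERNAL] tag plus three indicators (unknown sender domain, password wording, a link to an untrusted host), the genuine vendor statement is tagged but raises no indicator, and the internal reminder is left alone. The tag is the part a non-technical user actually sees; the indicators are what an IT person or mail filter would act on. Neither replaces MFA, which is what limits the damage when someone does type their password into the fake page.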


Public Law 116-321

Earlier I said it pays to get started now. Here’s one important reason why. Public Law 116-321 amends the HITECH Act so that HHS must consider whether a covered entity or business associate had recognized security practices (such as the 405(d) HICP guidance) in place for the previous 12 months when it decides on fines, audit findings, and other remedies after a breach. It might not prevent the attack, but now you get credit for a year of documented due diligence!

This is a HUGE deal. If you remember nothing else from this article, remember this! Not only is it a good idea to be cyber-aware and protect your practice, but this law cuts you a break IF you can demonstrate that you have been following 405(d) guidance for the past 12 months or longer.

The full title of the law is:

An act to amend the Health Information Technology for Economic and Clinical Health Act, to require the Secretary of Health and Human Services, to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes.

Start now and get that year-counter moving! Make sure you document that you’re following the guidance.


Take ACTION Now!

You can have all the best ideas and intentions, but making time for yet another program is not easy. I get it and am available to help you. And it’s not just me, or PAHCOM, or even HHS. There are many great support organizations focused on solo provider and small group physician practices (CommHIT & PH-ISAC, BC Advantage, etc.)

I challenge each practice to implement a one hour per week plan. Begin with an overview then dive into the 5 threats. Use the free HHS 405(d) resources shared here. We have created suggested materials for Weeks 1-4 to get you started. The Week 1-4 plans are available free to the public at https://my.pahcom.com/405d-noexcuses (scroll to the bottom where you see the elephant).

Here’s a sneak peek. Week 1 has three action items:

-        Watch the 4-minute HHS 405(d) video

-        Review the HICP quick start guide (only 2 pages)

-        Assign reading to various roles in your practice (based on the quick start guide)

The most important thing is to get started and DOCUMENT that you’re doing this. Remember Law 116-321. It looks back at the previous 12 months, so it only helps you once you can show a full year of recognized security practices in place. HICP is recognized, and 405(d) puts it in a consumable format so you can TAKE ACTION NOW!


Links to great free resources

(We highly recommend accessing all these links in small practice context from https://my.pahcom.com/405d-noexcuses)

-        HHS 405(d)

-        HICP

-        Public Law 116-321

-        Quick Start Guide

-        Slides from my live presentation on this topic

-        HIT Quiz

-        HIT Study Guide URLs

-        Weeks 1-4 Plan (scroll to bottom at the elephant)

Links to great resources (not free)

-        HITCM-PP Certification

-        HITCM-PP Study Guide

-        Physician and Administrative Leadership Membership


Karen Blanchette, MBA

Karen is the Executive Director for PAHCOM and serves on multiple HHS task groups specific to Cybersecurity and is an Ambassador for HHS 405(d). In 2011 Karen led PAHCOM through the inception of an HIT credential specific to managers of solo provider and small group physician practices. Cybersecurity is in Domain 4 of that certification.

Learn more about the HITCM-PP

See Karen’s full biography
