Cybersecurity is a paramount concern for Federally Qualified Health Centers (FQHCs), given the sensitive patient information they handle. The recent experiences of two FQHCs in rural Pennsylvania shed light on the importance of proactive cybersecurity measures and a comprehensive approach to breach preparation and response. In this blog post, we will examine the contrasting strategies employed by “Far, Far Away Health Center” and “Apex Health Center” and explore the impact of their differing approaches on their cybersecurity posture, compliance with HIPAA (Health Insurance Portability and Accountability Act) regulations, and potential fines.

Two Approaches to Security and Compliance

1. Far from secure, but the right
intentions…

Far, Far Away Health Center is a busy facility with a focus on day-to-day operations and ensuring patient quality is keeping up with demand. They have a limited perspective on information security, perceiving it as solely an IT task rather than an organizational responsibility. Compliance, for them, is seen as a checkbox exercise, focusing on meeting minimum requirements rather than implementing robust security measures. Their security controls are implemented in response to specific requirements or based on prior experiences, lacking a comprehensive framework for addressing emerging threats. Additionally, the center's incident response and business continuity plans are not regularly tested, leading to a lack of readiness.

2. An organizational approach is the pinnacle…

In contrast, Apex Health Center knows that ensuring a high-level of security to protect patient data is what allows them to deliver quality care with confidence. Apex recognizes that information security is a shared responsibility across the organization. They prioritize compliance as an outcome of good security practices and make risk-based decisions by considering the potential impact on operations, finances, and organizational goals. Apex Health Center follows a well-established framework for their security controls and conducts regular exercises to test their incident response and business continuity plans. This proactive approach helps them identify vulnerabilities and mitigate risks effectively.

Two Approaches to Budget

1. Surface level planning…

Far, Far Away Health Center's budget allocation for security lacks strategic planning. The decision-making process is heavily influenced by the IT Director's recommendations without thorough evaluation. This results in a fragmented security approach, with investments made based on perceived needs or recommendations from external sources, rather than aligning with the organization's specific requirements.

2. Risk driven allocation…

Apex Health Center takes a more comprehensive approach to budget allocation. Their leadership team approves a budget for critical and high-risk areas, while also encouraging the use of existing solutions and manual processes where applicable. The decision-making process considers the alignment of investments with the organization's needs and goals. This approach allows Apex Health Center to prioritize critical security measures, such as multi-factor authentication and security monitoring, while planning for future enhancements.

Two Responses to a Breach

1. Untested and unexpected…

It’s Friday afternoon, and the IT team is looking forward to the weekend when a major breach occurs at the Far, Far Away Health Center. The team struggles with an ad-hoc response. Without a tested incident response plan, their team scrambles to figure out the necessary steps, resulting in delays, confusion, and frustration amongst the team. This reactive approach undermines their ability to contain the breach effectively and minimize its impact, causing a huge interruption to their networks, and a necessary shut-down of the facility. Many patients are left untreated and the impact to patient data is unknown.

2. Prepared and ready for action…

Across the country, the same group of attackers manage to breach Apex Health Center on the same day. This team is prepared, and they demonstrate a proactive response to a breach, following their tested incident response plan. They promptly notify the relevant stakeholders, such as legal authorities and cyber insurance providers, enabling a coordinated effort to mitigate the breach's effects. Their ability to identify critical systems, disable compromised accounts, patch vulnerabilities, and document the incident using approved templates showcases their preparedness and professionalism.

OCR Investigation and Responses

Future of fines and corrective supervision…

Due to their inadequate security measures and breach response, Far, Far Away Health Center finds itself in an unfavorable position during an OCR (Office of Civil Rights) investigation. They struggle to provide the necessary evidence of compliance with HIPAA safeguards, including a comprehensive risk assessment, risk management plan, and policies and procedures. As a result, they face potential fines and are required to implement a corrective action plan under OCR supervision.

Heads held high…

In contrast, Apex Health Center's proactive security measures and thorough documentation enable them to respond effectively to OCR inquiries. They provide the required Security Risk Assessment (SRA), Risk Management Process (RMP), Policies and Procedures (P&Ps), Incident Response Plan (IRP), Business Continuity Plan (BCP), and evidence of tabletop exercises. Apex Health Center can demonstrate their commitment to technical remediation, incident response activities, and notifications to affected patients, OCR, the State Attorney General, and the media. Consequently, OCR recognizes Apex Health Center's compliance with HIPAA and acknowledges their appropriate response to the breach.

Two Different Tales, Two Different Outcomes

The divergent approaches to cybersecurity and breach response have significant consequences for the two FQHCs involved. While Apex Health Center successfully closed the case with OCR, demonstrating compliance and security maturity, Far, Far Away Health Center faced a different outcome. The OCR found Far, Far Away Health Center to be non-compliant with HIPAA regulations, resulting in hefty fines and the imposition of a Corrective Action Plan (CAP) that will extend over ten years. Far, Far Away Health Center is now required to document a Risk Management Plan, fully implement Policies and Procedures, conduct System Activity Reviews, enhance access controls, document and test their Incident Response Plan, and provide quarterly updates on compliance activities to the OCR.

The story of these two different FQHCs underscores the critical importance of a proactive and comprehensive approach to cybersecurity for Federally Qualified Health Centers. It is evident that perceiving information security as an organizational responsibility, rather than solely an IT task, yields better results. A risk-based decision-making process, aligned with the organization's goals and operations, facilitates effective resource allocation. Following a well-established security framework and conducting regular exercises to test incident response and business continuity plans strengthens preparedness and response capabilities.

Compliance is NOT a checkbox

Moreover, organizations should recognize that compliance is not a checkbox exercise but an outcome of good security practices. By investing in appropriate security measures, conducting thorough risk assessments, and documenting policies and procedures, FQHCs can demonstrate their commitment to safeguarding patient data and meeting regulatory requirements.

In an increasingly challenging cybersecurity landscape, FQHCs must prioritize cybersecurity investments, allocate budgets strategically, and implement proactive security controls. By doing so, they can not only protect patient information but also avoid fines, maintain compliance, and instill trust in their patients and stakeholders. The lessons learned from the experiences of Apex Health Center and Far, Far Away Health Center should serve as a wake-up call for all FQHCs to prioritize cybersecurity and build a resilient security posture.

Is your team prepared for a breach?

Have you thought through and tested your incident response and business continuity plans?

Our tabletop workshops and assessments can help to identify gaps and build a prioritized approach to improve your readiness. Let’s get started connect@obsglobal.com 

About the Author

Adam Kehler is the Director for Online’s RSP Health Cybersecurity practice. He has been a proud Onliner since May, 2016. Adam started as a software developer and expanded his IT and architecture knowledge in roles from Implementation Specialist to Technical Account Manager, and Project Manager to Data Center Operations before shifting his focus to Information Security and obtaining his CISSP certification. Working with many of our Clients, Adam set his focus on the Healthcare industry, recognizing the nuances of cybersecurity and compliance within the healthcare space as something very specialized. He has since built up a team of HCISSP and CISA-certified experts that can advise in this highly targeted industry, including HIPAA Compliance and Security Risk Assessments, HITRUST, NIST, and cybersecurity program development.