Despite having ePHI, credit card information and personal identifiable information, many small and private healthcare organizations are still being ignored by cyber solution companies. As a result, these organizations are at a higher risk for data breaches and other cyberattacks.
It’s no secret that small and private practice healthcare organizations are often overlooked when it comes to cybersecurity products. In speaking with Dan Walsh, CISO at VillageMD, his insights resonated with me. “Despite HIPAA, PCI-DSS, and SOC2 data and needs, these types of organizations often lack the resources to meet stringent cybersecurity standards,” Walsh says. “This leaves them vulnerable to cyber threats and data breaches that can be both costly and damaging to the organization and us as patients.” In this post, we’ll discuss why small and private practice healthcare organizations are particularly vulnerable to cyber threats, what the HIPAA, PCI-DSS, and SOC2 compliance requirements are, and how these organizations can protect themselves from cyber threats.
Overview of HIPAA, PCI-DSS, and SOC2 Compliance:
HIPAA (Health Insurance Portability and Accountability Act) is a federal law that provides data privacy and security regulations for protecting sensitive patient information. HIPAA requires all healthcare organizations, including small and private practice healthcare organizations, to maintain HIPAA compliance. You can learn more about HIPAA in our HIPAA Compliance 101 post. PCI-DSS (Payment Card Industry Data Security Standard) is a set of industry standards created to protect customer data from being accessed by unauthorized users. SOC2 (Service Organization Controls) is a set of standards created to ensure that companies are maintaining the security, availability, and confidentiality of their systems and data. All three frameworks focus on setting baseline requirements to better protect the information we entrust to these organizations.
Small and private practice healthcare organizations can be particularly vulnerable to cyber threats because they often lack the resources, both money and time, to implement even the most basic cybersecurity measures. To put it into numbers for a small (under 50 person) healthcare practice, the approximate cost per year is:
- Risk Assessment = $6,000-$30,000
- Vulnerability Assessment = $1,500-$15,000
- Penetration Test = $3,000-$20,000
- Awareness Training = $1,000-$5,000
- Compliance and vCISO = $15,000-$50,000
- Total Cost = $26,500-$120,000
Keep in mind that these are only the known, recurring annual costs; additional expenses for one-time projects could push those numbers further north. Without proper HIPAA, PCI-DSS, and SOC2 compliance measures in place, these organizations are more likely to experience data breaches that can be incredibly expensive to respond to, potentially putting a small practice out of business.
Despite the lack of resources, there are still several steps small and private practice healthcare organizations can take to protect themselves from cyber threats. Organizations like RealCISO.io, Orbitalfire, and Cyflare are recognizing this gap and are passionate about bringing high-quality, cost-effective solutions to the 32.5 million small businesses across the country, which, according to the SBA, make up 99.9% of US businesses. As many people come to find out, expensive doesn’t always correlate with high quality. By knowing where to find more cost-effective solutions that meet the needs and daily work styles of small businesses, you can better protect your patients and your business.
- Risk Assessment – www.realciso.io = $0-$6,000 per year
- Awareness Training – www.curricula.com = $0-$12,000 per year
- Vulnerability Assessment – www.cyrisma.com = $2,000-$4,000 per year
- Managed Detection and Response – www.cyflare.com = $2,000-$4,000 per year
- Compliance and vCISO – www.orbitalfire.com = $6,000-$22,000 per year
Cybersecurity is often overlooked when it comes to small and private practice healthcare organizations, yet HIPAA, PCI-DSS, and SOC2 compliance is still required of them to protect sensitive patient information. While these organizations may have limited resources to meet stringent standards, there are still several steps they can take. By investing in HIPAA, PCI-DSS, and SOC2 compliance; performing regular security audits and testing; training employees on cybersecurity best practices; investing in security solutions such as firewalls and encryption; and regularly monitoring systems for potential threats, small and private practice healthcare organizations can better protect themselves from cyber threats.