Cybersecurity for Independent Healthcare Providers

The same cybersecurity threats that affect large, well-resourced health systems also affect smaller, independent physician offices and other ambulatory care facilities. And the consequences are the same—such incidents can result in theft or exposure of protected health information (PHI) or other sensitive information, failure of (or inaccessibility to) important applications or computer systems, treatment delays, or possibly even patient harm. Moreover, any of these consequences can damage the office's or facility's reputation, particularly if publicized.

But whereas large organizations often have an entire IT staff at their disposal, smaller offices may have only a single IT person or no dedicated IT staff at all, and in many cases these facilities contract with an external IT service. Such locations may have only basic security measures in place against cybersecurity attacks, and personnel may have limited awareness of the nature and impact of cybersecurity threats. Given these limitations, it's important for ambulatory care centers or the IT services they use to understand what cyber threats are the highest priority, along with the special security concerns, patient safety hazards, regulations, and other considerations that the healthcare context presents, and how to implement a strategy that fits the organization's resources.

This article will help ambulatory care centers and contracted IT vendors get started on developing a security strategy. We point toward some helpful outside resources, as well as ECRI's guidance.

Ambulatory care facilities may face a...