Was there something I could have done?

By ADMC Member Debi Carr

Was there something I could have done differently? I heard that question again this week. In fact, I have heard this question repeatedly over the last several years. I have heard this question in cases from hardware failures to ransomware attacks. At some point, usually the doctor, but sometimes the practice manager will ask “Was there something I could have done differently?”

My answer is always a resounding YES.

Yes! Create and implement a security management plan which is an ongoing ever evolving process. A security management plan is the security strategies for the practice.
A strong security management plan begins with identifying what information is critical to the operation of the business such as accounting software and of course the practice management application. Often patient information is also housed in other applications as well, so it is critical to your plan to know where your information is created, transmitted and stored.

Yes! A risk analysis is a good place to start. It is required under the Health Insurance Portability and Accountability Act but also because it provides an overview of your security posture. A risk analysis should be conducted annually or whenever there are changes to the environment.

Another facet of a strong security management plan is policies and procedures that direct your team on how patient and practice information is to be processed. These policies and procedures should be written and available to all team members.

Yes! Training team members should receive regular training on your practice’s security policies and procedures as well as awareness training. We know that most infections enter a practice through malicious emails. Training team members to identify these emails is critical to a strong security management plan.

Yes! Creating and implementing a backup protocol that allows for a quick recovery. Full system onsite backups allows for the quickest recovery. Offsite back ups preserve critical data but does not allow for a quick recovery time. Both are important to have, but both have different functions. There should always be a back up that is not connected to the network in anyway. Too often when threat actors gain access, they delete the onsite and the offsite backs ups. Having a back up of the backups helps to guard against this scenario. TEST the back ups should also be part of your security management plan.

A strong security management plan is required under the Health Insurance Portability and Accountability Act. So often private practices ignore the requirements of HIPAA, thinking that they are too small or that it is just too expensive. Sadly, small practices are actually the prime targets of cyber-attacks. And those attacks can be very expensive.

On July 23, 2020, the Office of Civil Rights levied a fine of $25,000 against a small practice for failing to protect the practice against a cyber-attack. OCR’s investigation found “longstanding, systemic noncompliance with the HIPAA Security Rule”. Specifically, the practice “failed to conduct any risk analyses, failed to implement any HIPAA Security Rule policies and procedures, and neglected to provide workforce members with security awareness training until 2016”. In addition to the fine, the practice will be monitored for the next two years.

“Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information,” said Roger Severino, OCR Director.

Cyber attacks are up 120% since February. Small healthcare practices are prime targets. A strong security management plan can help protect a practice from an attack and more importantly to recover quickly. “Was there something I could have done differently?” Yes, you should have had a strong management plan.


Debi Carr is a Cyber Security and Crisis Management Consultant, Speaker, and CEO of DK Carr and Associates, LLC. She assists private practices in obtaining and maintaining HIPAA HITECH Compliance including performing risk analysis, team security training, crisis management and incidence response. Debi holds several certifications including Health Care Information Security and Privacy Practitioner, Certified Associate Healthcare Information and Management Systems and is a member of AADOM, ADMC, HIMSS, ISC2, ISSA, ISSAC, InfraGard, SCN.