NJAMHAA News - October 2021

Security, which Contributes to

environment of all applications, data, etc. that would need to be back online right away in the cloud or on the premises. “It is not cheap to create the duplicate environment. You also need a duplicate path to the cloud in case the primary path goes down,” Blass explained.

As technology and other variables continue to evolve, the number of locations of PHI increases further and the threat landscape changes even more, it will become increasingly critical for providers to ensure their DRBC plans are up to date and tested. By doing so, healthcare organizations will make important decisions, such as moving applications to cloud hosts, “where DRBC plans and procedures are managed remotely by companies whose sole purpose is to protect the confidentiality, integrity and availability of PHI,” Blass stated.

In addition to the impact on patients’ safety and care, cyberattacks can drastically affect providers’ cash flow by taking away access to patients’ accounts and the general ledger, and the ability to submit claims to insurance companies, which, in many cases, are only accepted electronically. Paying vendors and staff could also become a problem, so backup plans are needed.

ComplyAssistant’s Risk Register Helps Implement Controls and Minimize Vulnerabilities

Blass strongly recommends that providers implement Health Industry Cybersecurity Practices (HICP), which can be achieved with ComplyAssistant’s Risk Register tool. A task force established by the U.S. Department of Health and Human Services (HHS) in 2017 has published the top five threats and top 10 recognized security practices for small, medium and large organizations. These HICP are based on the National Institute of Standards and Technology’s Cybersecurity Framework and are mapped to other frameworks. Adoption of HICP is voluntary, and incentives are available for organizations that implement HICP for 12 months.
These incentives include potential mitigation of HIPAA fines; early, favorable terminations of HIPAA audits; and mitigation of the remedies in HIPAA resolution agreements with HHS, Blass shared.

Resources on Information Sharing and Analytics

Blass recommends the following state and national organizations for additional information, guidance and resources:

• Information Sharing and Analysis Organizations (www.cisa.gov) and Information Systems Audit and Control Association® (www.isaca.org): These organizations are focused on cybersecurity. They share experiences and knowledge about threats.
• Healthcare Information and Management Systems Society (www.himss.org) and its New Jersey chapter: These groups focus on security, privacy and compliance. Blass co-chairs the NJ HIMSS’ Security, Privacy and Compliance Committee, which presents monthly webinars.
• Health Care Finance Management Association (www.hmfa.org): This organization has a Compliance and Risk Ethics and Security forum, of which Blass is a member.
• American Health Information Management Association (www.ahima.org): Although this group focuses primarily on billing and coding, it recently began addressing cybersecurity.

“Anything to do with change leads to more vulnerabilities,” Blass stated, underscoring the importance of proactively gaining information, training staff and implementing technology and practices to reduce risk.

For more information about ComplyAssistant, please visit www.complyassistant.com.
