Q&A with Renee Broadbent, Chief Information Officer

4 Questions with Renee Broadbent, Chief Information Officer

What are your thoughts on a practice holding Cyber Liability Insurance?

Cyber Liability Insurance is must today for any practice or organization that stores and transmits protected health information (PHI).  Cyber Liability Insurance is not inexpensive, however it’s well worth the peace of mind. Healthcare ranks at the top of all industries for a data breach in terms of volume and cost. In 2021, the average cost of a data breach in the healthcare sector amounted to over $9M.  Remember, a data breach isn’t usually discovered immediately so there is ample time for more damage.

Cyber Liability Insurance can help mitigate the financial burden of a breach.  In addition, many policies offer additional assistance such as assigning a coach to assist you, to help organize and direct the needed actions to stop the threat and make sure you follow all the processes around notification. Cyber Liability Insurance policies are available in all shapes and sizes and offer varying amounts of coverage depending upon risk and other factors.  Best practice is to work with a broker who can conduct a risk assessment for you and make recommendations on levels and amounts.   Coupled with your policies and procedures, having cyber insurance can help ease the burden and pain of any data breach; it’s not if, it’s when. Be prepared.

What should physician practices require from their vendors?

Managing your practice requires the use of technology and other services that may contain protected health information or be exposed to it. When engaging with a technology vendor who will hold PHI, you can take some simple steps to ensure they are protecting your data.  First, make sure any arrangement that requires a Business Associates Agreement (BAA), has one. Second, ask your vendor to provide evidence of advanced security certifications, such as HITRUST or SOC (System and Organization Controls) or other industry standard certifications. Third, ask for the Accord for their cyber liability insurance and don’t be afraid to ask them to increase it for you if its not enough!  Last, ask for a Disaster Recovery Plan so that in the event of a disaster your data is protected!

What do you see as the most likely scenario for a data breach?

Data breaches can occur in a variety of ways, but the most common way is through a phishing email.  Phishing is when a ‘bad actor’ sends an email that appears legitimate, with the intention of fooling the recipient into opening the email and clicking on something to compromise credentials. The individual then uses the credentials to obtain additional, more valuable, data. The challenge with phishing emails is that they’ve become very sophisticated and difficult to discern from a legitimate email.  Extra diligence along with training helps mitigate the risk of opening a bad email.

What is the best way to stay current on the changing regulations and requirements?

Regulations on data evolve over time to provide enhance protections in the ever-changing data landscape.  Some regulations like HIPAA change very little, but other protections of personal information have been enacted such as the California Consumer Privacy Act (CCPA), which is being considered for adoption in other states. Regulations around substance abuse and mental health are state and federally driven and may vary state to state.  This is especially important in terms of data exchange.  The are a number of ways to keep current including List Serves, that provide updates, regularly reading the Compliance Newsletter provided by SoNE, or hiring someone to assist you in navigating the best practices for you practice to ensure you remain compliant with any changes.

Renee Broadbent, MBA, CCSFP is Chief Information Officer