OSIS Insights


Cybersecurity and Five Steps for Continuous Improvement

Posted by Nicole Miller on Feb 9, 2022 8:57:07 AM
The world of cybersecurity is always changing and evolving because new threats, vulnerabilities, and risks are discovered all the time. Community Health Centers (CHCs) therefore need to assess the security posture of their organization, and that posture should change and evolve over time as well. At first, this may seem like an intimidating task; however, if you practice the continuous improvement cycle, the task becomes far less daunting.

Continuous improvement is a simple cycle that lets you steadily improve your overall workflows. Applied to security, it uses these five steps to assess the security posture of the organization:

  • Identify security threats, vulnerabilities, and risks in the organization.
  • Develop a plan to mitigate these identified threats, vulnerabilities, and risks in the organization.
  • Act on the plan and execute new ideas.
  • Review your steps to mitigate threats, vulnerabilities, and risks in the organization.
  • Repeat this cycle accordingly.


The continuous improvement cycle should be used regularly to improve your security posture, and it should also be run whenever your cyber environment changes significantly. Examples of such changes include a major Electronic Health Record (EHR) upgrade, installing new software or updating existing software, adding new third-party integrations, and major infrastructure changes such as updating or adding hardware. Each of these changes can introduce its own security issues, which is why it is important to run the continuous improvement cycle when they take place.

Treat Cybersecurity like Homeownership

If you imagine cybersecurity as a house, continuous improvement starts to make a little more sense. You cannot simply build a house and never improve anything once it is built. Homeownership is an endless job. When you see that something is broken, like your air conditioner, you fix it. You want to save money on your electric bill, so you add solar panels. You need to add a room because your family is growing. Your home changes continuously as your needs change and your family grows.

It's the same for your organization and its security. As your organization changes and grows, your security posture should change as well. Take performing a major upgrade to your Electronic Health Record (EHR), or adding kiosks and/or patient check-in tablets, as examples of change or growth. The continuous improvement cycle works well to identify the potential cybersecurity risks that these changes could introduce. From there, you can adapt your security to proactively eliminate or minimize those risks rather than react only after an incident is detected.

Continuous Improvement for the Health Centers We Serve

At OSIS we are continuously changing to meet the needs of our Members. Health Centers are at the epicenter of the OSIS Network, and as health centers change, OSIS must be flexible enough to change as well, especially with cybersecurity. Security is one of our top priorities. OSIS' Infrastructure team is charged with developing and implementing formal and extensive security-related policies and procedures to ensure that OSIS complies with, and exceeds, all standards set forth in the HIPAA Security Rules. Since we know that cybersecurity risks change day to day, OSIS' security posture is ever evolving. The list below contains actions OSIS takes internally to ensure privacy and security for the health centers we serve; it may change or evolve as the needs of those health centers change:

  • Conduct Security Awareness Training sessions for staff
  • Provide staff with weekly cybersecurity quizzes and education, as well as security tools such as dark web scans from our cybersecurity training platform vendor
  • Perform a SOC 2 Report and a HIPAA Security Risk Assessment annually
  • Deploy an Anti-Malware endpoint solution
  • Deploy an Endpoint Detection and Response (EDR) endpoint solution
  • Maintain centralized logging and log retention
  • Run Intrusion Detection and Prevention Services
  • Apply Web Filtering to block malicious content
  • Enforce Multifactor Authentication
  • Use separate accounts to manage access to privileged areas
  • Run Cybersecurity and Infrastructure Security Agency (CISA) Vulnerability Scans and remediate known vulnerabilities
  • Perform Routine Backups

Health Center Governance

If the continuous improvement cycle is new to your health center, take the lead from health center boards. The National Association of Community Health Centers (NACHC) offers Health Center Governance training programs to help empower boards as they navigate the complex health care environment. The training programs offer governing strategies and insight to help board members address today's most critical priorities while identifying strategies for long-term health center success. Resources range from Board Member Boot Camps to online videos and modules, tools, guidance, and much more.

As mentioned in Preparing Health Centers for a Culture to be Cyber Ready, OSIS provides insight on what health centers should invest in to drive the actions and activities within a health center's structure that reduce cyber and operational risk. Organizations can learn how to improve their cyber hygiene and prepare for evolving security risks, threats, and vulnerabilities. If your health center does not have a continuous improvement plan for its security posture and the workflows that support it, we suggest creating one today.

Resources:

  • OSIS Webinar Series: Insight to Basic Data Security and Resources
  • Cybersecurity & Infrastructure Security Agency (CISA)
  • The Office of the National Coordinator for Health Information

Topics: Community Health Center, Cybersecurity, NextGen EHR