AHLA's Speaking of Health Law

HIPAA Compliance and Cybersecurity Concerns for Physician Practice Groups

May 04, 2021 AHLA Podcasts

Baxter Lee, CFO, Clearwater, speaks to Nesrin Tift, Partner, Bass, Berry & Sims, about the compliance and cybersecurity environment that physician practice groups face. They discuss issues related to interoperability and the rise of cyber criminal activity, along with appropriate steps that physician practice groups can take to address compliance and security concerns. They also talk about how to conduct an effective security risk analysis and identify cybersecurity risk during the M&A process. Sponsored by Clearwater.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for AHLA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Our solutions include our proprietary software-as-a-service-based platform, IRM Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise, and advisory support from our deep team of information security experts. For more information, visit clearwatercompliance.com.

Speaker 2:

Good morning, and thanks for joining us today. I'm Baxter Lee, CFO of Clearwater. Joining me today is Nesrin Tift with Bass, Berry & Sims. Nesrin, would you like to introduce yourself?

Speaker 3:

Sure. Thanks, Baxter. I'm glad to be joining you. I'm Nesrin Tift. I'm a partner in the healthcare regulatory practice at Bass, Berry & Sims in Nashville, and I advise clients in the healthcare industry in pretty much all aspects of healthcare regulatory compliance and reimbursement. One of those areas that is a big part of my practice is HIPAA data privacy and security compliance.

Speaker 2:

Great, thanks. And today we'll be talking with you about HIPAA compliance and cybersecurity concerns for physician practice management groups. Given the volume of investment activity we're seeing in the PPM space, hopefully this will be a relevant topic for our listeners. So to kick us off, Nesrin, why don't we start with defining physician practice groups. What are physician groups, and what role do they play in the healthcare industry?

Speaker 3:

Sure. So in the healthcare space, we see trends cyclically. In some sense, the resurgence, I guess you could say, of physician practice management companies and platforms is something we've seen before and with similar drivers, although slightly different in the last several years and potentially more lasting. I think that certainly remains to be seen, and we'll talk a little bit more about what some of those drivers are. But certainly you have independent physician groups, physician practices. You have large and increasingly large physician practice groups, where an existing group might make a strategic investment and acquire other, more independent community groups. And then of course you have physician practice management companies, which in some sense are driven by areas of the law that may prohibit lay entities from employing physicians or practicing medicine. But you also see other drivers behind that, such as the desire of physicians to be more freed up to in fact practice medicine, and consolidation: facing increasing financial pressure and wanting to benefit from consolidation of operational overhead and management costs, and moving some of that day-to-day operational function to a management entity.

Speaker 2:

Right. And oftentimes there are investors involved in the establishment of a management group, is that correct?

Speaker 3:

Yeah, absolutely. And again, we're seeing really an uptick in the last several years, driven of course by the consolidation we're seeing all over the industry, but particularly with physician practice management in specialty practices. But then, as we're seeing the transformation of primary care and value-based care and pay for performance, there is really an increasing desire for physicians to be able to consolidate to allow the capital investment and the data, the integration, the clinical integration, the financial integration, to be able to avail themselves of some non-fee-for-service compensation models.

Speaker 2:

Yeah. And certainly not a niche part of the industry anymore. We're seeing organizations getting pretty large, and as you touched on, they're leveraging technology to enable the consolidation and the evolution to value-based care. Based on some of the research we've done, there are over 150,000 physician groups in the United States. They generate north of 350 billion in annual revenue, employing more than 2 million employees across the country. And as you touched on as well, the recent focus on primary care has been particularly hot lately. Companies like VillageMD, Oak Street, One Medical, some of which are public or have aspirations to go public. These are becoming large entities, some of which are larger than what you would think of as an IDN in the hospital sector; they are bigger than some of the IDNs and growing quite rapidly, many of which are growing 20, 30% a year. So we're seeing that play out across other specialties, such as orthopedics, ophthalmology, dental. So it's certainly a big force and trend that's continuing to evolve in the healthcare industry. One of the other trends that we are seeing is a rise in cyber attacks focused on healthcare. In fact, healthcare continues to be the most targeted industry for cyber attacks. Just last year, in 2020, we saw a 25% increase in reported breaches, and ransomware seems to be at an all-time high as well.
And if you think about what's driving that, healthcare has extremely valuable data around the patients that they treat: not just things like names and Social Security number, but also birthdate, place of birth, parents, next of kin, things that would be good information to know if you're trying to steal someone's identity for financial gain. And unlike in the banking or financial services industry, where you could change your credit card number or your bank account number, the information that you might obtain through a health record is permanent. So it seems that, on one hand, you've got this trend of consolidation and the use of technology driving the evolution in healthcare, and on the other hand you've got a counterbalancing trend of cyber attacks. How are you thinking about those two trends in conversations with your clients?

Speaker 3:

Yeah, so there's a lot happening there. And I think, to your point about the rise in cyber criminal activity and cyber attacks, it's only really increased in the last year, for some obvious reasons. But there are so many different factors going on there. And I think, taking it back to where we started, the increasing consolidation: physician practice management companies and physician practices themselves, and the ancillary types of providers in their market, are realizing that you really can't have clinical integration, which is a huge part of being able to take advantage of value-based care arrangements, without the technological integration. And that's not only a shared or common system, right? So a single or shared EMR platform, which for IPAs and for clinically integrated networks is an important piece of being able to demonstrate that required level of integration. But you also have just many different drivers pushing for interoperability. And part of that is on the regulatory side, the information blocking rules that took effect April 5th, 2021. Many of us, myself included, just kept assuming that the effective date would get pushed again, given the truly transformational nature of these rules. But they did not. So you have organizations, you have providers, but also certified health IT developers and other actors covered under that rule, being really required at this point to eliminate barriers to interoperability, to open up pathways for data sharing and data exchange that previously could have been restricted or closed based on a number of factors integral to that organization.
But at the same time, that is exposing organizations to potential new security risks, and security concerns constitute a potential safe harbor under the information blocking rules. But it's really pretty narrow what those security concerns or security issues must be to be able to overcome a claim of information blocking. So still, you've got this ongoing tension. And at the same time, again going back to the start, we're in this period of increased consolidation. And as someone who advises clients, often in the event, unfortunately, of a breach, a cyber incident and an OCR investigation, cyber criminals know to target organizations that are going through onboarding, transition, change. Those are times of vulnerability. So you have consolidation and you have interoperability, and it opens up really an important new element to the transformation of care, but it's not without risks.

Speaker 2:

Right. And layer the pandemic on top of that. How has the pandemic affected these groups? There's a lot of organizational change as a result of that as well, right?

Speaker 3:

Right, exactly. And you made the point again about the increase in cyber attacks in 2020. The pandemic, obviously, with so many necessary components of the healthcare system moving to a virtual platform or some kind of remote interaction among the various actors, also created some increased level of risk. On the HIPAA side, the Office for Civil Rights issued enforcement discretion notices and waivers to some limited parts of HIPAA. One of those was really specific to telehealth and was very important, especially early on in the pandemic, when there was a very urgent and immediate need to be able to see patients through some kind of virtual platform, whether it be from a physician's iPhone, on Zoom, or something like that. On the one hand, the regulatory flexibility was crucial there to the delivery of necessary care, but it effectively allowed for some unsecure methods of communication between providers and patients.

Speaker 2:

Yeah. And I think, in addition to that, you had workforces moving to remote, working from home and accessing critical systems through VPNs and other mechanisms. Yeah, I

Speaker 3:

Mean, you had,

Speaker 2:

That's, yeah, go ahead.

Speaker 3:

I was gonna say, that's a great point, that not only are the clinicians now communicating with their beneficiaries and patients remotely, but you have the other members of the workforce, non-clinicians, who are now working from home, logging in remotely, conducting necessary business and administrative functions using a system or repository that contains PHI.

Speaker 2:

Yeah. So a lot of transition going on for these organizations. You touched on the regulatory drivers behind interoperability, the move to telemedicine and other remote care, and then obviously with the pandemic having people accessing information from multiple locations. What does all that mean from a cyber perspective? Clearly we've seen a rise in cyber attacks, and ransomware being at an all-time high last year. So the threat actors out there are looking to take advantage of all this disruption and dislocation in the market. But so what? What's the real impact of a cyber attack on a physician group, and why should the executives of these organizations care?

Speaker 3:

Yeah, I think that's an important question. I actually am curious, Baxter, what you are seeing just based on the cost element and the potential for damages. For OCR fines and penalties, we see those incrementally getting a little bit bigger depending on the size of a breach and the level of culpability associated with an alleged violation. But what are you seeing as far as truly the cost of a cyber attack?

Speaker 2:

Yeah, it's a great question. And there are several studies out there. The Ponemon Institute seems to be one that people point to a lot. According to them, the healthcare industry leads among all other industries in the US as the costliest for a data breach, with the average breach being over 7 million. They break it down at a record level. So they look at how many patient records are exposed in these breaches, and then, averaging in the total cost of responding to and remediating a breach, including lost revenue, business disruption and things of that nature, it averages out to over $400 per record. And one of the things that's really interesting about their study, particularly in the healthcare industry, is that not only is it the most costly, but the industry is the slowest to identify and to respond to a cyber attack compared to other industries. So we're seeing that when a cyber attack happens, it can be upwards of nine months to a year before the breach is detected, which then impacts the outcome, right? It allows for greater access to records, greater exposure of information, and that's driving up the cost. And one other interesting trend: we do have this breach portal, right? When there's a breach of over 500 records, you're required to report that to the Office for Civil Rights. One thing that we've seen lately is this rise in class action suits, which are a newer cost of a breach, and how plaintiff's attorneys are getting involved in the follow-up and interaction. What are you seeing from that perspective on the plaintiff's attorney and class action side?

Speaker 3:

Yeah, so that's an interesting one, because I think you're right: that is increasingly becoming as much of, or maybe in some cases more of, a potential concern or risk that we are advising clients to consider and, in the case of a transaction, for example, to weigh when assessing the potential risk of an acquisition. If there has been some kind of breach, whether or not it would be associated with any kind of allegations of non-compliance or settlement, or even a fine or penalty from OCR, that potential for a class action lawsuit, whether or not that's successful, but having to defend the litigation or the potential litigation, can be really costly. And there's a lot of activity in the plaintiff's bar around this. Some jurisdictions tend to be more favorable towards the plaintiffs, for example in potentially not having to demonstrate damages or harm, and just that a failure to comply with a state confidentiality law or in some cases a HIPAA standard can serve as grounds for the claim regardless. But one interesting trend that we've seen in the last couple of years, and this is specific to instances of a breach or potential breach or security incident where a provider organization has engaged, as they are instructed to do, and often under privilege, a forensic consultant or security consultant who can conduct an analysis, really a technical analysis, as to the potential access or activity of a hacker, or access to one system. So the In re Capital One Consumer Data Security Breach Litigation case: just a couple of years ago, the US District Court for the Eastern District of Virginia ruled essentially that Capital One was required to turn over the incident report that was prepared by its cybersecurity forensics consultant.
And this was a big deal in this space. If you are an attorney who counsels clients in these matters, if you are a security firm who engages in this kind of work, this was really significant. And since that ruling I have seen a significant shift in tone. The most common example in my practice might be in the instance of a transaction where we're trying to ask questions about an incident that occurred. There is a lot of very careful wording and careful thought, and sellers are very careful as to what they feel comfortable putting forth and disclosing. And essentially, despite the fact that Capital One's attorneys engaged this consulting forensics firm under privilege, and that they held out this documentation and this investigation as being privileged, the court essentially ruled that nevertheless privilege did not attach to the report. In the case of this particular class action, Capital One had to turn over the report, and there were a couple of factors there, based on how the documents had been shared internally within the company and how Capital One classified the expense. This particular consultant was on retainer, and Capital One had essentially classified it as a business expense, not legal. A couple of different factors at play there. And certainly, this is one jurisdiction. You can't say that this would necessarily be the outcome across the board, but it really created waves and concern for those of us who feel strongly that, when relying on experts to conduct that kind of investigation under privilege, the attorneys and the consultants as advisors can keep that information privileged and reach a conclusion based on their own assessments.
So I digress there, but that, I think, signals real potential concerns for the way these investigations are carried out.

Speaker 2:

Absolutely. Yeah. Certainly a lot to worry about if you're an executive of an organization and you know the threat of a breach, right? You've got not only the ransom that you have to pay, you've got the threat of or concern for OCR fines and penalties, and now the class action suits. And one of the things that we talk about a lot that I don't think gets covered as much, going back to these trends of consumerism and ambulatory convenient care, where the consumer is more involved in the choice around where and how they receive care, is the reputational harm that comes along with a cyber attack. So if you have the big distraction for management, that drives up the cost of a breach as well and the concerns around that, but then there's the ongoing overhang of your organization having been tagged with a cyber attack, potentially through a class action lawsuit or other mechanisms that would impact your reputation. That would be a significant concern. In fact, three of the top 10 breaches in 2020 were among physician practice groups. One in particular, Florida Ortho Institute, was a ransomware attack that affected over 600,000, 640,000 records. They are now going through a class action suit with the plaintiff's firm Morgan & Morgan, which we all know and see the advertisements for on TV. So clearly their name is being publicized as being part of a breach as the plaintiff's attorneys try to recruit people to join that class action suit. So the reputational harm there can be significant.
And then there were two other significant breaches within physician practice groups. One was Elite Emergency Physicians, which was through a third-party vendor, which is another trend we're seeing: third-party technology vendors that you're using to store or retain or share data with. This particular case was a quote unquote secure record storage business. Another one, the Baton Rouge Clinic, had over 300,000 patient records that were exposed through a phishing attack. So we're hitting all three of the major trends with those two breaches: ransomware, third party, and phishing. But, Nesrin, any thoughts on smaller practices or other concerns for those organizations before we move on?

Speaker 3:

Sure. I think that's right. And I think that OCR tends to demonstrate time and again that the size of an organization doesn't necessarily shield it from the potential for enforcement action. So yes, breaches affecting physician practices surely can have repercussions. And then, just as another example, you're also seeing OCR really aggressively, in its right of access initiative, target providers in allegations of non-compliance relating to the HIPAA right of access to one's PHI. That ends up coming down often on physician groups and physician practices. So definitely, and unfortunately, not exempt from the purview of the enforcement agencies. Yeah.

Speaker 2:

So it's small to large, right? We're seeing it across the spectrum. And so if you're advising your clients, what are these organizations, these physician practices, supposed to do? One of the questions we get a lot is, what do we have to do and what are good things to do? And how do we separate what we need to do today versus tomorrow? I kind of look at it from the lens of what is reasonable and appropriate, right, as it's deemed in the security rule. How do you determine what's reasonable and what's appropriate for a small organization, a midsize organization, and large? Those have different definitions or interpretations. How do you advise your clients from that perspective?

Speaker 3:

Well, I think that you and I can both agree that what's reasonable is evolving. When I first started advising clients on the security rule, and you look at the encryption standard, and it's addressable, we would advise clients: this is addressable. So if there's another way to, for example, protect these laptops that you feel would afford a similar, reasonable level of security, that may be okay: password protection, keeping inventory, things like that. But what's reasonable really has evolved. This was a number of years ago, and now if you don't have encrypted laptops, that is low-hanging fruit in my mind. So I'm curious as to what you would say to that, Baxter, but I think in part you have to keep up with it: what was reasonable when you first implemented your security policies eight years ago is different now. And so I think the key is remaining nimble. And the HIPAA security rule, I tend to view it, and I advise my clients this way, because I think it's easier to view it as more of a process. It's not a point-in-time, policy-on-X-date-makes-you-compliant type of rule. By its nature, it's something that requires revision and revisiting, and considering risks that may have been introduced, the pandemic being a great example. Maybe not on day one, but on day 365, maybe it's time to go back and look and say, okay, what do we know now about our system that we really think we need to dedicate some time and resources to improve, because we went 80% virtual, things like that. I think it just has to be a process. It has to be an ongoing discussion.
And I think that not only is that a less daunting way to approach HIPAA security, but it also is a really good way to position you for compliance, because if you can demonstrate that you have a process and that you are periodically reviewing and revisiting your safeguards in light of operational, human and technical risks and vulnerabilities, I think that's really a key step as to what OCR looks for.

Speaker 2:

Yeah, absolutely. I think we approach it from a very similar framework, having a plan in place, and it's a constant evolution. It's not a one-and-done type of process. But I think understanding the size of your organization, the nature of your business, the amount of records you maintain and process, and then other compliance requirements beyond HIPAA: you have PCI, you have state and local privacy and regulatory requirements. So all those need to be coordinated as part of your compliance and your security program. And just as you said, what is reasonable and appropriate for a company today may not be so a year or two years, three years down the road, especially as we've talked about the rapid pace of growth and consolidation of these businesses. So you may be doing something today that is just not going to be appropriate or reasonable for your organization through that evolution of your growth. You really need to be thinking about how you scale your program as the business scales and maintain that standard of reasonable and appropriate. One of the ways that we help organizations is through a framework that we use called our 10-point compliance and security, or cyber risk management, program. It's really derived from the OCR enforcement actions and understanding where organizations have come up short from that perspective. It's designed to say, okay, if you do these 10 things, you can demonstrate reasonable diligence with respect to meeting the requirements. And I think you would maybe agree, Nesrin, that if you can demonstrate reasonable diligence, OCR will be a little more forgiving if there was an incident.
But for us, it starts with having governance, and just making sure you've got a good governance structure in place. You have a designated security officer, privacy officer. From there it's having good policies and procedures, and making sure they're tailored to your specific business: not just buying HIPAA policies, security policies, off the shelf from someone and saying, we have policies, but making sure they're really adapted to your business. And then you really need to train your workforce, right, and make sure they know what they can and can't do in certain situations and what's right and what's wrong, and how to avoid possibly clicking on an improper email, things of that nature; security awareness training is critical these days. And then we get into things like a HIPAA security risk analysis, which means really understanding the threats and vulnerabilities to the ePHI and the systems that you're using, and then having a good risk management plan to respond to risks as they're identified. That's a continuous process, right? Because your systems are evolving and changing constantly. And then complying, and having assessments to make sure that you do comply with the HIPAA security and privacy and breach rules. And then one of the other key pieces of the way we think about things is technical testing: actually doing vulnerability scanning and penetration testing of your networks to understand what vulnerabilities exist and how bad actors might exploit them, and testing the ability for those to be exploited, so they can put specific controls in place to mitigate that.
And then one other key piece, and we touched on this very briefly earlier, is vendor risk management: understanding the vendors you're doing business with and the risk associated with them. And wrapping all of that up with a good, documented program and plan to show, hey, we do have a plan in place. We're doing these things, we've got a roadmap of things that we need to continue to do, and we're able to respond effectively as we identify risk to our organization. But again, it's like you said: having a program that can identify and respond and evolve with the business. How else are you guiding your clients to make sure that they are doing the right things and have the right practices in place?

Speaker 3:

Yeah, I would echo everything that you said, Baxter, and in particular that vendor risk. Oh man, that just ends up being the thorn in the side of so many clients. And it's hard, when you have so many different elements of your organization, and maintaining oversight over all those different parts and factors can be difficult. But I think more generally, I would say that, similar to what I said before, approaching this as a process, and really the same applies for the information blocking rules, which is top of mind for me because of the recently passed effective date and a lot of clients really facing now and coming to terms with what this requires and what this means. And so much of that ties back to investment of resources and having conversations across the organization, not just with your compliance and your privacy team, but with your IT, with your security and with your management. For example, I was working with a client, putting information blocking rules in place with the privacy team, and came to realize there was one really big piece of the compliance where we needed to bring in the IT folks, because it had to do with how the EMR was configured and to what extent it would allow connection and portability to other treating providers' systems. That's such a big part of the interoperability and information blocking rules that we realized we really needed to bring all of those groups to the table.
So, having a process, having those conversations, and the resources part: the financial investment in the security and the IT. I sympathize with clients, I live it, I'm sure you do too: there are just a lot of different competing pressures, and particularly for the last 12 months, 13 months, dealing with the pandemic and seeing how organizations are adapting to those financial pressures. But at the same time being told, hey, we're also more vulnerable to cyber risks, and by the way, we need to reconfigure a lot of our systems to allow for information sharing. There's an inherent tension there with all of these different drivers. So I think, and I know you guys do this too, because we've worked with you and we've worked together in advising clients, not assuming that we can tell them something and then they can just do it day one or turn it on day one, but that it's something where everyone has to have a voice at the table in determining the best approach.

Speaker 2:

Right? Absolutely. Uh, let's touch on risk analysis for just a minute. Um, this is clearly one of the core requirements of the HIPAA Security Rule. Um, and it seems to be an area that, through enforcement actions, uh, is, is a common, um, deficiency. Um, what is risk analysis and what are some of the challenges associated with performing a risk analysis and, and doing it appropriately in the eyes of the Office for Civil Rights?

Speaker 3:

Right? I could talk about risk analysis<laugh> for a very long time, and I will not, because I realize that not everyone, you know, gets as excited about this topic as I do. But, um, you know, a risk analysis, I will say in just a couple of brief statements, it, it is not a gap analysis. It is not a policy compliance analysis. I think exercises of that nature are certainly important and worthwhile, but that's not a security risk analysis. Security risk analysis is again, a process, um, by which an organization identifies, um, you know, vulnerabilities, potential vulnerabilities across its kind of system or IT environment or network, whatever the case may be. Then considers different types of, um, organizational, external, human, environmental threats, um, considers the likelihood and impact of a threat should it exploit one of these identified vulnerabilities. And then as a result of that, kind of spits out, if you will, um, a, a risk level or a risk rating. It doesn't have to be a number or, you know, a, a particular magic code, but some kind of way to rate the risks that result from that analysis. And then that in turn allows the organization to sort of prioritize and put in place measures to reduce those risks to a reasonable and appropriate level.

Speaker 2:

Yeah. So just to put a bow on it, can you have an effective<laugh> compliance program without doing a proper risk analysis?

Speaker 3:

<laugh>? Um, that seems like sort of a, a, a set-up question there.<laugh>, you know, OCR is very clear dating back to its guidance in, you know, 2010 I think it was, that that risk analysis is sort of the foundation or the core of HIPAA security compliance. And so it is an important starting point. I think that, again, there are ways to incorporate a risk analysis into your organization's compliance plan if it's not already there and it doesn't, you know, it doesn't make you non-compliant. But at the same time, I think it is so important to have a, a plan in place for when and how and, and where to conduct that process. It, it, you know, it often is really effective when it's done by an external, independent organization, but, but for some smaller providers who don't have, you know, the capability or the resources to do that, um, it can also be done internally. I've seen some very effective security risk assessments that were performed internally with all, again, all the right players at the table answering the questions. And, um, you know, it's not, it's not one size fits all, but I think it really has to have those important elements, um, vulnerability, threat, likelihood, impact, risk.

Speaker 2:

Yep. I couldn't agree more. Um, shifting gears, um, for a minute, um, thinking about M&A, I mean, certainly, as we touched on earlier, you know, investment from private equity is driving a lot of growth and consolidation, uh, in the physician practice space. Um, what can be done during the M&A process, um, to identify and avoid cybersecurity risk? Um, what are your clients looking for through, uh, the due diligence process?

Speaker 3:

There's a lot I could say there. The, I will say, you know, where we're increasingly, um, working on acquisitions with reps and warranty insurance, the insurance underwriters and their counsel are increasingly honed in on cybersecurity and HIPAA compliance and potential for breaches and vulnerabilities. And so that's something we, we focus on and we have sort of adapted to focusing our diligence, not just on the compliance program and, and all the, you know, sort of document requests that can be answered, um, by providing materials, but really conversations around the culture of compliance and how, for example, the organization, um, sort of monitors and tracks re uh, use of mobile devices, mobile device management, um, you know, technical controls that are in place, malware protection, all that sort of thing. So really looking beyond the policies that tick the boxes and looking at it as well from kind of a risk-based perspective as a, as a complement to the compliance-based perspective.

Speaker 2:

Yep. Yeah, I was, uh, attending a different conference yesterday and, and I heard someone say that cybersecurity is now a top three diligence item for Yeah. Private equity investors in, in healthcare. Yeah,

Speaker 3:

That certainly understand absolutely why,

Speaker 2:

Uh, because,

Speaker 3:

Because it really is, it is sort of, um, you know,<laugh>, cybersecurity doesn't, cyber risks don't discriminate, you know, it can happen to any of these kinds of organizations, whether vendor, provider, and, you know, no matter how large or small.

Speaker 2:

Yeah. Well, we've talked about a lot today. I mean, certainly, um, a lot of, lot of trends here. Um, really appreciate, uh, your insights. I think to, to wrap up. Um, you know, I think it sounds like, um, you know, as an organization, physician practice group, um, you're being asked to do a lot of things, um, from a regulatory perspective. Um, the, the market itself is also pushing for more interoperability, uh, sharing of data, value-based, mm-hmm.<affirmative>, uh, initiatives. Yeah. Um, and that's sort of competing with, um, with the, uh, the rise in cyber attacks. And so, uh, I guess a final question as we, as we wrap up here is, you know, how, in thinking about building a cybersecurity program, um, it, it's critical, at least in my mind, to have a good, good program that, that, that evolves with the organization and creates resilience for that business. Yeah, yeah. Um, but, but how do you think this becomes something that, if you do it right, it's a competitive advantage, uh, for organizations that really prioritize, uh, mitigating and managing these cyber threats, uh, as part of their business?

Speaker 3:

Yeah, I, I think so. Uh, I mean, I think in particular in the, this time of consolidation and, um, looking to be sort of to integrate clinically and financially, if you can have a really strong technical and security infrastructure, I think for sure that that can really only create a competitive advantage. And, you know, I'm curious to hear your thoughts as well.

Speaker 2:

Yeah, I mean, I think certainly, um, if, if there were to be, uh, an incident, um, the distraction that it causes for management, the financial impact, the reputational harm, those things that we talked about could all impact sort of the growth and trajectory and, and ultimately the, the enterprise value of the business that you're trying to build and create. And, you know, to the extent you can make appropriate investments to, to ward off, uh, those, uh, that, that type of thing from happening, uh, while we know that, you know, others are, are being, um, uh, like, uh, subject to those risks, I think you could, um, poten, you could definitely, um, stand apart from your peers, uh, if you can avoid those, those issues and, and all the associated costs and, and challenges that come along with it. So that's what we're talking about with our clients. I think they really wanna understand how to do that, how, how, what's reasonable and appropriate and how to think about building a program that, that supports and scales with the business as it grows. Mm-hmm.<affirmative>. So,

Speaker 3:

Yeah.

Speaker 2:

Um, anything else you would add before we wrap up today?

Speaker 3:

No, I think that, I think you have said it well,

Speaker 2:

<laugh>. Great. Well, thank you very much. As usual, it's been a pleasure talking with you today. We've discussed the HIPAA compliance and cybersecurity, uh, concerns for physician practice groups. Hope you have, uh, found this useful and, and beneficial. Uh, thanks for taking time to listen to our discussion and take care.

Speaker 3:

Thanks. Next.