
I get calls all the time from prospective clients asking about our services. I always ask who they are currently working with to gauge their current state of IT, security, equipment, and overall compliance to see if we are a good fit. Yesterday I got another one of those calls, and the Dr. told me a bit about the IT guy and how they know they should be doing more with backups and anti-virus and things like that, but the IT guy is reactive, and that no longer fits with the practice’s goals.

It sounds like the Dr. is ready to embrace the change and start being proactive. I tell the Dr. about what we do and why we do it, and that if we are to move forward, we will need some cooperation with the current IT guy. The Dr. gives me the name and I Google it. The first thing I see is a basic website that lists his break/fix reactive services. At the top of the list is VIRUS REMOVAL.

Ugh.

This is the number one red flag I see with IT guys trying to work in the healthcare space without any clear understanding of their own obligations under HIPAA. As an IT provider in the healthcare space, you are considered a Business Associate. You are expected to know and identify any security deficiencies and offer paid solutions to remediate them. You are also expected to be a cybersecurity expert and provide everything necessary and prudent to prevent data breaches — not wait for something bad to happen and only clean up that mess. Most of this is indeed preventable and can be done with an annual investment of 1-4% of your gross revenue. (General businesses spend between 11-13% annually.)

In this day and age, a virus could be considered a data breach, and failure to report it (after a proper evaluation to determine whether data had actually been breached) could result in maximum fines. It’s just not worth it.