A HIT Expert Stresses Third Party Verification When Selling EHR Security to Physician Practices
How effective are we in marketing and selling EHR security to physician practices? Do we avoid the “marketing and sales speak” that skeptical physicians and administrators hate? Can we back up marketing claims with credible independent verification?
To be sure, breaking into the crowded EHR space is challenging for new EHR providers. They lack the track record of more established players. The good news is there is a strong demand for EHR security solutions to fight the growing number of healthcare data breaches.
As reported in EHRIntelligence, “Increased instances of ransomware attacks and cybersecurity threats will necessitate technology promising top-of-the-line security.”
Equally promising: “Frustrated physicians, dissatisfied hospitals hopping from vendor to vendor, and shifts in government and healthcare policy open the door for smaller, more niche vendors to acquire clients.”
To market effectively and close sales, we must instill confidence and be able to back up our claims. That requires knowledge of physician practices which often lack IT expertise to handle security breaches.
After reading his white paper co-authored with Phreesia, I turned to Mac McMillan. He helped me understand physician needs and evaluate vendor qualifications. He’s president and chief strategy officer of CynergisTek and a healthcare privacy and security expert based here in Austin.
In our conversation, Mac highlighted the security challenges facing smaller physician practices and what doctors and administrators should look for. His observations are extremely helpful in pressure testing our marketing strategies and identifying obstacles that stand in the way of selling EHR security solutions to physician practices.
At the same time, our discussion reveals that the gap in physician practices’ understanding of healthcare data breaches is a huge opportunity. EHR security providers with verifiable credentials and a willingness to educate their clients can differentiate themselves in the marketplace.
Healthcare Security: A Growing Threat Beyond HIPAA
Mac: It’s not enough to just worry about HIPAA compliance anymore. I guarantee there are organizations that are HIPAA compliant and still very susceptible to a breach. The HIPAA security rule addresses 19 of the security controls of the NIST common security framework. So you can be compliant with HIPAA and miss many critical areas of security that need to be addressed to defend against cyberattacks.
The problem in healthcare is not HIPAA security; it’s one of cybersecurity. Healthcare is just as susceptible, and in some cases, targeted more heavily than a lot of other industries like finance and banking.
Help physicians make informed decisions
Mac: Physicians are typically not IT people – certainly not IT security people. They know how to use an EHR from a clinical perspective, but managing an EHR is typically beyond their expertise.
The problem is that selecting a vendor is not taught in medical school. Doctors are not given a set of checklists when setting up a business from a compliance and security perspective.
Small practices often don’t have dedicated IT, let alone a CIO. They are relying on a third-party vendor to administer their systems and in some cases manage their network for them. They need to understand how to select the right partner.
Vendors can play a role in helping physicians understand the nature of threats to their practice. Regardless of practice size, physicians need to know what the threat looks like today in terms of what anybody connected to the Internet would experience.
The importance of certification in selling EHR security to doctors
Mac: Physicians need to understand the basis of your healthcare security claims, the importance of certification, and the standard or framework used to evaluate an EHR vendor’s program, service or product.
If it’s a software product or hardware product, vendors should be prepared to confirm whether it has been independently tested and gone through the technical security review.
If it’s just an internal process, what do you base your security on? HIPAA security rules? ISO or a recognizable industry standard for measuring their program?
Mac: Physicians need to differentiate between a simple audit questionnaire and a risk assessment. They are two very different things. One says, “I have these policies and controls.” It doesn’t tell me anything about the maturity or effectiveness of those controls. It doesn’t say anything about the risks of this particular business.
A risk assessment actually goes through and documents the threats, the vulnerabilities, the controls environment, and the risks that are present. And it identifies what they are going to do about it.
If it’s a mature program, vendors should be able to produce the documentation that is based on industry recognized standards.
Mac: Nobody can ensure they won’t be hacked or have a breach. We haven’t found that 100 percent secure solution yet. Vendors need to show how they are contributing to the security of the environment and the protection of the data. They need to demonstrate they have their own rigorous program in place and good practices in terms of how they communicate and work with the physician practice.
And critically, they need to understand how to work with healthcare. Just because they have done security work or privacy work in other industries doesn’t mean they understand how to support healthcare properly.
In healthcare, privacy is a separate program. Privacy and security support one another but privacy in healthcare goes so much further into how we handle, release, transmit and share patient information. Most other industries don’t have those same kind of requirements.
Finally, what do we know about them: have they worked with other healthcare providers? Those who haven’t worked in healthcare are going to have a steep learning curve. Do you want them learning while they are trying to help you protect data?
What about new players trying to sell EHR security?
Mac: First thing, have an independent lab or company validate your security claims or certification. Clearly, the certifications provided by some organizations working with the ONC originally cannot be trusted from a liability perspective, as OIG has signaled they will be investigating more CEHRTs. Don’t put your company or your solution at risk. Get in front of this wave. Second, the market is moving to managed solutions that present low maintenance, administration, and cost profiles. Offer your solution as SaaS and/or as a managed solution.
Mac: Physician practices have historically not taken security seriously. It’s cumbersome, it’s costly, and in some cases they don’t truly understand it. They don’t have the right people with the right skills and experience on their staff who are security experts like hospitals might have.
When you come down to the individual physician or a two- or three-doctor practice, that’s where you begin to see a demonstrable fall in the level of cybersecurity support and sophistication. It’s an opportunity to educate the physicians who own that practice so that they understand what they need to do and what their options are.