Cyber Security: What Your Anesthesia Group Needs To Know
Between October 2023 and January 5, 2024, I have personally received five “Notice of Data Event” letters: one from an anesthesia billing company, three from Michigan health systems (two coming from the same health system), and one from my primary care provider’s billing vendor. As a patient, you are limited in what you can do to protect yourself from a healthcare data breach; however, as a private anesthesia group, you can certainly take steps to protect your patients.
Whether your group has an in-house billing operation or outsources to a vendor, cyber security should be a top consideration. Healthcare institutions are prime targets for hackers because of the nature of the data collected. We spoke with Levi Citrin, Fusion’s Chief Technology Officer, about the measures Fusion takes to keep data secure for our clients and their patients. “At Fusion Anesthesia Solutions we put security at the forefront of everything we do. If we can’t do it securely, we don’t do it.” Below are a few key takeaways from our conversation and recommendations regarding cyber security for your anesthesia organization:
- First and foremost, make the financial investment in cyber security. Security compliance requires a major financial investment to implement and maintain, but the return on investment is huge.
- The organization must become compliant/certified with the Systems and Organization Controls 2 (SOC2). The SOC2 security framework covers how companies should handle customer data that’s stored in the cloud and includes auditing of those processes.
- In addition to SOC2 compliance, conduct regular internal audits and testing. Have your own internal security framework that your organization follows.
- Outside access to systems should be prohibited unless it is on a company-issued and regulated device.
- Implement systems that ensure any electronic communication containing Protected Health Information (PHI) is automatically sent securely.
- Require 2-factor authentication on all devices and accounts.
- Ensure data on all servers is encrypted and limit where data can be stored, i.e. on local computers.
- Implement and require annual HIPAA training for all employees.
- Implement tools to monitor desktops and servers.
For more information on this and other anesthesia billing and practice management topics, contact Fusion Anesthesia Solutions at sales@fusionanesthesia.com.