How a Fast-Growing Group of Autonomous Physicians Manages Cyber Risk
“There’s a segment of doctors out there who want to be business owners; they don’t want to be employed by a hospital or large medical group because they enjoy having autonomy and ownership—we help them do that,” the CISO of a large autonomous physician group told us recently.
As physicians continue working to advance a value-based care model, they face several challenges, including finding the right strategies, talent, and technology to make the shift. While many physicians join forces with a hospital or health system-employed medical group, others continue to seek ways to deliver world-class care and remain independent. This organization is partnering with independent physicians and provider groups to help them evolve to value-based care in a scalable, efficient, and effective way.
The organization helps physicians maintain autonomy and focus on their patients by providing a cloud-based technology platform that manages operations and reduces administrative burden. Physicians use the platform for revenue cycle management, IT, and value-based care services. It also includes a well-known EHR for specialty medical groups that uses APIs to connect solutions for patient-provider messaging, scheduling, and website integration.
The company, which started as a technology company selling a subscription concierge service directly to patients in the DC metro area, now works with more than 3,300 providers across the United States, serving more than three million patients, and is growing 25-30% year over year.
Developing a Shared Risk Framework
The organization’s growth poses unique challenges for the newly public company, specifically when talking to regulators and insurance companies and managing healthcare’s IT and compliance side. “We had to solve how you manage cyber risk for 3,300 providers across eight states and counting—in a shared risk framework,” their CISO said.
The company established a corporate framework essential to its success in solving this. At a high level, it looks a little like this:
In each market there is a medical group, a set of care centers, and a management company. The care centers have an affiliate agreement to deliver services under the medical group. A business associate agreement runs between the medical group and each care center, and a support services agreement runs from the management company.
It is worth noting that the care centers are independently owned businesses. They can purchase whatever third-party IT equipment they need to deliver services. The framework allows each market to function as a single affiliated covered entity under HIPAA, meaning the entities share a single notice of privacy practices and some of the risk and liability.
While the framework is essential to fine-tuning operations, the organization must also account for the range of sophistication and maturity across markets, because each care center can establish its own controls.
To handle risk better at this scale, the organization operates a set of principles for these groups and providers. The principles are high-level statements based on NIST guidance, from which standards can be established from the board level down through the other tiers of the corporate framework.
The organization also level-sets requirements and policies at the affiliated covered entity level. Because each covered entity in each market will adopt its own set of policies for its medical group, the organization offers framework templates. The templates let each entity develop policies from common control sets, so operations scale more effectively.
Building compliance is critical, so the team shares standards with its care centers, which are responsible for defining their own administrative, technical, and physical safeguards. The standards are written so that providers can understand them and so that they make sense to the third-party service providers that manage the care centers’ information security and technical security programs.
But they don’t just hand over frameworks and leave providers to work alone. The company also provides guidance and support, including documentation, to help them through their compliance journey. For example, when determining necessary controls, the organization helps medical groups look beyond HIPAA to see what other requirements apply to them. That might include specific industry requirements or emerging local, state, or federal requirements.
Extra Support and Managed Services
While most of their providers have a good handle on their compliance requirements, the reality is that maturity levels vary from one group to another. “We knew some practices would need more help than others, and we wanted to be there to provide that extra layer of support and expertise, so we established managed services for those that need it,” explained their CISO.
The goal is to ensure that independent business owners have the options they want to manage their programs on their own, based on the organization’s framework. For providers who are confident they can tackle their compliance program themselves, the organization provides the guidance needed to adopt appropriate controls based on the medical group policy.
For providers who want a little more help, the organization offers remote support services and automatic updates for desktop security patches, encryption, and proprietary software. At the highest support level, it also equips providers with managed security services, including firewalls, workstations, malware protection, and remote support for the platform.
A Trusted Partner
The organization’s CISO says Clearwater has been an essential partner in helping them scale their managed services model. “We initially began a conversation about software, but it quickly evolved to a more holistic approach to all of the company’s services.” Clearwater provides ongoing managed services through their ClearAdvantage program, including OCR-quality risk analysis and risk management, vulnerability assessments, workforce training, policies and procedures, and on-demand access to Clearwater’s cybersecurity experts.
Clearwater helps the organization clearly understand and manage cybersecurity and compliance risks while navigating the increased complexity of its growing provider base. Together they work to reduce risk and ensure that HIPAA security, privacy, and other compliance needs are managed within the organizational framework, including the navigation and management of internal and external audits.
The partnership with Clearwater was initially designed to safeguard the organization, but it quickly evolved into a way to more effectively deliver services to their provider network and help them mature their programs with autonomy and independence.