4 criteria for scaling HICP to small organizations
In 2018, 55.9% of U.S. medical practices had 10 or fewer physicians and were categorized as small organizations by the Health Industry Cybersecurity Practices (HICP) document. As an interconnected healthcare community, we need to consider how they can participate and adopt HICP by creating criteria well-fitted for small organizations.
As a community, we could also collaborate to develop a standardized small organization kit (SOK) that meets the cybersecurity safe harbor definition under the new Stark law. This kit would prepare them to connect securely to a health system or an exchange.
Below are 4 criteria that help small organizations narrow the options and create a solution for adopting HICP.
1. The solution needs to have a strategic and modular design
Small organizations’ IT is brittle because they did not usually design their systems with a long-term and strategic perspective.
The contractors they are working with are not incentivized to do a thorough long-term planning workshop for them and therefore tend to optimize for the short-term transactional view.
Small organizations need an overarching and modular design where individual modules can work independently, yet complement each other.
Fortunately, Health Industry Cybersecurity Practices (HICP) has provided comprehensive modules for small organizations. It is similar to a cookbook which has many recipes that are necessary for a three-course meal.
Just like a chef can develop a nutritious three-course meal on a low budget or a lavish scale, it is not the budget that determines the outcome but the quality of the design and the designer.
Using HICP as a common reference, skillful cybersecurity leaders would be able to develop an appropriate solution for both ends of the budget spectrum. Of course, the more limited the budget, the more talented the leader needs to be as they have to navigate more limitations.
With careful planning and design, the leaders can secure small organizations. Don’t rush the process. Take time to review HICP and design strategically.
2. The solution needs to be affordable
As HICP stated, cybersecurity investment for small organizations is typically non-existent or very limited. Therefore, the leaders must carefully plan this limited budget to cover the essentials while minimizing waste.
In the context of a solo physician practice, looking at the benchmark, it is justifiable to spend around $2,710.95/physician/year for cybersecurity. Accounting for the fact that each FTE physician is supported by 3.04 staff (and each staff member works with a computer that also needs to be secured), this number would need to be further distributed evenly. This estimation is derived from three data points:
- One study provides a data point where the gross revenue per FTE physician per year is $542,190
- FS-ISAC provides another data point in a 2020 survey, where it says that, as an aggregated total across sectors, cybersecurity spending is at 0.5% of revenue
- MGMA’s 2020 data about 3.04 support staff per FTE physician
With a limited budget and phased implementation, it is crucial that each element can operate independently today and, at the same time, can be integrated with additional modules at a later stage. We need to prioritize the critical functions first while the rest of the design can come in the next financial year. This phased implementation hinges on the strategic planning we looked at earlier.
But the point is, it’s OK to start small to cover the essentials while building towards a more complete solution.
3. The solution needs to be reliable
Small organizations need to work with vendors that have a long track record of reliability in the market.
This reputation is necessary because small organizations do not have a lot of buffer for error in terms of budget, resources, and operation.
With limited time and resources, one way to assess and validate reliability is to leverage what is known as “the wisdom of the crowd” or to read independent lab reports.
The wisdom of the crowd method works by asking multiple people for their independent judgments to arrive at an average that is more accurate than individual guesses. For example, we could look at bestseller information for a category, e.g., best-selling EDR for small and medium businesses. The assumption is that the crowd wants value for what it buys and casts its “vote” by what it purchases. The best seller represents the product that offers the most value for most customers in that particular category.
A more thorough and reliable method would be to review the tests that have been performed on products by independent labs or organizations like MITRE.
Small organizations have a better chance to purchase a reliable product when they take a cue from independent and peer-reviewed information. Furthermore, if the winner holds this title for multiple years, it further adds credibility to its reputation. Go with a market-proven solution.
With a small margin for error and limited resources to do exhaustive research, small organizations can use crowd-sourcing to pick a reliable solution.
4. The solution needs to have healthy competition and a robust ecosystem
Another safety measure for small organizations comes when the solution has healthy competition and an established network of dealers, consultants, and a user base with those skillsets.
Competition benefits the consumer by keeping prices low, offering more selection, driving more innovation, and maintaining high quality.
Healthy competition fosters an ecosystem that complements the product with third-party products and services, further benefiting consumers. For example, it is easier to get parts, services, and recruit staff for products that have been around for decades. This trend drives down the total cost of ownership for small organizations as they are not paying for esoteric products and skillsets. In addition, it helps avoid vendor lock-in and keeps the solution affordable.
For small organizations, there are benefits to going with commoditized products from market leaders. They benefit from a vendor who has worked hard to address product deficiencies, reliability, and customer service, contributing to their success in this category.
In short, a new or unproven product/vendor is not worth the long-term risk for small organizations.
Small organizations can reduce risk by leveraging economies of scale and selecting a solution that meets the following criteria:
- Strategic and modular design
- Affordable
- Reliable
- Healthy competition and a robust ecosystem
With these criteria identified, we will review the market to see what’s available for implementing HICP’s practices.
Do you agree, disagree, or have other criteria that come to mind? Or do you have other data points to consider? Please comment below.
References:
- https://www.statista.com/statistics/415971/size-of-medical-practices-in-the-us/
- https://doi.org/10.1377/hlthaff.2020.00794
- https://www2.deloitte.com/us/en/insights/industry/financial-services/cybersecurity-maturity-financial-institutions-cyber-risk.html
- https://www.mgma.com/data/data-stories/medical-practices-look-to-clinical-support-staff-t
- https://www.amazon.com/dp/B000FCKC3I/
Originally published at https://healthcyberlab.org on January 11, 2022.