BRIDGE Cybersecurity, Data Integrity, and Compliance Services
The majority of BRIDGE clients are nonprofit health centers that provide care to underserved patient populations. Cyberthreats target healthcare with greater frequency than any other industrial sector. Nonprofit healthcare organizations are often even more vulnerable to cyberthreats because of limited resources.
According to the U.S. Department of Health and Human Services Office for Civil Rights, the number of data breaches and exposed health records has climbed exponentially since it began keeping records in 2009. Over the last 24 months, more than 565 healthcare organizations reported breaches impacting 500 or more individual health records. [i]
Unlike a stolen credit card number, patient health records contain thousands of datapoints that can be sold and resold on the black market, fetching premium prices. In another common ploy, extortionists paralyze providers by taking electronic health record systems offline, with no guarantees that data will be restored once a ransom is paid. Adding insult to injury, healthcare organizations that fail to safeguard protected health information risk civil and criminal prosecution, steep fines, and reputational damage for violations of HIPAA Privacy and Security Rules. [ii]
Exceptional Value for Nonprofit Health Centers
At a time when the stakes are higher than ever, BRIDGE’s managed Cybersecurity, Data Integrity, and Compliance programs offer nonprofit healthcare organizations exceptional value with proactive, tailored solutions that build layers of protection around data networks. BRIDGE’s lifecycle risk management approach works to identify vulnerabilities, apply protections, vigilantly monitor environments, and continually reinforce workforce awareness and education about cybersecurity best practices.
Aligned with National Institute of Standards and Technology (NIST) and the Center for Internet Security Critical Security Controls (CIS) frameworks as well as PCI DSS payment card industry security standards, BRIDGE managed services help clients safeguard electronic protected health information (ePHI) in compliance with HIPAA Privacy and Security Rules and meet stringent accreditation requirements of various healthcare agencies and governing bodies.
Though compliance is a critical goal for our clients, BRIDGE abides by the industry adage that compliance does not equal security. Under the direction of Security and Compliance Officer Kevin Warner, BRIDGE takes a holistic approach to data security and compliance. He explains, “More so than just compliance, our goal is to make sure that our clients’ patient data, all of their confidential information, and all their data environments are secure and well protected; that they’re adhering to industry best practices when it comes to securing data and identities and devices; and that we’re able to incorporate those practices into repeatable processes that we can follow year after year to demonstrate that we’re remaining both secure and compliant.”
Strategic Services Provide Guidance for Long-Term Resilience
Strategic services such as BRIDGE’s Virtual Chief Information Security Officer (vCISO) program provide executive-level expert advising and planning to help health centers intelligently budget resources to monitor network security over the long term. BRIDGE partners with clients to design data governance systems, information security architecture, policies, and protocols. BRIDGE also provides services to build organizational resilience with business continuity planning for response and recovery preparedness before an incident strikes.
For these programs to be sustainable, BRIDGE provides a lot of education. Security and Compliance Officer Kevin Warner says, “We speak to client organizations as a whole about things like data governance, what it means to manage information in terms of secure storage and access. Discovery in legal terms. The data lifecycle. When is it right to destroy data? When does it become a risk to retain data for too long? And then on the individual front, we need to educate people about risks starting with an understanding that the vast majority of information security incidents involve some sort of human element. Just under half are caused by phishing attacks or online ploys where somebody falls victim to a scam. Staff organization-wide must have some level of savvy—even when it’s not their specialty. We’re to the point where the use of technology entails some level of knowledge about associated risks and how to mitigate those risks.”
Understanding Based on a Shared Vision and Purpose
Kevin Warner has been with BRIDGE from its founding days, and built the cybersecurity, data integrity and compliance program. Since entering health IT in 1999, he has focused on security solutions for nonprofit health organizations. Over the years, he has accumulated a deep understanding of the specific challenges BRIDGE clients face. He recognizes that “information security solutions are expensive. Skilled information security professionals can be costly—especially in today’s historically tight job market—and it can be really tough for nonprofits to afford adequate security controls. And then there’s the issue of sustainability. Information security programs can be really complex to manage.” He adds, “BRIDGE’s information security professionals bring a depth of experience that you can’t just hire off the street. We have been doing this for a long time. A lot of our clients don’t have dedicated IT support. There’s just not capacity. Clients can depend on the talent of the BRIDGE staff. That’s a great advantage that we offer.”
Perhaps the most important factor that sets BRIDGE apart from other managed service providers is a vision and purpose shared with our clients to advance health equity. It is natural for BRIDGE to focus on cost-effective quality security solutions for nonprofit health centers because we are cut from the same cloth. Nodding to our roots, Kevin Warner says, “BRIDGE was born out of the nonprofit space. That has been the core of our business since our inception. Other technology providers out there may work with nonprofits, but that’s not the focus of their business. For BRIDGE—more than 90% of our clientele is not-for-profit—so we approach our work through that lens.”
He adds, “Being part of an organization like BRIDGE where it’s very mission-driven—it feels more like a family or a community as opposed to just a job. Much of our staff came directly from the nonprofit sector, and even though we’re not directly working hands-on with patients, we know our work has an impact to help achieve the greater good. That’s important to us.”
Reliable, Quality Managed Services Delivered with a Human Touch
That commitment comes through in the way BRIDGE delivers services with a very human touch.
In addition to tailoring cybersecurity, data integrity and compliance to the needs of each client, BRIDGE offers the option of onsite deskside support. Warner underscores that this is in keeping with the “very human way that we’re delivering IT services, which is amazing and very different. The fact that we have BRIDGE staff working onsite means client health centers consider us part of the team. Having an onsite IT support person that you catch in the hall to say, ‘Hey, my mouse isn’t working…’ You can put a name to a face. They’re in the building with you. That proximity leads a lot of our clients to feel comfortable running things by us in terms of day-to-day business decisions.”
BRIDGE really cares about the long-term success and well-being of our clients. Warner says, “As a trusted partner, BRIDGE can comfortably advise our clients about what is valuable in terms of investments and where to allocate funding when it comes to getting the best bang for your buck. Our solutions consciously strive for the highest impact in terms of security in a cost-effective manner. We’re accustomed to hunting—doing the discovery—to find less expensive options for our nonprofit clients. In doing this work, we have developed alliances that enable BRIDGE to secure best-in-breed software and hardware at significantly reduced cost.”
[i] U.S. Department of Health and Human Services Office for Civil Rights. (2023). Cases currently under investigation. [Data set]. Breach portal: Notice to the Secretary of HHS breach of unsecured PHI. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
[ii] U.S. Department of Health and Human Services. (2022, October 19). Health information privacy. HIPAA home. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html