First Midwest BankFirst Midwest Bank logoArrow DownIcon of an arrow pointing downwardsArrow LeftIcon of an arrow pointing to the leftArrow RightIcon of an arrow pointing to the rightArrow UpIcon of an arrow pointing upwardsBank IconIcon of a bank buildingCheck IconIcon of a bank checkCheckmark IconIcon of a checkmarkCredit-Card IconIcon of a credit-cardFunds IconIcon of hands holding a bag of moneyAlert IconIcon of an exclaimation markIdea IconIcon of a bright light bulbKey IconIcon of a keyLock IconIcon of a padlockMail IconIcon of an envelopeMobile Banking IconIcon of a mobile phone with a dollar sign in a speech bubbleMoney in Home IconIcon of a dollar sign inside of a housePhone IconIcon of a phone handsetPlanning IconIcon of a compassReload IconIcon of two arrows pointing head to tail in a circleSearch IconIcon of a magnifying glassFacebook IconIcon of the Facebook logoLinkedIn IconIcon of the LinkedIn LogoXX Symbol, typically used to close a menu
Skip to nav Skip to content
FDIC-Insured - Backed by the full faith and credit of the U.S. Government

Why Outsourcing IT and Cybersecurity Is the Smart Choice for FQHCs

Federally Qualified Health Centers (FQHCs) occupy a unique place in the healthcare ecosystem, serving the needs of underserved populations — often in rural areas.

But like every healthcare organization from a single practitioner to a multistate health system with multiple hospitals, FQHCs must maintain tight security on their patient and clinical data. In that regard, FQHCs compete with every other healthcare facility (and companies in every other industry, for that matter) for scarce cybersecurity and IT talent.

A 2022 cross-industry survey from Deloitte shows that talent acquisition is the top internal challenge for 50% of organizations. Beyond finding top candidates, 30% report employee retention as a challenge, while 28% point to a skills deficit among workers.

Looking at external challenges, executives identified cybersecurity as the top issue, with less than one-half saying their organizations were adequately prepared. To surmount this disconnect between finding the right job candidates and keeping data secure, an overwhelming number of companies have turned to outsourcing cybersecurity and other IT functions.

According to Deloitte, 81% of companies outsource cybersecurity; 77% outsource IT infrastructure services; and 68% outsource helpdesk and user computing functions.

When even top companies struggle to maintain adequate IT staffing levels, FQHCs will have difficulty competing, which makes outsourcing IT and cybersecurity functions a logical choice. Here are several reasons why FQHCs should consider outsourcing to a firm experienced in the nuances of healthcare.

1. More bang, fewer bucks

Estimates differ widely on potential cost savings, but the minimum estimated savings is 20%-30%. This makes sense when one considers the number of employees needed to run an IT department. Each position in an FQHC’s IT department needs to be overstaffed somewhat to cover for vacations, holidays, medical leave, training, conferences, and other contingencies. Besides each worker’s salary, there are costs for benefits such as health coverage, disability, life insurance, and more. Don’t forget payroll taxes.

When a worker leaves for other employment, someone will need to cover that person’s responsibilities until a replacement is identified, hired, and sufficiently trained, which could take many months. Healthcare organizations often have highly individualized technology implementations that require special skills to monitor and patch.

Nevertheless, some IT departments are overstaffed. Before starting any outsourced engagement, have the vendor evaluate current staffing levels to identify any potential overstaffing issues.

2. Maintain IT continuity

As mentioned above, turnover can upset the skills balance within IT. While some positions may require a general knowledge of technology, others require specialized skills. Cyber criminals don’t care whether Joe is on leave or Sally just took a job at another company — they will exploit any weakness to steal patient credentials or lock files and demand a ransom. Turnover can also disrupt institutional philosophies and initiatives that keep facilities protected.

Outsourcing can allow uniform coverage of contracted IT functions and keep the department on track for special projects, initiatives, etc. Some organizations outsource certain IT functions, while others outsource the entire department, including IT leadership. The level of outsourcing likely depends on the comfort level of the C-suite.

3. Keep worker knowledge high

It’s entirely possible that Sally left the organization because she wasn’t challenged enough in her job or couldn’t continue to grow her skillset. Engaged workers crave additional training and opportunities to strengthen their skillsets. But not all organizations can offer that level of engagement.

While an internal employee may learn a new skill, is that person sufficiently proficient to perform the task without introducing an error that brings the IT infrastructure down or exposes the organization to hackers? Outsourcing firms can create career paths for workers, allowing them to become proficient at one skill before introducing others.

When vetting potential IT outsourcing partners, ask about employee longevity of the people who will service the account. What specialized training and/or certifications has each person achieved?

4. Build a road map to success

Be wary of any company offering point solutions to cybersecurity challenges. Healthcare technology systems are intricately connected, and any change in one area may have negative impacts in other areas. A competent outsourcing firm will take a modular approach, “owning” a particular function and employing a framework approach that ensures that every potential scenario has been addressed.

Any engagement should begin with an assessment of the current state of software and people. The vendor will then create a roadmap to close critical gaps and establish standard operating and reporting procedures going forward. When performed properly, outsourcing can give FQHC leaders peace of mind that a critical function is no longer a source of worry.

5. Insist on specific healthcare knowledge

There’s no doubt that healthcare IT is highly specialized. In addition to normal privacy and security issues, healthcare organizations also must abide by HIPAA requirements for protected health information. Any potential vendor must speak the language of healthcare fluently and possess the ability to secure a wide variety of technology aspects. This isn’t a one-size-fits-all scenario.

Even the smallest FQHC may have dozens of technology connections from the EHR or practice management system that link to laboratory systems, pharmacy, imaging, billing/claims, medical devices, telehealth, facility management, and many more. During the vetting process, get references from current healthcare clients. Ask them tough questions about staffing levels, new implementations, and how the vendor handled any blips or difficulties during the engagement.

Make the smart choice

In 2023, the number of healthcare data breaches reported to the Office of Civil Rights held steady. However, the number of breached records set a record at nearly 158 million, three times the figure from 2022.

Through mid-August of this year, more than 450 healthcare providers reported breaches affecting nearly 48 million records. And that doesn’t include catastrophic breaches reported by Change Healthcare that could affect more than 100 million records or the Ascension breach that will likely be significant as well.

Cybersecurity is a critical challenge for any healthcare organization but can be particularly challenging for FQHCs, which often run leaner and have fewer resources than other healthcare organizations.

Outsourcing particular IT functions or the entire IT department makes sense for organizations that want to maximize their technology assets and their protection from cyber events.

 

This article was written by Lance Reid from MedCity News and was legally licensed through the DiveMarketplace by Industry Dive. Please direct all licensing questions to legal@industrydive.com.

Subscribe for Insights

Subscribe