Healthcare Cyber Security Policies and Regulations
Compliance is a critical component of any healthcare security program. Regulatory compliance processes and strategies give guidance to healthcare organizations to ensure that regular actions are being taken to keep information safe and secure. While there is a myriad of compliance regulations of different levels and for different types of organizations, there are specific compliance regulations in place to ensure data protection efforts. This is important in this digital age where healthcare organizations store large amounts of protected data in electronic medical records and through the use of medical devices that are connected to hospital networks.
Breaches of sensitive data and protected health information (PHI) have a negative impact from a financial standpoint and a reputational standpoint. Oftentimes, a sizable breach can take out a small to mid-sized healthcare organization altogether with financial implications that make recovering and rebuilding virtually impossible. Data breaches in the healthcare sector are growing exponentially, with a reported 2,953 publicly reported breaches in just the first three quarters of 2020 accounting for a 51% increase compared to the same time period in 2019. With cyberattacks threatening the hospital system daily, patients are relying on it to provide a high level of security and strict adherence to the federally regulated mandates that are in place to protect their personal information.
Healthcare organizations, by nature, need to store and share large amounts of personal data across many platforms in order to provide high quality care. Because of this, they are subject to strict compliance laws. Part of this means that hospitals, medical clinics, long term care facilities, and the like have to prove compliance by taking the following steps:
- Providing adequate server security
- Providing adequate encryption
- Instituting a cyber security training program
The United States healthcare system is classified as critical infrastructure and as such is protected by several federal agencies within the Department of Health and Human Resources (HHS) but depending on the threat several other agencies may get involved such as the Department of Homeland Security (DHS) and the Federal Bureau of Investigations (FBI). Protecting health data is a goal of regulating bodies that both control design and development of medical devices, like the Food and Drug Administration (FDA), as well as regulating bodies that control the healthcare delivery organizations, like the Centers for Medicare and Medicaid Services (CMS) and the Office of Civil Rights (OCR). Careful coordination among these entities and others help to ensure guidance is provided throughout the industry to manage cyber security threats
The FDA controls the pre and post-market actions of medical device manufacturers through their Center for Devices and Radiological Health (CDHR). Specific to the cybersecurity of medical devices, the FDA has released two main guidance documents; Content of Premarket Submissions for Management of Cybersecurity in Medical Devices and Postmarket Management of Cybersecurity in Medical Devices. The former helps manufacturers meet regulatory requirements in design and development while the latter enforces postmarket surveillance of the device once in the clinical setting. Postmarket surveillance of medical devices is closely regulated. For example, hospitals are expected to report problems with medical devices to the FDA or the manufacture, including cybersecurity problems. The FDA also regulates recalls and safety enhancement communications between various stakeholders in the medical device supply chain (US FDA, 2016).
The two main regulations associated with protecting health information are the HIPPA and the Health Information Technology for Economic and Clinical Health Act (HITECH) and are enforced through the Office of Civil Rights within the executive branch Health and Human Services (HHS). HIPAA, the older of the two laws, established national protections for medical records and personal health information privacy and security. The law requires healthcare delivery organizations to enact safeguards to protect patient data as well as sets limits to their data’s usage. With the implementation of the AARA the HITECH act was enacted to clarify and create stronger enforcement of the HIPAA rules. It promotes interoperability and expands the use of electronic health records through the meaningful use incentive. Strict penalties were established for HIPAA-covered entities and are enforced by the OCR.
One particular mandate, the HIPAA Breach Notification Rule, requires compliant organizations and their business associates to notify patients following a data breach. In addition to healthcare providers, cloud service providers (CSPs) and other business associates of healthcare organizations must also comply with HIPAA privacy, security, and breach notification rules. This ensures that all parties involved in a breach are taking action steps to disclose it to the appropriate parties affected.
Many compliance experts will agree that the steps to be in regulatory compliance typically include the following:
- Determine your individual organization’s requirements and plans on how to implement these mandates.
- Document and clearly define compliance processes. The written report should include specific instructions for each role involved and how to maintain individual and company-wide compliance.
- Monitor changes to policies and determine if they apply to the current state of your organization. Compliance requirements are updated constantly and your company needs to reflect these changes as well.
With the healthcare sector being one of the biggest targets in cybercrime, larger steps needed to be taken to defend against hacking. Aside from the uncovering and misuse of personal information, cyberattacks account for huge financial losses and are expected to grow exponentially without proper mitigation efforts. Ransomware attacks alone cost healthcare organizations $20.8 billion in downtime in 2020, double the amount it cost in 2019, according to a Comparitech report cited by CynergisTek. The responsibility is great for organizations to hold tight to federal compliance mandates to consult with an MSSP to beef up security efforts.
In the Cybersecurity Act of 2015, Congress established the Healthcare Industry Cybersecurity (HCIC) Task Force to address the challenges the healthcare industry faces when securing and protecting itself against cybersecurity incidents. According to the June 2017 publication entitled “Report On Improving Cybersecurity In The Healthcare Industry,” the directives of the task force are as follows:
- analyze how industries, other than the healthcare industry, have implemented strategies and safeguards for addressing cybersecurity threats within their respective industries
- analyze challenges and barriers private entities (excluding any State, tribal, or local government) in the healthcare industry face securing themselves against cyber attacks
- review challenges that covered entities and business associates face in securing networked medical devices and other software or systems that connect to an electronic health record
- provide the Secretary with information to disseminate to health care industry stakeholders of all sizes for purposes of improving their preparedness for, and response to, cybersecurity threats affecting the healthcare industry
- establish a plan for implementing title I of this division, so that the Federal Government and health care industry stakeholders may in real-time, share actionable cyber threat indicators and defensive measures
- report to the appropriate congressional committees on the findings and recommendations of the task force regarding carrying out subparagraphs (A) through (E)
The very nature of integrative healthcare requires a certain degree of information sharing among different entities. Involved in the transmission of, oftentimes, highly sensitive data are payment applications, insurance companies, outside hospitals, laboratories, and pharmacies just to name just a few. Depending on the size of the organization, that can account for dozens to hundreds of individuals accessing a single patient record any given time. This open culture of shared information poses certain risks when it comes to cybersecurity so it’s important to find a balance between allowing it to function progressively and keeping it safe.