Bad actors are now focusing on healthcare organizations and partners more than ever before
A history of under-investment in data security and vulnerable legacy systems has put healthcare organizations in a dangerous position if they do not rapidly take steps to protect their information. Data is at the heart of patient outcomes in healthcare, and health systems risk losing their most valuable assets to bad actors if they do not quickly adapt to the new reality of risk. Luckily, several institutions maintain best-practice frameworks to secure their crucial data. Below are 7 industry-leading cybersecurity frameworks deciphered for healthcare.
HIPAA
HIPAA is a starting point for securing health data for most organizations. The law, passed in 1996, provides a set of standards that every health organization must follow regarding electronic healthcare transactions, code sets, unique health identifiers and security. These standards are introduced as code sets, the most recent of which was published in 2013. Some of the standards include:
- Encrypted email attachments if they are sent beyond a firewalled, internal server
- Organizations and associates must create “Procedures for creating, changing, and safeguarding passwords”
- Organizations must consider using encryption for ePHI, but may use an alternative if it provides equivalent protection. The decision to not use encryption must be documented. Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption, OpenPGP, and S/MIME
- All HIPAA-related documents must be retained for 6 years since creation, or 6 years since policy implementation
- Medical records must be retained and disposed of in accordance with state law
- Disposed PHI must be rendered “unreadable, indecipherable and otherwise cannot be reconstructed.”
- Data breaches must be reported to affected individuals no later than 60 days after the discovery of the breach
Although HIPAA compliance is more secure than nothing, it remains a bare legal minimum for health systems. Ideally, additional levels of security measures must be taken.
NIST CSF
The National Institute of Standards and Technology (NIST) aims to improve the standards set by the HIPAA Security Rule by laying the groundwork for a more strategic, dynamic approach for compliant organizations. Rather than a simple checklist, the NIST CSF includes a system to identify weak points, respond, and recover from data breaches/attacks. Its CSF framework is organized into five core functions:
- IDENTIFY physical and information assets and establish a risk management strategy as appropriate for the organization’s risk tolerance and business environment;
- PROTECT the assets and data from malicious attacks or
unintentional compromise; - DETECT and monitor the environment for security events
and incidents; - RESPOND to attempted or successful attacks; and
- RECOVER from the attack, while using the lessons learned
to adjust security policies and fill in any existing gaps
A white paper by Symantec goes into depth on the framework’s provisions for healthcare.
CIS Controls
Organizations looking for a straightforward approach to securing their data may be interested in the community-driven CIS Controls framework. Maintained by community volunteers with experience in their respective industries, the CIS Controls framework provides a set of tools for hardware and software management, emphasizing offsite data redundancy. It offers a tiered set of implementation groups, so organizations can find the exact set of tools appropriate for their needs.
ISO 27000 Series
ISO 27000 sets itself apart from the other framework options by being an international standard, meant to stack up to the EU’s more stringent data protection requirements. Like NIST, it has subsets for different kinds of organizations, with ISO 27799 being the designation for healthcare. Organizations looking for very strict data protection should investigate the ISO series of standards.
HITRUST
HITRUST’s CSF differentiates itself from NIST and ISO by being a single overarching framework for security and privacy. As a bonus, HITRUST offers a reporting model for SOC 2 as part of the assessment and implementation of controls required by the CSF.
SOC 2
SOC 2 is a certification for data security pioneered by the American Institute of CPSs. Instead of a rigid set of requirements applied universally, SOC 2 certifications are tailored to an organization's needs. SOC certifications are issued with 5 principles in mind:
- Security – data protected against unauthorized access
- Availability -
- Processing Integrity – data reaches the right people at the right time
- Confidentiality – certain data, such as plans or intellectual property, is restricted to people within the organization using encryption and firewalls
- Privacy – data that is personally identifiable (i.e. SSN, address, health, race, sexuality, religion) is given an additional level of protection
PCI
For the highest standards of cybersecurity, health organizations can opt for PCI compliance. PCI is an evolving set of standards derived from the banking sector, designed to protect against credit card fraud. But since medical information can be used to gain access to a victim’s finances, malevolent hackers will target healthcare organizations, making PCI standards also applicable here.
The framework includes rigid standards for how information is sent, received, stored, and discarded. While the IT department will usually be tasked with implementing PCI, the department of a health system that handles bank processing and merchant agreements is held responsible for maintaining the standard.
Choosing a Cybersecurity Framework for your Organization’s Needs
CIS Controls, ISO, and HITRUST, as well as other options, offer distinct standards that build on the level of security offered by HIPAA compliance. Whichever framework is right for your organization, it is important to implement it at all ins and outs of data in the health system, and leadership should set up a roadmap to ensure that their organization continues to achieve compliance in the future. For more information about health cybersecurity, here are 5 Steps to protect your Medical Organization’s Data.
