Healthcare faces an escalating risk of cyberattacks, with standards like HIPAA no longer guaranteeing protection. Take steps to secure your healthcare organization's data with these 7 cybersecurity frameworks, deciphered for medical professionals.
A history of under-investment in data security and vulnerable legacy systems has put healthcare organizations in a dangerous position if they do not rapidly take steps to protect their information. Data is at the heart of patient outcomes in healthcare, and health systems risk losing their most valuable assets to bad actors if they do not quickly adapt to the new reality of risk. Luckily, several institutions maintain best-practice frameworks to secure their crucial data. Below are 7 industry-leading cybersecurity frameworks deciphered for healthcare.
HIPAA is a starting point for securing health data for most organizations. The law, passed in 1996, provides a set of standards that every health organization must follow regarding electronic healthcare transactions, code sets, unique health identifiers and security. These standards are introduced as code sets, the most recent of which was published in 2013. Some of the standards include:
Although HIPAA compliance is better than nothing, it remains a bare legal minimum for health systems, and additional security measures should be layered on top of it.
The National Institute of Standards and Technology (NIST) aims to improve on the standards set by the HIPAA Security Rule by laying the groundwork for a more strategic, dynamic approach for compliant organizations. Rather than a simple checklist, the NIST Cybersecurity Framework (CSF) includes a process to identify weak points, respond to, and recover from data breaches and attacks. The CSF is organized into five core functions:
A white paper by Symantec goes into depth on the framework’s provisions for healthcare.
Organizations looking for a straightforward approach to securing their data may be interested in the community-driven CIS Controls framework. Maintained by community volunteers with experience in their respective industries, the CIS Controls framework provides a set of tools for hardware and software management, emphasizing offsite data redundancy. It offers a tiered set of implementation groups, so organizations can find the exact set of tools appropriate for their needs.
ISO 27000 sets itself apart from the other framework options by being an international standard, meant to stack up to the EU’s more stringent data protection requirements. Like NIST, it has subsets for different kinds of organizations, with ISO 27799 being the designation for healthcare. Organizations looking for very strict data protection should investigate the ISO series of standards.
HITRUST’s CSF differentiates itself from NIST and ISO by being a single overarching framework for security and privacy. As a bonus, HITRUST offers a reporting model for SOC 2 as part of the assessment and implementation of controls required by the CSF.
SOC 2 is a certification for data security pioneered by the American Institute of CPAs. Instead of a rigid set of requirements applied universally, SOC 2 certifications are tailored to an organization's needs. SOC certifications are issued with 5 principles in mind:
For the highest standards of cybersecurity, health organizations can opt for PCI compliance. PCI is an evolving set of standards derived from the banking sector, designed to protect against credit card fraud. But since medical information can be used to gain access to a victim’s finances, malevolent hackers will target healthcare organizations, making PCI standards also applicable here.
The framework includes rigid standards for how information is sent, received, stored, and discarded. While the IT department will usually be tasked with implementing PCI, the department of a health system that handles bank processing and merchant agreements is held responsible for maintaining the standard.
CIS Controls, ISO, and HITRUST, as well as other options, offer distinct standards that build on the level of security offered by HIPAA compliance. Whichever framework is right for your organization, it is important to implement it at every point where data enters and leaves the health system, and leadership should set up a roadmap to ensure that their organization continues to achieve compliance in the future. For more information about health cybersecurity, here are 5 Steps to protect your Medical Organization’s Data.