Cybersecurity in Healthcare: Going Beyond the HIPAA Security Rule

Cybersecurity in healthcare comes with an extra layer of complexity. Healthcare organizations must protect electronic protected health information (ePHI) to comply with HIPAA. HIPAA violations can result in large fines and reputation damage that can follow an organization for years.

Along with their ePHI obligations, the healthcare industry has the same cybersecurity concerns as other industries: securing their networks, protecting payment information, safeguarding sensitive data, etc. Understandably, healthcare organizations prioritize securing the ePHI they possess because it carries a lot of risk. The focus on ePHI can result in other cybersecurity needs falling through the cracks.

Other cybersecurity challenges the healthcare industry faces include:

• Medical devices with network connectivity may not go through the same procurement process as other IT equipment, creating vulnerable access points that bad actors can exploit.
• Large staffs with diverse roles and responsibilities regarding patient data can make security training challenging.
• Siloing patient data away from other data can make applying security controls throughout the enterprise difficult.

This article will explore some security resources and frameworks that can help healthcare businesses create a well-rounded cyber program that protects all data and IT infrastructure.

The HIPAA Security Rule

The HIPAA Security Rule was put in place to protect the integrity, confidentiality, and availability of all ePHI. Specific requirements include:

• Perform assessments to identify risks and vulnerabilities to ePHI and implement the necessary security measures to address those risks.
• Designate a security official responsible for developing and implementing the policies and procedures required by the Security Rule.
• Ensure the staff who work with ePHI have appropriate authorization, supervision, and access.
• Only authorize access to ePHI when such access is appropriate for the user’s or recipient’s role.
• Train all workforce members on security policies and procedures.
• Implement policies and procedures to identify and respond to suspected or known security incidents and mitigate their impact.
• Establish procedures for responding to events that damage information systems that contain ePHI.
• Perform a periodic technical and non-technical assessment of how well policies and procedures meet the requirements of the Security Rule.
• Implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use ePHI.
• Ensure ePHI is not improperly altered or destroyed.
• Implement security measures to guard against unauthorized access to ePHI being transmitted over an electronic network.

The HIPAA Security Rule went into effect in 2005. The last major update to the rule was in 2013 with the Omnibus Rule. Proposed updates to the rule are currently going through the rulemaking process, but remain in question after the administration change.

The HIPAA Security Rule is outdated. It was implemented before cloud computing, SAAS applications, and AI became commonplace. Organizations should view the rule’s requirements as a bare minimum for protecting ePHI and preventing cyberattacks. Some areas where the rule is lacking include:

• Third-party risk management
• Security training that goes beyond HIPAA requirements
• Breach notification
• Addressing evolving threats

Security Standards that Work for Healthcare

To build a cybersecurity program they can trust, healthcare organizations need to leverage security frameworks and standards that are more rigorous than HIPAA. Here are some options:

NIST SP 800-66

NIST 800-66 is a good starting point for organizations looking to build a robust security program. It is a collection of guidance and resources to help organizations better understand the HIPAA Security Rule. Organizations can use 800-66 to design and implement policies, procedures, and controls that will effectively protect ePHI and meet the rule’s requirements.

Within the framework, organizations will find guidance on:

• Conducting risk assessments
• Identifying security controls to reduce risks to ePHI
• Managing employee access to ePHI
• Employee security training
• Incident response
• Third-party risk management
• Device security

NIST CSF

The NIST Cybersecurity Framework (NIST CSF) is a logical next step for organizations ready to take a broader cybersecurity approach that extends beyond the HIPAA Security Rule/NIST 800-66. NIST CSF is a broad framework that covers all elements of cybersecurity. The widely used framework is comprised of risk-based guidelines that were crafted using well-established cybersecurity practices.

NIST CSF is broken down into six framework functions, each containing a set of categories and subcategories.

Identify: Understand and manage cybersecurity risks to systems, assets, data, and capabilities.

Protect: Implement safeguards to ensure the delivery of critical services and the protection of sensitive information.

Detect: Identify and react to cybersecurity events quickly.

Respond: Develop and implement actions to take following a detected cybersecurity incident.

Recover: Develop and implement plans to restore services and capabilities damaged in a cybersecurity event.

Govern: Align cybersecurity policies, procedures, and controls with the organization’s objectives, risk appetite, and regulatory requirements.

HHS 405(d)

HHS 405(d) is a collaborative program between the Health Sector Coordinating Council and the federal government to strengthen the cybersecurity posture of the Healthcare and Public Health (HPH) sector. The program provides resources, products, and tools to help healthcare organizations improve their cybersecurity posture.

One of the resources they produce is the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients document. The publication explores five threats common in HPH:

1. Social engineering
2. Ransomware attacks
3. Loss or theft of equipment or data
4. Insider, accidental, or malicious data loss
5. Attacks against network-connected medical devices

The HICP Technical Volumes (Volume 1 for small businesses and Volume 2 for medium and large organizations) detail how organizations can mitigate these risks through the following actions:

1. Email Protection Systems
2. Endpoint Protection Systems
3. Access Management
4. Data Protection and Loss Prevention
5. Asset Management
6. Network Management
7. Vulnerability Management
8. Security Operation Centers and Incident Response
9. Network Connected Medical Devices
10. Cybersecurity Oversight and Governance

These documents can be valuable tools for conducting HIPAA risk assessments because they are more attuned to current cyber threats.

HITRUST

The HITRUST CSF is a certifiable framework originally designed for healthcare but has become industry-agnostic. It is a rigorous and highly respected framework that results in healthcare organizations having the highest standards for data security. HITRUST encompasses other standards, including NIST, ISO 27001, PCI DSS, HIPAA, and GDPR, allowing organizations to demonstrate compliance with multiple standards and regulations.

There are three HITRUST assessment options, so organizations can select the one that best meets their needs.

HITRUST Essentials, 1-year (e1)

The e1 is designed as a low-effort assessment focusing on basic cybersecurity hygiene and addressing what HITRUST identified as the most critical cybersecurity practices. It is designed for vendors whose risk may not be high enough to warrant the more extensive assessments but do need to demonstrate a verifiable commitment to basic security standards.

HITRUST CSF Implemented, 1-year (i1) Validated Assessment

The i1 is a midrange option in terms of time, effort, and cost. Companies with cybersecurity controls in place but without thorough policy and process documentation should consider the i1.

HITRUST CSF Risk-based, 2-Year (r2) Assessment

The r2 is the gold standard for security certifications in the healthcare industry. It requires the most significant commitment to obtain, but it is a highly regarded certification that demonstrates an organization is dedicated to the highest level of data security.

To learn more about addressing cybersecurity challenges in healthcare, watch the Aligning Cybersecurity Controls with Healthcare Compliance Obligations podcast below.

CompliancePoint has a team of experienced professionals dedicated to helping healthcare organizations strengthen their cybersecurity programs. We also help our customers achieve HIPAA compliance and HITRUST certification. Reach out to us at connect@compliancepoint.com to learn more about our services.