February 25, 2019
Today, the healthcare industry has become prone to cyber-attacks, just like any other sector. One notable feature across all these fields is the similarity of their existing and emerging threats. At the same time, there is an increasing need for organizations to reassure their customers and regulators that their networks and systems have incorporated adequate security measures. One way of achieving this goal is to comply with recognized security standards and frameworks. In most cases, the frameworks are adopted across all sectors, but there is a crucial need to develop sector-specific cyber security frameworks to manage the risks of different industries.
Entities in the healthcare industry can follow several security compliance frameworks to develop the policies and procedures necessary to secure the confidentiality, integrity, and availability of information systems and data. Currently, there are numerous frameworks that are widely tried, tested, and trusted in the healthcare industry. In most cases, organizations face challenges when selecting the right compliance programs to meet their security and compliance needs. They are required to deal with several concerns, such as the cost of compliance, complexity, certifications, and inconsistencies between standards. This whitepaper highlights the most popular cybersecurity compliance frameworks and standards that can be deployed by entities in the healthcare sector. The report features the capabilities as well as the shortcomings of each framework and gives critical information that organizations can use as guidance when selecting the right framework for enhancing their security posture and meeting compliance requirements.
Framework #1: HIPAA
The Health Insurance Portability and Accountability Act is United States legislation that promotes data privacy by providing security requirements for protecting health information. HIPAA has gained prominence over the years, especially with the proliferation of cyberattacks targeting healthcare providers. To achieve this objective, the Department of Health and Human Services published the HIPAA Privacy Rule and the HIPAA Security Rule to establish national standards for protecting certain health information stored or transmitted in electronic form and to operationalize those protections by addressing the technical and non-technical safeguards that covered entities must put in place to secure electronic protected health information (e-PHI). The Office for Civil Rights (OCR) is mandated with the responsibility of enforcing the Privacy and Security Rules through civil money penalties and voluntary compliance activities. HIPAA’s Security Rule applies to health plans, healthcare clearinghouses, and any other healthcare provider that stores or transmits medical information in electronic form. Overall, HIPAA has greatly enabled the protection of the privacy of health information while promoting the adoption of new technologies to improve service delivery in the healthcare sector.
Framework #2: CIS Critical Security Controls
The Center for Internet Security (CIS) is a nonprofit organization that maintains the Critical Security Controls, a set of controls developed to help minimize the risk of cyber-attacks. CIS lists the security controls in priority order, with the most critical appearing first. Some of the areas of focus include creating an inventory of assets, managing vulnerabilities, and controlling the use of administrative privileges. In most cases, no single security framework is sufficient to protect the privacy of a covered entity. It is, therefore, more effective to use the CIS Critical Security Controls alongside the other frameworks discussed in this report.
Framework #3: COBIT
COBIT is an IT governance framework and supporting toolset that allows organizations to bridge the gap between control requirements, business risks, and technical issues. The framework helps in policy development and good practice for IT control in an organization. It provides an implementable set of controls over information technology and organizes them around a logical framework of IT-related processes and enablers. Today, healthcare providers such as hospitals and insurance companies are joining other entities, including financial institutions, governments, and private corporations, in adopting COBIT, which has become an integrator for IT best practices by harmonizing other standards. The framework further allows covered entities to optimize resources while mitigating risks. COBIT focuses more on the efficiency and effectiveness of the IT environment than on information security linked to business issues. However, the framework is used to implement practices provided by other information security standards such as the NIST Cyber Security Framework and ISO 27001/27002.
Framework #4: ISO 27000 Series
The ISO 27000 family of standards is broad in scope and can be applied in the healthcare industry to address the challenging and ever-evolving requirements of information security in a sector that handles highly sensitive personal data. A good example is ISO 27002, which combines broad international acceptance with comprehensive, dedicated coverage of information security practices built around process and policy management. ISO 27002 focuses on elements such as security policy, organizing information security, asset management, human resource security, physical and environmental security, communications and operations management, access control, business continuity management, and information security incident management. ISO/IEC 27001, the internationally acknowledged management system standard for information security, can in turn be implemented in the healthcare industry to ensure that covered entities identify and mitigate the risks related to handling sensitive information.
Framework #5: NIST RMF
In an organization, the development and deployment of security controls for its systems is part of a security program focused on managing organizational goals. NIST’s Risk Management Framework offers a process that integrates security and risk management activities into the system development life cycle. On the NIST RMF web page, the framework is described as a “risk-based approach to security control selection and specification” that “considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations.” All these elements are crucial to an effective information security program in the healthcare sector. Healthcare industry players can adopt the RMF to proactively and progressively manage risks while identifying solutions or controls that reduce those risks to acceptable levels. Since the RMF draws on several other frameworks and methodologies, a covered entity can utilize well-defined privacy controls that help it comply with policies and regulations. Ultimately, NIST RMF ensures that the healthcare sector not only provides patient care but also delivers secure services to customers.
Framework #6: NIST CSF
The healthcare industry is also adopting the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) as an outstanding framework for organizations in the sector to regularly evaluate their current cyber security risk posture and remedy discovered issues to acceptable levels. NIST CSF focuses on five core functions, identify, protect, detect, respond, and recover, which are crucial in the cyber security space. Healthcare players can utilize this framework as a foundation for developing a robust cyber security program that detects and mitigates cyber risks on an ongoing basis. NIST CSF can be viewed as a straightforward strategy for organizations to determine risks and enhance their cyber security policies, procedures, and operations. Healthcare providers can use the framework to identify gaps in their security programs and to deploy the recommended practical approaches for each function to achieve automated and effective risk management.
Framework #7: FDA
Since all medical devices carry both benefits and risks, the FDA promotes a strategy that ensures devices are distributed with a reasonable assurance that the benefits to users outweigh the risks. As more medical devices are connected to the Internet and to healthcare providers’ networks, the risk of cyber security threats increases, which can affect both the effectiveness of the device and the safety of patients’ information. Fortunately, the FDA provides recommendations that can be utilized to mitigate and manage cyber security threats. For instance, the framework requires medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs) to take measures to ensure that appropriate safeguards are in place. Manufacturers should remain vigilant about detecting risks associated with their medical devices. Covered entities are also responsible for developing and implementing appropriate mitigations to address risks to patient safety and to ensure proper system and device performance.