The healthcare industry is a veritable honeypot for cybercrime, replete with vast amounts of sensitive digital information that expands in number and scope daily, including personal medical data and payment card details. This data is increasingly attractive to hackers, particularly those using ransomware to lock out organizations and hold onto sensitive information until the organization pays up.
During the coronavirus pandemic, with hospitals and healthcare providers already stretched to their limits, bad actors have ramped up their attacks.
Not only do these breaches expose patient data and payment details, they can also close down hospitals
, putting lives at risk.
Compliance in the Healthcare Industry: Laws and Regulations
Because the industry is a key target for hackers, it is subject to a range of regulations that help protect patient and financial data. Although compliance does not guarantee the safety of healthcare data, it's an important first step in any cybersecurity strategy. Not to mention the significant fines and other costs to those in the industry unable to meet regulatory mandates.
Here are the key compliance requirements, critical laws, and regulations that healthcare organizations must be made aware and with which they must comply:
Healthcare Insurance Portability and Accountability Act (HIPAA)
Medical professionals today can often access electronic patient health information (ePHI) from anywhere, on laptops, smartphones, or home computers. This capability has been crucial for providing health services virtually during the pandemic.
However, healthcare data must be always protected, both to ensure its confidentiality and its integrity. The Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA)
aims to do just that. It applies to all healthcare providers and has requirements for patient health around its creation, collection, maintenance, and transmission. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 further extended HIPAA requirements to business associates.
The Office of Civil Rights within the U.S. Department of Health and Human Services enforces HIPAA compliance and levies steep fines against providers as well as business associates who violate HIPAA provisions.
HIPAA's Security Rule requires covered entities to maintain reasonable administrative, technical, and physical safeguards. The regulation doesn't prescribe specific security practices, and each organization must determine what is considered “reasonable" based on its unique circumstances.
The Four Core Requirements of the HIPAA Security Rule
- Ensure the confidentiality, integrity, and availability of all ePHI that organizations create, receive, maintain, or transmit.
- Identify and protect against “reasonably anticipated" threats to the security or integrity of the information.
- Protect against unauthorized use and disclosure.
- Ensure workforce compliance with the requirements.
Healthcare Information Trust Alliance Common Security Framework (HITRUST)
The Healthcare Information Trust Alliance (HITRUST) developed a Common Security Framework (CSF)
based on a variety of federal and state regulations, frameworks, and standards. The CSF provides regulated healthcare organizations with a common set of standards they can adopt and use to evaluate vendors.
HITRUST issues CSF certification to businesses that successfully meet its rigorous requirements. HITRUST compliance shows that the vendor has met the requirements for managing and protecting sensitive patient data.
The HITRUST CSF uses a risk-based approach that includes three core factors:
- Organizational factors, such as geographic scope and business volume.
- Regulatory factors that are based on compliance requirements specific to the organization's circumstances, including sector and geography.
- System factors that impact data management risks, such as data storage and transmission, internet access, third-party access, number of users, and number of daily transactions.
- The framework also allows for alternate management, technical, or operational controls to be applied under specific conditions.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is not a government regulation but rather a set of industry rules that payment card issuers and financial institutions enforce for merchants and service providers who accept payment cards. The PCI Security Standards Council develops and maintains the PCI DSS, which also applies to anyone who stores, processes, or transmits cardholder data.
Rapidly rising deductibles in the healthcare industry mean more patients are putting co-pays and deductibles on their credit and debit cards, making healthcare providers holders of personal financial information and card details.
Like other merchants, healthcare providers must assess their compliance, remediate vulnerabilities, and report compliance to the respective financial institution or payment card brand.
PCI-DSS has a set of six core objectives, each with specific requirements:
- Build and maintain a secure network—using a firewall and strong password practices.
- Protect stored cardholder data—including encryption of cardholder data when it's transmitted over open, public networks.
- Maintain a vulnerability management program—using and regularly updating anti-virus software and development of secure apps.
- Implement strong access control measures—including restricted access to data based on roles, and unique IDs for those with access.
- Regularly monitor and test networks—tracking and monitoring access to networks and data, and regularly testing security.
- Maintain an information security policy—covering both employees and contractors.
Compliance with these rules and regulations encompasses core security processes that are central to protecting the sensitive data held by healthcare organizations.
The Six Core Objectives of PCI-DSS
Data encryption provides an additional layer of security for sensitive information if hackers successfully access your organization's systems. This makes the data much more difficult to steal, hold ransom, or use in committing fraud.
PCI DSS requires that cardholder data and personally identifiable information (PII) are encrypted both in storage and when in transit over public or private networks. Similarly, HIPAA requires that covered entities should “implement a mechanism to encrypt PHI whenever deemed appropriate."
Network firewalls are recommended for HIPAA compliance, although they are not specifically required. HIPAA only requires that controls are reasonable and appropriate, and that organizations determine what “reasonable and appropriate" means through a risk assessment.
Nonetheless, it would be difficult to find a risk assessment that didn't recommend firewalls. Hardware, software, and web application firewalls should all be investigated to assess the right approach.
In addition, the firewall must be set up and configured properly as well as regularly maintained. This last element is critically important—if the firewall is not maintained, the network can be compromised.
Four Basic Firewall Configuration Best Practices:
- Use VPNs: Set up virtual private networks (VPNs) for remote access.
- Set inbound/outbound rules: Decide what traffic comes in and out of your network.
- Add or close switch ports: Segment different networks with switch ports (e.g., Internet, office, EMR).
- Create security settings: Set security settings for each switch port, particularly if you're using segmentation.
3. Intrusion Detection
PCI DSS requires intrusion detection, and although HIPAA does not directly mandate it, few risk assessments would exclude it.
Intrusion detection systems (IDS) work in tandem with firewalls to prevent attacks, with the IDS monitoring any traffic inside the firewall for evidence of malicious behavior.
4. Logging and Data Collection
Under HIPAA logging requirements, all covered entities and business associates must have audit controls in place. So, your organization must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
A HIPAA-compliant audit log should include this information:
- User logins
- Changes made to databases
- Addition of new users
- New users' level of access
- Files accessed by users
- Operating system logs
- Firewall logs
- Anti-malware logs
These logging and data collection requirements cover not only electronic patient data, but paper versions too, which need to be “signed out" when in use.
5. Required Policies and Procedures
HIPAA mandates that covered entities maintain written policies and procedures addressing three general topics: the privacy rule, the security rule, and breach notification.
HIPAA's privacy rule allows a covered entity to disclose patient details only with written authorization, and in limited situations. Your organization's written policy should include compliant disclosure forms that are appropriate for your healthcare provider type and cover different forms of authorization.
The security rule mandates that all patient records are maintained securely. Part of compliance is having a written policy in place to tell your employees about their responsibilities, such as not using insecure public Wi-Fi hotspots to transmit confidential information.
Organizations also need to have a breach notification policy in place, which should form part of the written manual and address each aspect of the law. The policies and procedures manual is often the first document auditors request when ensuring compliance, so it's essential that it is comprehensive and kept up to date.
6. Vendor Management
Since HIPAA covers healthcare providers as well as their business associates, it's clear that the law extends to third parties as well.
Third-party suppliers are often targeted by hackers because they may not be able to finance expensive cybersecurity measures to the same degree larger healthcare organizations do. But the onus is on the provider to ensure that all of its associates are compliant. This is not only true at the point of onboarding, but throughout the business relationship, so organizations need to regularly monitor the supplier's status.
Look for HITRUST CSF certification when vetting vendors to remove any doubt that they are compliant.
7. Smart Management of Compliance Requirements
For healthcare providers, cyber threats are multiplying. Not only are healthcare organizations increasingly targeted by hackers, but they are also amid an industry-wide digital transformation.
Monitoring new threat intelligence and vulnerabilities across a widening sphere of digital infrastructure requires an ever-increasing cybersecurity team, one that few providers can afford.
Even with the best and largest security team at your disposal, it's difficult to know where to focus efforts when new vulnerabilities are discovered every day and you're continuously adopting and integrating new technologies.
Centralizing compliance management and maximizing cybersecurity efforts can both be accomplished when implementing effective security operations. Expert firms can help identify and monitor threats, train security personnel, and optimize threat detection and response—many of them hold expertise specific to the healthcare industry.
Get in touch today to learn about our team of security operations experts and their work with healthcare providers across the country.