Cybersecurity is no longer a topic that healthcare organizations can ignore, especially with covered entities working toward interoperability, implementing connected medical devices, and utilizing EHRs.
There are several cybersecurity frameworks that have been created to help organizations across industries keep their networks secure, but what are healthcare entities required to implement?
While cybersecurity frameworks do not have the same pull as federal regulations, such as HIPAA rules and HITECH, they are still critical tools that covered entities and their business associates need to consider. Failing to carefully monitor networks and devices that connect to those networks could lead to sensitive patient data falling into the wrong hands.
Furthermore, a compromised medical device could put patient safety at risk, as adjustments to medication dosages or changes in how the device is operated could be life threatening. Ransomware attacks can also create patient safety issues, as healthcare providers could be unable to operate normally as they work to gain control of their EHR.
Cybersecurity frameworks have quickly become necessities for healthcare organizations, but it is important for entities to know some of the applicable options. That way, organizations can create a comprehensive and current approach to data security.
Reviewing common cybersecurity frameworks
One of the more common cybersecurity frameworks is the one issued by the National Institute of Standards and Technology (NIST). It was first published in February 2014, under a presidential executive order direction, and was last updated in January 2017.
Since the NIST CSF was first published, numerous industries – including healthcare – have adopted it.
The updated version is meant “to refine and enhance the original document and to make it easier to use,” Matt Barrett, NIST’s program manager for the Cybersecurity Framework said in a statement. “This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”
The latest version also discusses cybersecurity measurement, according to Barrett, which “will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion.”
There are three key parts in the NIST CSF: the Framework Core, the Framework Profile, and the Framework Implementation Tiers.
“Through use of the Profiles, the Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources,” the CSF states. “The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk.”
This framework is also designed so organizations of varying sizes and in numerous industries can properly approach managing cybersecurity risk.
“Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the Framework will vary,” the document explains. “Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent.”
Another common cybersecurity framework is the Health Information Trust Alliance (HITRUST) CSF. This framework includes federal and state regulations, standards, and frameworks, and helps facilities cross-reference existing, globally recognized standards, regulations and business requirements.
As with NIST, the HITRUST CSF controls can be adjusted depending on the size, complexity and type of organization. HITRUST CSF also offers tools for performance assessments, managing remediation activities, and reporting and tracking compliance.
However, the HITRUST CSF was “developed in collaboration with healthcare and information security professionals,” according to the HITRUST website.
“The initial development of the CSF leveraged nationally and internationally accepted standards including ISO, NIST, PCI and HIPAA to ensure a comprehensive set of baseline security controls,” HITRUST states. “The CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance with these requirements that apply to healthcare organizations.”
- HITRUST Works Toward Stronger Patient Privacy Methods
- EHNAC, HITRUST Combine HIPAA Security Criteria, CSF Framework
Other security guidelines that may impact cybersecurity measures
While NIST and HITRUST are two of the more common cybersecurity frameworks healthcare organizations utilize, there are other important guidelines that may impact data security measures.
The Food and Drug Administration (FDA) monitors “reports of adverse events and other problems with medical devices,” and published the final version of its “Postmarket Management of Cybersecurity in Medical Devices,” in December 2016.
The FDA guidance applies to any marketed and distributed medical device, including devices containing software (e.g., firmware) or programmable logic. Software that constitutes a medical device, including mobile apps, also fall under the guidance. However, investigational devices are not susceptible to the postmarket guidance.
The guidance is for medical device manufacturers, but still holds important points for covered entities.
"For us to be able to identify and share those risks and vulnerabilities, that’s critical to solving the medical device cybersecurity problem."
“Public and private stakeholders should collaborate to leverage available resources and tools to establish a common understanding that assesses risks for identified vulnerabilities in medical devices among the information technology community, healthcare delivery organizations (HDOs), the clinical user community, and the medical device community,” the FDA wrote finalized document.
Intermountain Healthcare CISO and Assistant VP of Information Systems Karl West told HealthITSecurity.com in a January 2017 interview that there is a partnership between a provider and the medical device manufacturer. The FDA guidance provides a better chance to work together to identify risks, threats, and any vulnerability that may exist between the two parties.
“For us to be able to identify and share those risks and vulnerabilities, that’s critical to solving the medical device cybersecurity problem,” he said. “We’re actually pleased with the guidance.”
The Federal Trade Commission (FTC) also has guidance that is important for organizations to consider. The FTC has even noted how its own data security measures align with the NIST CSF.
“There’s really no such thing as ‘complying with the [NIST CSF],’” the agency explained on its website. “Instead, it’s important to remember that the Framework is about risk assessment and mitigation. In this regard, the Framework and the FTC’s approach are fully consistent.”
Areas that the NIST CSF wants organizations to evaluate are also ones that the FTC has been evaluating for years as it determines whether entities’ data security and processes are reasonable, the FTC added.
The FTC also has its Start with Security guidance, which includes 10 lessons for organizations that discuss how vulnerabilities could affect daily operations, as well as how those risks can be reduced.
“Applying the risk management approach presented in the Framework with a reasonable level of rigor—as companies should do—and applying the FTC’s Start with Security guidance will raise the cybersecurity bar of the nation as a whole and lead to more robust protection of consumers’ data,” the FTC explained.
There is also the FTC Act, which requires organizations – including healthcare entities – to be clear and straight forward in their processes.
“Your business must consider all of your statements to consumers to make sure that, taken together, they don’t create a deceptive or misleading impression,” the FTC states in its guidance. “Even if you believe your authorization meets all the elements required by the HIPAA Privacy Rule, if the information surrounding the authorization is deceptive or misleading, that’s a violation of the FTC Act.”
“Tell consumers the full story before asking them to make a material decision – for example, before they decide to send or post information that may be shared publicly,” the FTC stated. “Review your user interface for contradictions and get rid of them.”
- Practice Fusion Health Data Privacy Case Gets FTC Final Order
- FDA Drafts Health Data Sharing Guidance for Medical Devices
How cybersecurity frameworks apply to healthcare providers
Prior to NIST finalizing its cybersecurity framework, it took in comments from organizations in numerous industries, including healthcare.
The Healthcare Information and Management Systems Society (HIMSS) explained in its comments that the Framework can be enhanced, especially as healthcare would utilize the framework.
“Since many healthcare organizations could benefit from improving their risk management process and better address cybersecurity risk, the NIST Cybersecurity Framework could be useful in helping healthcare organizations improve their security posture,” HIMSS wrote.
However, HIMSS noted that the framework “could be more useful to healthcare stakeholders by providing metrics and other tools to measure progress with the Framework.” Furthermore, applying certain HIPAA regulations into the NIST Cybersecurity Framework could also assist the healthcare industry in its approach to cybersecurity.
HIMSS explained that “the HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.” Therefore, Section 3 of the Framework that addresses how to use it, could be updated to include the HIPAA Privacy Rule.
“In addition, the HIPAA Security Rule could be incorporated, as appropriate, into the discussion regarding the use of the NIST Cybersecurity Framework,” HIMSS stated.
While HITRUST is more specific to healthcare, it also made changes to further help the industry streamline its approach to cybersecurity.
"The healthcare industry is plagued by well-meaning yet inefficient processes, standards and protocols."
In October 2016, the Electronic Healthcare Network Accreditation Commission (EHNAC) and HITRUST announced that they were collaborating to streamline their accreditation and certification programs.
The collaboration will allow CSF certified organizations “to leverage that assessment in obtaining accreditation for one of EHNAC’s 18 stakeholder-specific accreditation programs,” the organizations explained in a statement. Entities that are accredited by EHNAC will not be affected by the change.
“The healthcare industry is plagued by well-meaning yet inefficient processes, standards and protocols,” HITRUST CEO Daniel Nutkis said in a statement. “It is through this partnership with EHNAC, and potentially other like-minded standards organizations, that we are growing our vision of helping the industry eliminate the complexity relating to information protection and compliance.”
EHNAC has been focused on risk mitigation, and working to help organizations reduce the risk of a breach incident, cyberattack, or ransomware attack, EHNAC Executive Director Lee Barrett told HealthITSecurity.com.
“We had heard from a lot of organizations that as they go through different types of certification, such as EHNAC, HITRUST, and others, that the internal cost for them to go through the various certifications and accreditations is very significant,” he said. “The organizations say that in many cases they have to answer similar types of questions, responses, or self-assessments.”
A January 2017 KLAS and CHIME study also found that three-quarters of surveyed healthcare organizations are following the NIST CSF. Thirty-one percent of those surveyed said their organization utilizes the HITRUST security framework, while 19 percent said they use SANS CIS controls.
The second annual HIMSS Analytics HIT Security and Risk Management Study also asked healthcare organizations about cybersecurity frameworks. In those findings, 61 percent of respondents said they are using the NIST Cybersecurity Framework, while 36 percent said they utilize HITRUST. Thirty-six percent also reported that they use Information Technology Infrastructure Library (ITIL).
- ICIT Explains NIST Guide Impact on Healthcare Cybersecurity
- EHNAC, HITRUST Eliminate Data Security Redundancies