A secure yet accessible health IT infrastructure is a fundamental requirement for all healthcare organizations.
As providers adopt more digital technologies, including electronic health records, data warehouses, advanced wireless networks, and more mobile devices, they must ensure that their infrastructure runs smoothly without exposing the organization to security vulnerabilities.
Data security issues often arise with HIT infrastructure as organizations begin to make the upgrade from legacy systems, which may include an older operating system that is no longer supported or medical devices that were not originally designed to be connected to the internet.
It only takes one unsecured device or network access point for an organization to have its data compromised, including the protected health information (PHI) of patients.
A current and secure HIT infrastructure will help providers prevent, detect, and recover from potential data breaches.
How do HIPAA rules apply to health IT infrastructure components, and how can organizations embrace new technologies while maintaining a high level of data security?
Applying HIPAA compliance to HIT infrastructure
Cybersecurity threats are becoming more elaborate and more difficult to combat. Healthcare providers need their HIT infrastructure to remain HIPAA compliant while keeping daily operations running smoothly.
Organizations are connecting to health information exchanges, adopting electronic health record technology, deploying mobile strategies, and implementing connected medical devices. All of these actions could potentially expose an entity to online threats and even a HIPAA data breach.
Physical safeguards include the necessary physical measures, policies, and procedures in place to protect an organization’s “electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion,” according to HHS.
These can include facility access controls (e.g., locks on doors and keypad entry) and device and media controls, such as ensuring that laptops and tablets are locked away when not in use.
Device security is essential as more smartphones, tablets, and laptops are able to connect to the network. If a device is lost or stolen, an unauthorized party may be able to access sensitive information through the device itself.
While physical safeguards are important for securing on-premise devices, the migration from legacy systems to a more virtualized network could reduce the number of physical safeguards necessary at a facility.
Virtualization will bring more data agility and compliance concerns, which will likely lead to cloud security worries. The healthcare cloud is an increasingly popular data storage option, as it is hailed as being more secure and can help entities remove physical storage needs.
Cost savings, stronger disaster recovery, and a more scalable platform for internal requirements were top reasons healthcare organizations said they were moving to the cloud, according to the 2016 HIMSS Analytics Cloud Survey.
Healthcare cloud computing tripled from 2014 to 2016, the report stated. Forty-one percent of respondents said they plan to use cloud for HIE, an increase from the 20 percent reported in 2014. Additionally, 46.7 percent stated they planned to use the cloud for back office solutions, with 41 percent reporting cloud would be used for archived data.
The move to the cloud and virtualized machines emphasizes the need for comprehensive and current HIPAA technical safeguards.
Healthcare providers must consider access control, audit controls, integrity controls, transmission security, and authentication. Essentially, entities need to monitor how data is transferred, stored, and accessed at all times.
For example, a physician’s identity should be confirmed before she is able to access a network or EHR. A provider could opt for a multi-factor authentication process, ensuring that an individual who has been granted a certain level of access is the same person attempting to log on to the system.
Audit controls are also very important for HIT infrastructure security. Organizations should be recording or noting activity in information systems that contain or use ePHI. In the event of a data breach, a provider could simply review the audit logs and see how a system or network was accessed.
Learning how to conduct regular risk assessments, which are required under HIPAA rules, will help covered entities maintain HIPAA compliance with physical, technical, and administrative safeguards. Organizations can identify potential areas where they might be putting PHI at risk, such as through an unsecured network or a lackluster authentication process.
Ensuring business associate compliance in a cloud-based ecosystem
More and more healthcare providers are looking to cloud service providers (CSPs) to supplement their HIT infrastructure development by helping with data storage and improving their cybersecurity measures. Entities need to understand how the healthcare cloud may impact daily workflow, and also how business associate relationships might affect the organization.
Organizations must enforce cloud security policies and ensure that any business associates align with their overarching security strategy.
A business associate is an individual or entity that provides services to a covered entity. CSPs are considered business associates under the HIPAA Privacy Rule, according to HHS cloud computing guidance.
“When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA,” the guidance states. “Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate.”
Both the covered entity and business associate are “contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.”
A CSP is also considered a HIPAA business associate if it stores encrypted ePHI, even if it does not have a decryption key.
“While encryption protects ePHI by significantly reducing the risk of the information being viewed by unauthorized persons, such protections alone cannot adequately safeguard the confidentiality, integrity, and availability of ePHI as required by the Security Rule,” HHS maintained.
“Encryption does not maintain the integrity and availability of the ePHI, such as ensuring that the information is not corrupted by malware, or ensuring through contingency planning that the data remains available to authorized persons even during emergency or disaster situations.”
The same regulations would apply to an organization that helps a healthcare provider build or maintain its HIT infrastructure. All business associates are expected to maintain PHI security, according to the HIPAA Omnibus Rule.
“The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity,” HHS states on its website. “The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.”
Healthcare providers should create a business associate agreement (BAA) or a business associate contract that specifies each party’s responsibilities with PHI security.
“Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement,” HHS explains. “If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to [OCR].”
A sample business associate agreement can be found on HHS’ website.
Connected medical devices affect HIT infrastructure approach
Connected medical devices, including biomedical devices, physiological monitors, mobile medical apps, and MRI/CT/ultrasound scanners, will have a significant impact on an organization’s HIT infrastructure. These devices typically transmit data that can be used for analytics purposes, improved operations, and patient care.
Medical device cybersecurity issues are a top concern for individuals working in the connected medical device ecosystem, commonly known as the Internet of Things (IoT).
Legacy systems can sometimes become overwhelmed when a large number of devices are connecting to a wireless network. A provider’s network must be able to meet all access expectations without any downtime.
The average hospital room could contain as many as 15 to 20 medical devices. That number can grow depending on the number of rooms in a hospital ward.
Extreme Networks Director of Healthcare Solutions Bob Zemke told HITInfrastructure.com that connected IoT devices put massive strain on a network and can cause outages if the traffic is not managed and monitored properly.
“It has to be designed just like air traffic control,” Zemke said. “We have to look at the critical devices and how to prioritize them. We start with mission critical systems, life critical, telemetry, emergency communications, nurse call, then we look at maybe the business applications and systems, and everything else needed to support the clinicians' access and their devices. What bandwidth is left you typically have to provide for the patients.”
But healthcare organizations cannot prioritize access over security. Keeping the growing number of IoT devices secure is a top challenge for many providers, according to a 2017 Deloitte poll.
Thirty percent of the 370 surveyed professionals said identifying and mitigating potential risks in legacy and connected devices was the greatest cybersecurity challenge.
“Legacy devices can have outdated operating systems and may be on hospital networks without proper security controls,” said Russell Jones, Deloitte Risk and Financial Advisory partner, Deloitte & Touche LLP. “Connected device cybersecurity can start in the early stages of new device development, and should extend throughout the product’s entire lifecycle; but even this can lead to a more challenging procurement process. There is no magic bullet solution.”
There are also federal guidelines relating to medical device cybersecurity that should be considered as providers work to maintain their infrastructure security.
FDA published the final version of its “Postmarket Management of Cybersecurity in Medical Devices” in December 2016, which encourages medical device manufacturers to consider potential cybersecurity risks and vulnerabilities “throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device.”
FDA also stressed the importance of all healthcare stakeholders collaborating for comprehensive security.
“Public and private stakeholders should collaborate to leverage available resources and tools to establish a common understanding that assesses risks for identified vulnerabilities in medical devices among the information technology community, healthcare delivery organizations (HDOs), the clinical user community, and the medical device community,” FDA wrote.
Yarmela Pavlovic, a partner in the FDA Medical Device practice at Hogan Lovells, explained that legacy devices are the biggest cybersecurity challenge right now for healthcare.
Devices that weren’t intended to be network-connected are sometimes being “jerry-rigged with WiFi connectors or other network connections,” she said.
Security can be especially challenging once certain devices are implemented in the healthcare setting, Pavlovic continued.
“Sometimes they’re used at home, but often they’re being implemented by a hospital,” she explained. “The network within which the device is operating has an impact on cyber-vulnerability. There will be a continued emphasis for manufacturers to be working with healthcare institutions to try to protect the devices that are out there, and the networks on which they’re relying.”
Lackluster cybersecurity measures for medical devices can also create larger problems than just a malfunctioning device. A blood pressure monitoring device could perhaps be connected to the cloud, but the device seems low-risk because it is only meant to monitor a patient’s vitals.
“If it is connected to the hospital network and also an external location like the cloud, then that connection may present a vulnerability for accessing the hospital network,” Pavlovic maintained. “The consequences could be significant from a cybersecurity perspective, even though the risk of the device in a medical sense is quite low.”
“One of the messages that FDA has really been hammering on is you need to think about cybersecurity more broadly than the intended use of the product,” she continued. “That is definitely a big piece of what they will continue to educate companies on.”
Covered entities should regularly educate organizational leaders and other staff members on current medical device cybersecurity guidelines to ensure an overall secure HIT infrastructure. FDA’s website discusses its medical device regulation, and will post updates and any device recalls or alerts.
Healthcare organizations are only going to continue to implement connected devices and connect to other networks to work toward providing proper patient care. Data security cannot be overlooked or postponed, whether it is in a medical device or in an entity’s physical safeguard approach.
HIT infrastructure security requires planning, with serious consideration of all physical and digital obstacles for connected solutions. This will also help with overall data flow and ensure that PHI remains secure on the network.