Skip to content

HEALTHCARE CYBER SECURITY POLICIES
AND REGULATIONS

Medical device cybersecurity governance is a way of controlling the confidentiality, integrity, and availability of protected health information (PHI). At its core, cyber security governance is embedded into the life-cycle management of medical devices from onboarding through replacement, and every policy, process, and procedure in-between.

Establishing effective cyber security governance within a healthcare delivery organization will improve processes and procedures used to identify and mitigate risks, improve processes that properly identify and validate appropriateness of medical devices, establish classifications of cyber security risks, strengthen risk controls, as well as build internal and external relationships needed to secure protected information. Without effective cyber security governance, patients, their data, and the hospitals that manage it, remain at high risk of cyber-attack

Establishing effective cyber security governance within a healthcare delivery organization will improve processes and procedures used to identify and mitigate risks, improve processes that properly identify and validate appropriateness of medical devices, establish classifications of cyber security risks, strengthen risk controls, as well as build internal and external relationships needed to secure protected information. Without effective cyber security governance, patients, their data, and the hospitals that manage it, remain at high risk of cyber-attack

Establishing the policies, procedures, and processes required to create cyber security comprehensive governance is a multistep process.

1. Managing Key Players
In addition to external stakeholders such as regulatory agencies and medical device manufacturers, it is imperative to identify who the internal stakeholders are, what are their roles and responsibilities, how will they contribute to and be impacted by the governance program.
a. Understanding who the stakeholders and key players are
b. Establishing roles for stakeholders and key players
c. Creating a communication plan
d. Training

2. Perform a Risk Assessment
The goal of performing a risk assessment is to identify risks for mitigation. As best practice, risk assessments are performed in all industries using mostly similar approaches, documented in universal ISO standards.
a. Inventory and categorize assets
b. Review organizational policies, procedures, and processes
c. Review regulatory requirements
d. Analyse system for risks
e. Evaluate and rate risks for priority

 

Without these best practices, cybersecurity governance programs often fail. Most commonly, failure stems from incomplete inventories, incomplete risk assessments, a disjointed management approach, and failure to keep up with change. This is where Emeritus can help. We understand that implementing a successful cybersecurity governance program is a significant undertaking. It requires close coordination of a multitude of internal and external stakeholders, specialty software for managing assets, users, and data protection, well-thought out plans, training, and continuous improvement.

Compliance is a critical component of any healthcare security program. Regulatory compliance processes and strategies give guidance to healthcare organizations to ensure that regular actions are being taken to keep information safe and secure. While there is a myriad of compliance regulations of different levels and for different types of organizations, there are specific compliance regulations in place to ensure data protection efforts. This is important in this digital age where healthcare organizations store large amounts of protected data in electronic medical records and through the use of medical devices that are connected to hospital networks.

Breaches of sensitive data and protected health information (PHI) have a negative impact from a financial standpoint and a reputational standpoint. Oftentimes, a sizable breach can take out a small to mid-sized healthcare organization altogether with financial implications that make recovering and rebuilding virtually impossible. Data breaches in the healthcare sector are growing exponentially, with a reported 2,953 publicly reported breaches in just the first three quarters of 2020 accounting for a 51% increase compared to the same time period in 2019. With cyberattacks threatening the hospital system daily, patients are relying on it to provide a high level of security and strict adherence to the federally regulated mandates that are in place to protect their personal information.

Healthcare organizations, by nature, need to store and share large amounts of personal data across many platforms in order to provide high quality care. Because of this, they are subject to strict compliance laws. Part of this means that hospitals, medical clinics, long term care facilities, and the like have to prove compliance by taking the following steps:

  • Providing adequate server security
  • Providing adequate encryption
  • Instituting a cyber security training program

The United States healthcare system is classified as critical infrastructure and as such is protected by several federal agencies within the Department of Health and Human Resources (HHS) but depending on the threat several other agencies may get involved such as the Department of Homeland Security (DHS) and the Federal Bureau of Investigations (FBI). Protecting health data is a goal of regulating bodies that both control design and development of medical devices, like the Food and Drug Administration (FDA), as well as regulating bodies that control the healthcare delivery organizations, like the Centers for Medicare and Medicaid Services (CMS) and the Office of Civil Rights (OCR). Careful coordination among these entities and others help to ensure guidance is provided throughout the industry to manage cyber security threats

The FDA controls the pre and post-market actions of medical device manufacturers through their Center for Devices and Radiological Health (CDHR). Specific to the cybersecurity of medical devices, the FDA has released two main guidance documents; Content of Premarket Submissions for Management of Cybersecurity in Medical Devices and Postmarket Management of Cybersecurity in Medical Devices. The former helps manufacturers meet regulatory requirements in design and development while the latter enforces postmarket surveillance of the device once in the clinical setting. Postmarket surveillance of medical devices is closely regulated. For example, hospitals are expected to report problems with medical devices to the FDA or the manufacture, including cybersecurity problems. The FDA also regulates recalls and safety enhancement communications between various stakeholders in the medical device supply chain (US FDA, 2016).

The two main regulations associated with protecting health information are the HIPPA and the Health Information Technology for Economic and Clinical Health Act (HITECH) and are enforced through the Office of Civil Rights within the executive branch Health and Human Services (HHS). HIPAA, the older of the two laws, established national protections for medical records and personal health information privacy and security. The law requires healthcare delivery organizations to enact safeguards to protect patient data as well as sets limits to their data’s usage. With the implementation of the AARA the HITECH act was enacted to clarify and create stronger enforcement of the HIPAA rules. It promotes interoperability and expands the use of electronic health records through the meaningful use incentive. Strict penalties were established for HIPAA-covered entities and are enforced by the OCR.

The Centers for Medicare and Medicaid have become one of the most influential regulators of healthcare delivery organizations. As the payor of almost half of all healthcare services, CMS is able to create rules that govern CMS-covered entities, which are most healthcare delivery organizations in the US. CMS provides guidance relating to information security through a handbook called the CMS information security and privacy virtual handbook which pointes to frameworks such as System Lifecycle and numerous policies and processes such as the Security Assessment and Authorization process, Security Control Assessment process, and the Information System Security and Privacy Policy. These policies and procedures are the tools by which CMS helps hospitals protect health data and maintain their accreditation (CMS Info, 2019).

One particular mandate, the HIPAA Breach Notification Rule, requires compliant organizations and their business associates to notify patients following a data breach. In addition to healthcare providers, cloud service providers (CSPs) and other business associates of healthcare organizations must also comply with HIPAA privacy, security, and breach notification rules. This ensures that all parties involved in a breach are taking action steps to disclose it to the appropriate parties affected.

Many compliance experts will agree that the steps to be in regulatory compliance typically include the following:

  • Determine your individual organization's requirements and plans on how to implement these mandates.
  • Document and clearly define compliance processes. The written report should include specific instructions for each role involved and how to maintain individual and company-wide compliance.
  • Monitor changes to policies and determine if they apply to the current state of your organization. Compliance requirements are updated constantly and your company needs to reflect these changes as well.

With the healthcare sector being one of the biggest targets in cybercrime, larger steps needed to be taken to defend against hacking. Aside from the uncovering and misuse of personal information, cyberattacks account for huge financial losses and are expected to grow exponentially without proper mitigation efforts. Ransomware attacks alone cost healthcare organizations $20.8 billion in downtime in 2020, double the amount it cost in 2019, according to a Comparitech report cited by CynergisTek. The responsibility is great for organizations to hold tight to federal compliance mandates to consult with an MSSP to beef up security efforts.

In the Cybersecurity Act of 2015, Congress established the Healthcare Industry Cybersecurity (HCIC) Task Force to address the challenges the healthcare industry faces when securing and protecting itself against cybersecurity incidents. According to the June 2017 publication entitled “Report On Improving Cybersecurity In The Healthcare Industry,” the directives of the task force are as follows:

analyze how industries, other than the healthcare industry, have implemented strategies and safeguards for addressing cybersecurity threats within their respective industries
analyze challenges and barriers private entities (excluding any State, tribal, or local government) in the healthcare industry face securing themselves against cyber attacks
review challenges that covered entities and business associates face in securing networked medical devices and other software or systems that connect to an electronic health record
provide the Secretary with information to disseminate to health care industry stakeholders of all sizes for purposes of improving their preparedness for, and response to, cybersecurity threats affecting the healthcare industry
establish a plan for implementing title I of this division, so that the Federal Government and health care industry stakeholders may in real-time, share actionable cyber threat indicators and defensive measures
report to the appropriate congressional committees on the findings and recommendations of the task force regarding carrying out subparagraphs (A) through (E)

The very nature of integrative healthcare requires a certain degree of information sharing among different entities. Involved in the transmission of, oftentimes, highly sensitive data are payment applications, insurance companies, outside hospitals, and medical/testing/care facilities to name just a few. Depending on the size of the organization, that can account for dozens to hundreds of individuals accessing a single Katie to review at any given time. This open culture of shared information poses certain risks when it comes to cybersecurity so it’s important to find a balance between allowing it to function progressively and keeping it safe.

LET US HELP YOU!