Everyone who participates in the United States healthcare system either as a patient, provider business associate, or subcontractor either knows or should know about the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191 (Aug. 21, 1996). Industry participants should also have implemented requisite standards espoused by the Privacy Rule, Security Rule, Breach Notification Rule and the Health Information Technology for Economic and Clinical Health Act, Pub. L. 111-5 (Feb. 17, 2009).
Another law, which is also relevant to healthcare industry participants, the Cybersecurity Act of 2015, Pub. L. 114-113 (Dec. 18, 2015) (“CSA”) leveraged the insights from both the private and the government stakeholders through the Healthcare and Public Health (“HPH”) Sector Critical Infrastructure Security and Resilience Public-Private Partnership. Section 405(d), Aligning Health Care Industry Security Approaches, required the United States Department of Health and Human Services (“HHS”) to convene a Task Group.
On December 28, 2018, the Office of the Assistant Secretary for Preparedness and Response released its publication, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (“HICP”). The overall objective is to raise awareness and provide guidance on the prevention, detection, and correction of a cybersecurity event.
The purpose of this article is to provide some of the highlights of the HICP, as well as practical applications, which may assist with HIPAA/HITECH Act compliance. In turn, this can reduce the risk of a breach and the associated costs.
The December 2018 HHS Health Industry Cybersecurity Practices Publication
HICP was mandated by the Cybersecurity Act of 2015 and evolved over approximately two years through the collective efforts of both government and industry participants.
“The publication includes a main document, two technical volumes, and resources and templates.” The focus of both the main document and the technical volumes is identifying and mitigating threats by providing best practices. Eric Hagen, Deputy Secretary of HHS describes the framework as practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for healthcare organizations of varying sizes. Although the document itself is not legally binding, this guidance may become important for demonstrating reasonable security risk management standards throughout the healthcare industry.
The HICP emphasized the need for mobilization and coordination of resources across the spectrum of public and private stakeholders, including hospitals, IT vendors, medical device manufacturers, and government to minimize risks and impact to patient information and care.
The publication also highlights the impact of cyberattacks on healthcare small businesses. U.S. physicians remain one of the most vulnerable groups with 4 in 5 experiencing some form of a cybersecurity attack.
Other specifics include the following:
- Fifty-eight percent of malware attack victims are small businesses.
- In 2017, cyber-attacks cost small and medium-sized businesses an average of $2.2 million.
- Sixty percent of small businesses go out of business within six months of an attack.
- Ninety percent of small businesses do not use any data protection at all for company and customer information.
The HICP also highlights five of the most relevant and current threats facing the healthcare industry, which can originate from insider, accidental, or external intentional act. These include e-mail phishing attacks, ransomware attacks, loss or theft of equipment or data, insider, data loss, and attacks against connected medical devices. The biggest concern is the potential to adversely impact the health and safety of patients.
In order to adequately address these five threats, the HICP suggests ten practice recommendations, which are practical for organizations of all sizes.
The recommendations include:
- E-mail protection systems
- Endpoint protection systems (hub-and-spoke approach that protects all endpoints (e.g., servers, desktops, laptops, smartphones and other IoT devices).
- Access management (i.e., minimize the risk of unauthorized access through physical and technical safeguards)
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies and procedures
The HICP recommendations are consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the security requirements of the Security Rule.
Practical Applications of the Guidance
NIST and industry professionals alike have espoused the utilization of an enterprise risk management (“ERM”) framework to mitigate risk. Structures like the HICP and NIST Cybersecurity Framework (“NIST CSF”) provide guidance that can serve as the foundation of an enterprise-level security risk management program.
The NIST Cybersecurity framework was a result of a 2013 Presidential Executive Order – Improving Critical Infrastructure Cybersecurity, which called for the development of a voluntary risk-based cybersecurity framework based on industry standards and best practices to help private sector organizations manage cybersecurity risks. Released in 2014, the NIST CSF creates a common language to address and manage cybersecurity risk in a cost-effective manner based on business needs and was the product of 10 months of collaboration between government and private sector security experts. At its core, the NIST CSF provides a set of activities, outcomes, and informative references providing the detailed guidance for developing individual organizational risk management profiles.
The primary objectives in any cybersecurity framework should include the following five principles: detect, protect, identify, recover, and respond. The last three terms are often bundled into a single term: correction. Although the NIST CSF and HICP are applicable across a variety of industries, there is particular significance to the healthcare sector because of the Security Rule and the HITECH Act. Here are five suggested components that lay the foundation of an enterprise security program: (1) designated security officer; (2) adequate policies and procedures; (3) annual risk analysis; (4) technical safeguards; and (5) training.
Designated Security Officer
Security within an organization is everyone’s responsibility. Pursuant to the Security Rule, 45 CFR § 164.308, every organization must designate a security officer or manager to lead, implement, and manage the security program. Considered an administrative safeguard, it requires all covered entities to identify a “HIPAA Security Officer” who is responsible for the development and implementation of the policies and procedures to ensure the protection of ePHI.
Security Policy Framework
Security policies and procedures and documentation required include an organization’s leadership goals for managing security risk and protecting the organization assets. As set forth in 45 CFR § 164.316, in accordance with § 164.306, requires that the framework also includes standards, procedures, and guidelines that govern the implementation of the security program across all business units and functions. Under HIPAA, healthcare organizations must implement policies and procedures to protect the integrity and privacy of patient health information in accordance with the Security and Privacy Rules.
These policies and procedures should be updated at least annually and when there is a significant change in a law or a standard.
Annual Risk Analyses
The security program must continuously assess threats and vulnerabilities in order to identify, measure, and prioritize risks to the organization’s assets that access, process, and store healthcare information. 45 CFR § 164.308(a)(1)(ii)(A) requires that covered entities and business associates conduct an annual risk analysis. “Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.” Notably, individuals use “risk assessment” and “risk analysis” interchangeably. There is a difference, so be certain to clarify. “Risk analysis is the assessment of the risks and vulnerabilities that could negatively impact the confidentiality, integrity, and availability of the electronic protected health information (e-PHI) held by a covered entity, and the likelihood of occurrence.” This is different than the risk assessment that is conducted once a potential breach event has been identified.
The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” An enterprise security architecture enables healthcare organizations to implement necessary technologies that minimize risk to protected health information (“PHI”) and other sensitive data. A layered approach to applying security controls allows organizations to protect PHI and dependent applications, systems, and networks. User activity and other security event monitoring allows an organization to efficiently detect and mitigate security incidents that lead to data breaches, system downtime, and network intrusions. Examples include access controls, encryption, and penetration testing.
Security Awareness and Training Program
Pursuant to 45 CFR § 164.530, HIPAA security training is mandatory. Training that includes both the Privacy Rule and security awareness aspects, as well as role-based security training, is essential to educating employees about their roles and responsibilities in protecting the confidentiality, integrity, and availability of PHI. In turn, this helps to create a strong culture of compliance, in addition to keeping users current on common threats (e.g., phishing and ransomware attacks). Users that are trained and equipped with the tools needed to perform their duties securely are the first line of defense against security threats.
It is vital to appreciate that these five items are only a small portion of the technical, administrative, and physical safeguard requirements under the Security Rule.
In a world and in an industry where technology continues to evolve, it is imperative that healthcare industry participants utilize publications such as HICP and NIST. Failure to utilize these standards may lead to increased legal, financial, regulatory, and reputational costs. Implementing an enterprise risk management approach can assist in mitigating risks and increasing compliance with HIPAA, the HITECH Act, and other related laws and regulations. In sum, reading the HICP and implementing its suggestions is worth the time investment.
For more information on HIPAA, check out First Healthcare Compliance’s HIPAA Privacy and Security book, a user-friendly resource that provides professionals the practical knowledge they need to meet challenges in today’s highly regulated healthcare industry. The book is available through the First Healthcare Compliance shop and on Amazon.
Rachel V. Rose – Attorney at Law, PLLC (Houston, Texas) – advises clients on healthcare, cybersecurity, and qui tam matters. She also teaches bioethics at Baylor College of Medicine. Ms. Rose has consecutively been named by Houstonia Magazine as a Top Lawyer (Healthcare) and to the National Women Trial Lawyer’s Top 25. She can be reached at firstname.lastname@example.org.
William J. McBorrough is Chief Security Advisor at the Washington D.C. based information security consulting firm, MCGlobalTech. Mr. McBorrough advises clients across the healthcare sector on matters of security and compliance. Mr. McBorrough has served on the faculty of various universities, including University of Maryland University College and George Mason University. He can be reached at email@example.com.
Published in BC Advantage 14.2 issue