Traditionally, the gold standard for healthcare cybersecurity has been HIPAA compliance. HIPAA rules set solid guidelines for how to protect patient information, and failing to comply can result in high fines.
More and more, though, it is becoming clear that while the HIPAA Security Rule provides solid guidelines for providers, it may not be sufficient on its own to deal with all of the cybersecurity challenges of the twenty-first century. In the first half of 2019, 32 million patient records were breached, and the majority of these breaches were caused by hacking. The majority of providers have experienced a breach, with the most common problem being ransomware. Healthcare cybersecurity is, thus, a growing field, especially with more and more patient information being stored digitally and transferred to different devices.
The HIPAA Security Rule is a regulatory framework to assist institutions in managing HIPAA compliance. It contains six main sections:
The specific ways to implement the Rule vary by provider, and are affected by an entity's size, specific nature, etc.
The National Institute of Standards and Technology's Cybersecurity Framework for healthcare was introduced in the fall of 2013. These are voluntary standards that call for a much higher level of security and compliance.
Much of the NIST framework is not, in fact, industry specific and can be applied across industries, but the health industry version takes into account HIPAA standards, clinical engineering (including smart medical devices that connect to the network), differences in inactivity timeouts, etc. It can be further customized to your institution's specific needs and concerns.
The goals of the framework are to help identify risks, protect systems from them, and respond to cybersecurity events.
The HIPAA Security Rule also requires risk assessment, but it is generally limited to protecting covered patient information. It does require a proper security management process, workforce training, facility access controls, etc. However, the CSF goes further. First of all, it scales beyond the critical infrastructure covered by HIPAA.
It also moves away from typical checkbox thinking, which regulatory compliance tends to lead towards. The framework includes:
The goal is to increase awareness of risk in general; while HIPAA risk assessment is important, NIST goes a little further than that and helps organizations limit liability and the risk of a breach. It also covers areas that were not originally involved in HIPAA compliance. The NIST risk management framework is also easy for vendors and contractors to adopt, and contractors in other industries may be using a framework which is at least somewhat similar.
The framework provided by NIST is cohesive and can be used in a continuous cycle to ensure that updates happen frequently and as needed. As a voluntary set of guidelines, it can be adjusted and customized as needed, and institutions can provide feedback into the system to help them improve their cybersecurity and pass on what they have learned to others.
HIPAA compliance has long been considered sufficient, but a variety of factors have combined to make protecting healthcare information a priority. These include:
The very technologies which are improving patient outcomes and safety are also making providers more vulnerable to cyberattacks than ever before, and in some cases, convenience is racing ahead of privacy and security.
Personal information is now being stored on patients' phones, on implanted or wearable devices, on hospital beds, etc., rather than in one centralized location. This provides far more points of entry to a hacker and requires a new approach to network security.
Finally, HIPAA, by its nature, moves slowly. Updating regulations takes time and technology moves faster than the law can be adjusted. NIST, on the other hand, can be changed frequently to allow for new developments, especially in fast-growing areas. Information security teams are able to stay flexible and keep updating, and thus stay not just in compliance, but ahead of the regulators.
HIPAA compliance is no longer enough for healthcare providers. If you are concerned about cybersecurity risk (and you should be), then you need to do both HIPAA and NIST risk assessments to help you know how to move forward to protect the vital information your institution works with. The framework protects both patients and employees and can help you avoid costly (and reputation-destroying) data breaches, ransomware, issues with malicious insiders, and more.
GreyCastle Security offers both HIPAA and NIST risk assessments for healthcare providers. Contact us to find out how we can help you assess your risk and put together your own framework for protecting critical infrastructure and futureproofing your cybersecurity plans.