Data breaches are still on the rise in healthcare. In 2021 there were 686 healthcare data breaches of 500 or more records, resulting in 45M exposed or stolen healthcare records. 2022 is off to a poor start, with over 3.7M healthcare records compromised as of 3/2/2022.[1]
Healthcare organizations face a landscape that is increasingly riddled with complexities, threats, and a multitude of attack vectors. The pandemic took a toll on hospitals, and ransomware attacks increased significantly. Nevertheless, healthcare organizations must continue to provide patient care through various avenues that necessitate emerging and advanced digital solutions, like edge computing. With that comes cybersecurity risk. This can be challenging for even the most mature organizations, but many healthcare organizations are still lagging behind and do not have the fundamentals of cybersecurity in place.
Cybersecurity frameworks for the healthcare industry
Frameworks are becoming increasingly more important to build that foundation, to measure improvements, and to drive results. Frameworks allow for a defensible and rational approach to managing your cybersecurity risks and complying with regulatory requirements. Many regulations purposely strike a balance between specificity and flexibility to allow organizations latitude in applying the requirements based upon their size, complexity, and risk assessment.
Established frameworks are adopted across industries; some are industry-specific, but all continue to evolve as cybersecurity risks evolve. Most recently we have seen the newly updated ISO 27002 standard published last month, the DoD has come out with CMMC 2.0 (NIST 800-171r2), and the National Institute of Standards and Technology (NIST) regularly publishes new and updated standards.
The need for a vertical-specific framework
Adoption of a particular framework can vary from industry to industry. One such framework is the HITRUST CSF that has been heavily adopted in the healthcare industry. The HITRUST CSF was established to provide prescription and consistency in the application of security and privacy controls for healthcare organizations. It provides for the protection of health data by creating a single framework that harmonizes various, related compliance requirements and industry standards. While HITRUST is no longer focused on only the healthcare industry, the adoption of the HITRUST CSF can help organizations in healthcare lay the foundation and continuously improve their cybersecurity posture and address existing and emerging threats.
The HITRUST CSF is valuable to healthcare organizations for the reasons mentioned above: it provides a defensible approach to compliance with HIPAA, it is prescriptive in control implementation, and it is continually updated based upon the threats and risks the healthcare industry faces. The healthcare industry not only has to demonstrate cybersecurity risk management to regulators, but to business partners and clients as well. HITRUST offers certification for this purpose.
HITRUST has added two new assessments to provide organizations with options. The assessment formerly known as the HITRUST CSF Validated Assessment could be daunting for some organizations to take on. Given this, HITRUST published in early 2022 what is called the Implemented, 1-Year (i1) Assessment. This assessment allows organizations to take a streamlined, crawl-walk-run approach to assurance and certification.
The i1 Assessment is based upon a static set of 219 controls with substantial coverage of NIST SP 800-171 revision 2, the HIPAA Security Rule, and the AICPA Availability Trust Services Principle, evaluating the maturity of control implementation. This is an attractive assessment for organizations that need to demonstrate a moderate level of assurance and are willing to go through the assessment and certification process on an annual basis. It is also a good stepping stone to higher levels of assurance.
This does not replace the former HITRUST CSF Validated Assessment, which is now called the Risk-Based, 2-Year (r2) Assessment. The r2 Assessment's requirements are risk-based: the number of controls depends on scoping factors and will vary from organization to organization. The evaluation of the controls is very rigorous, assessing maturity at the policy, process, implemented, measured, and managed levels, and demonstrates high assurance.
Also new in 2022 is the Basic, Current-state ("bC") Assessment, a self-assessment focused on good security hygiene controls that is suitable for quick, low-assurance requirements. It provides coverage of NISTIR 7621: Small Business Information Security Fundamentals.
The bC, i1, and r2 provide a range of assurance options to meet organizational, partner, and client needs, and continue to reduce the effort of responding to third-party requests to demonstrate a sound security posture.
Balancing risk against the transformation of patient care delivery necessitates adopting a framework that is sustainable and continually updated, especially as healthcare organizations invest in cybersecurity strategies like securing the edge.
[1] U.S. Department of Health and Human Services Office for Civil Rights Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information