
The Healthcare Cybersecurity Framework: A Top Defense Against Data Breaches and Attacks

May 28, 2021
Kevin Scharnhorst

Chief Information Security Officer at Health Catalyst

Article Summary


Between 2017 and 2020, more than 93 percent of healthcare organizations experienced a data breach. While digital technology and connectivity are increasingly critical in meeting operational and clinical challenges, such as COVID-19, more integration also increases exposure to cyberattacks that can impact care delivery, safety, and privacy.

In response to healthcare’s significant and growing cybersecurity threats, vendor organizations and their health system partners need a security framework. A defensible protocol holds vendors accountable to routine audits and compliance measures at a regular cadence, ensuring both parties keep cybersecurity programs active and optimized.


Healthcare IT vendors have an immense responsibility for an organization’s cybersecurity when they partner on software and solutions, especially as breaches and cyberattacks are on the rise in the healthcare industry. Digital technology and connectivity have led to significant improvements in healthcare delivery, but increased integration enables more exposure to cyberattacks that can impact care delivery, safety, and privacy.

More than 93 percent of healthcare organizations experienced a data breach between 2017 and 2020, and 57 percent have had more than five data breaches during the same time frame. Furthermore, researcher Cybersecurity Ventures predicts healthcare will suffer two to three times more cyberattacks in 2021 than the average amount for other industries and that ransomware attacks on healthcare organizations will grow fivefold by 2021.

In response to healthcare’s significant and growing cybersecurity threats, leading vendor organizations safeguard their systems and their partners by following a cybersecurity framework. A defensible protocol holds vendors accountable to routine audits and compliance measures at a regular cadence, ensuring both parties keep cybersecurity programs active and optimized.

Sharing Responsibility: The Cybersecurity Vendor-Partner Relationship

In a vendor-partner relationship, both parties often share the security responsibility, with the split varying according to the type of hosted infrastructure. For example, as Figure 1 shows, in an on-premises (or self-hosted) solution the responsibility and ownership fall more with the partner, and they shift toward the vendor as the hosted model moves toward software as a service (SaaS).

Figure 1: Vendor-partner hosting relationships.

In contrast to the SaaS model in Figure 1, a vendor (such as Health Catalyst and its hosted Data Operating System (DOS™) platform) uses a platform as a service (PaaS) model and moves toward SaaS as functionality allows. In a PaaS model, shared responsibilities between the vendor and partner exist in three main areas:

  • Identity and directory infrastructure.
  • Applications.
  • Network controls.

Avoiding and Withstanding Attacks Requires a Hybrid Centralized and Decentralized Healthcare Cybersecurity Framework

A healthcare IT vendor cybersecurity framework aims to prevent data breaches from occurring. Sometimes, however, bad actors evade even the most robust measures. For example, on December 13, 2020, the Cybersecurity & Infrastructure Security Agency (CISA) issued its second of five ever-ordered directives for its federal civilian agencies to shut down an imminent threat involving software from a vendor. A nation-state attacker compromised the vendor’s product code, affecting the supply chain of organizations that rely on the software to monitor and manage their network infrastructure. The impact of this attack is only in its first wave and will be felt for a long time.

While even the most comprehensive security infrastructure cannot guarantee that every threat is avoided, a security framework must be robust enough that healthcare cybersecurity teams can logically defend their cybersecurity practices, even amid the panic that follows a breach. In other words, the goal is a layered defense strategy in which the compromise of any one layer does not compromise the entire system.

To galvanize cybersecurity across the organization, C-suite leadership must support the program. The chief information security officer (CISO) establishes centralized security principles through a formalized organizational information security management program. The full C-suite supports processes and standards for decentralized execution and adherence.

In this hybrid centralized and decentralized healthcare cybersecurity model, the CISO is ultimately accountable for the cybersecurity program, which reaches through each of the other C-level business units to set prioritization for security and privacy compliance objectives. Strong C-suite and board alignment also helps align project investments.

The CISO can earn organizationwide support for centralized security principles with ongoing third-party audits and certifications. As external, objective checkpoints, third-party independent reports (versus self-audits) identify gaps and misaligned practices, holding security teams accountable to established standards and scheduled evaluations. The independent third-party perspective offers a credible reference point from outside the organization’s own view and eliminates blind spots. Involving a third party also adds value for other external vendors, who gain a credible report to leverage in their own vendor security risk assessments.

Inside the Healthcare Cybersecurity Framework: Third-Party Audits and Certifications

The operational policies and procedures in place in a vendor-partner relationship are paramount in achieving compliance with the two entities’ regulatory and certification strategies. In a shared-responsibility model, the partner’s security posture depends on its vendor. In the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) is the prevailing regulatory framework. HIPAA typically defines the partner as the covered entity (CE) and its vendor as the business associate (BA). The CE is responsible for performing due diligence in vendor risk assessments on its BAs to assess the risk it inherits where third parties fulfill services or products.

The BA has a fiduciary duty to its partner, and in the context of HIPAA, to notify its partner when it discovers a security incident, breach, or disclosure under the terms defined in the business associate agreement (BAA). This arrangement allows the partner to fulfill its regulatory requirement of reporting such material events to appropriate authorities, following a strategic cybersecurity framework.

The following examples of ongoing third-party audits and certifications support the cybersecurity framework. These measures help organizations maintain cybersecurity standards and assure healthcare organizations that their vendors treat seriously the stewardship to protect the confidentiality, integrity, and availability of the data:

Service Organization Controls

Health Catalyst utilizes System and Organization Controls (SOC) compliance, which comprises a cybersecurity risk management reporting framework. Organizations that comply demonstrate they are managing cybersecurity threats and have effective processes and controls in place to detect, respond to, mitigate, and recover from breaches and other security events.

  • The SOC 1® report provides information about a service organization’s control environment relevant to the partner’s internal controls over financial reporting. At Health Catalyst, for example, the SOC 1 report covers the design and operating effectiveness of controls relevant to the organization’s cloud hosting solution. Vendor organizations receive a SOC 1 Type II report per Statements on Standards for Attestation Engagements (SSAE) No. 18 (Reporting on Controls at a Service Organization) and the International Standard on Assurance Engagements (ISAE) 3402 (Assurance Reports on Controls at a Service Organization).
  • The SOC 2® report is an annual, third-party independent assessment of a control environment. The SOC 2 report is based on the American Institute of CPAs’ (AICPA) Trust Services Criteria and is issued annually following the AICPA AT Section 101 attestation activities. The report provides a 12-month retrospective audit detailing the design and operating effectiveness of controls relevant to any system in the healthcare cloud hosting solution that contains customer data. At Health Catalyst, the SOC 2 report addresses three of the five AICPA Trust Services Criteria (security, availability, and confidentiality).

HIPAA

Vendors may use HIPAA as a basis for their security and privacy framework. Third-party audits measure compliance with HIPAA and assure that the organization has a HIPAA-compliance program with adequate measures for storing, accessing, and sharing individual medical and personal information.

Business Associate Agreements

Some organizations will sign BAAs at their partner’s request. These agreements ensure that partners can meet the HIPAA and Health Information Technology for Economic and Clinical Health Act (HITECH) compliance requirements.

The Electronic Healthcare Network Accreditation Commission

Accreditation by the Electronic Healthcare Network Accreditation Commission (EHNAC) is a national standard that indicates healthcare stakeholders have met or exceeded EHNAC’s criteria. These stakeholders include electronic healthcare networks, financial services organizations, medical billers, third-party administrators, outsourcers, ePrescribing networks, Healthcare Information Service Providers (HISP), Practice Management Systems vendors, and others.

The EHNAC criteria include conformance with federal healthcare reform legislation, including HIPAA, HITECH, the American Recovery and Reinvestment Act, the Affordable Care Act, the HIPAA Omnibus Rule, and other applicable state legislation. In addition, the criteria cover privacy, security, and confidentiality; technical performance; business practices; and resources. EHNAC accreditation is based on an independent peer assessment of an entity’s ability to perform at the level of established industry standards. The accreditation process allows applicants to review their current performance levels and bring those levels into conformance with industry-established minimum standards and best practices and with applicable federal and state healthcare reform legislation.

HITRUST

The HITRUST cybersecurity framework (CSF) leverages nationally and internationally accepted standards, including ISO, the National Institute of Standards and Technology (NIST), the PCI Security Standards Council, and HIPAA, to ensure a comprehensive set of baseline security controls. The CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance with the varied requirements that apply to organizations.

International Organization for Standardization

The International Organization for Standardization (ISO) 27001 is a globally recognized, standards-based approach to security that outlines requirements for an organization’s cybersecurity management system.

The NIST Cybersecurity Framework

The NIST CSF guides organizations on how to improve their ability to prevent, detect, and respond to cybersecurity risks. The NIST 800-53 standard is a publication that recommends security controls for federal information systems and organizations and documents security controls for all federal information systems except those designed for national security.

The Best Defense Against Ongoing Cybersecurity Threats: An Active and Optimized Healthcare Cybersecurity Program

As statistics show, healthcare data breaches and cyberattacks are rarely isolated, infrequent events, but rather ongoing threats requiring constant vigilance. And with the mounting drive for more connectivity throughout the industry, health systems and their IT vendors must prioritize an active and optimized cybersecurity framework in their digital and operational strategies. The most secure protocols define the security responsibility in the vendor-partner relationship and hold vendors accountable to routine audits and compliance measures.

Additional Reading

Would you like to learn more about this topic? Here are some articles we suggest:

  1. COVID-19 Healthcare Cybersecurity: Best Practices for a Remote Workforce
  2. How Artificial Intelligence Can Overcome Healthcare Data Security Challenges and Improve Patient Trust
  3. Pairing HIE Data with an Analytics Platform: Four Key Improvement Categories
  4. Exceptions to Information Blocking Defined in Proposed Rule: Here’s What You Need to Know
  5. Three Must-Haves for a Successful Healthcare Data Strategy
