Cyber Regulatory Support

The United States healthcare system is classified as critical infrastructure and as such is protected by several federal agencies within the Department of Health and Human Resources (HHS) but depending on the threat several other agencies may get involved such as the Department of Homeland Security (DHS) and the Federal Bureau of Investigations (FBI). Protecting health data is a goal of regulating bodies that both control design and development of medical devices, like the Food and Drug Administration (FDA), as well as regulating bodies that control the healthcare delivery organizations, like the Centers for Medicare and Medicaid Services (CMS) and the Office of Civil Rights (OCR). Careful coordination among these entities and others help to ensure guidance is provided throughout the industry to manage cyber security threats

The FDA controls the pre and post-market actions of medical device manufacturers through their Center for Devices and Radiological Health (CDHR). Specific to the cybersecurity of medical devices, the FDA has released two main guidance documents; Content of Premarket Submissions for Management of Cybersecurity in Medical Devices and Postmarket Management of Cybersecurity in Medical Devices. The former helps manufacturers meet regulatory requirements in design and development while the latter enforces postmarket surveillance of the device once in the clinical setting. Postmarket surveillance of medical devices is closely regulated. For example, hospitals are expected to report problems with medical devices to the FDA or the manufacture, including cybersecurity problems. The FDA also regulates recalls and safety enhancement communications between various stakeholders in the medical device supply chain (US FDA, 2016).

The two main regulations associated with protecting health information are the HIPPA and the Health Information Technology for Economic and Clinical Health Act (HITECH) and are enforced through the Office of Civil Rights within the executive branch Health and Human Services (HHS). HIPAA, the older of the two laws, established national protections for medical records and personal health information privacy and security. The law requires healthcare delivery organizations to enact safeguards to protect patient data as well as sets limits to their data’s usage. With the implementation of the AARA the HITECH act was enacted to clarify and create stronger enforcement of the HIPAA rules. It promotes interoperability and expands the use of electronic health records through the meaningful use incentive. Strict penalties were established for HIPAA-covered entities and are enforced by the OCR.

The Centers for Medicare and Medicaid have become one of the most influential regulators of healthcare delivery organizations. As the payor of almost half of all healthcare services, CMS is able to create rules that govern CMS-covered entities, which are most healthcare delivery organizations in the US. CMS provides guidance relating to information security through a handbook called the CMS information security and privacy virtual handbook which pointes to frameworks such as System Lifecycle and numerous policies and processes such as the Security Assessment and Authorization process, Security Control Assessment process, and the Information System Security and Privacy Policy. These policies and procedures are the tools by which CMS helps hospitals protect health data and maintain their accreditation (CMS Info, 2019).

One particular mandate, the HIPAA Breach Notification Rule, requires compliant organizations and their business associates to notify patients following a data breach. In addition to healthcare providers, cloud service providers (CSPs) and other business associates of healthcare organizations must also comply with HIPAA privacy, security, and breach notification rules. This ensures that all parties involved in a breach are taking action steps to disclose it to the appropriate parties affected.

Many compliance experts will agree that the steps to be in regulatory compliance typically include the following:

• Determine your individual organization’s requirements and plans on how to implement these mandates.
• Document and clearly define compliance processes. The written report should include specific instructions for each role involved and how to maintain individual and company-wide compliance.
• Monitor changes to policies and determine if they apply to the current state of your organization. Compliance requirements are updated constantly and your company needs to reflect these changes as well.

With the healthcare sector being one of the biggest targets in cybercrime, larger steps needed to be taken to defend against hacking. Aside from the uncovering and misuse of personal information, cyberattacks account for huge financial losses and are expected to grow exponentially without proper mitigation efforts. Ransomware attacks alone cost healthcare organizations $20.8 billion in downtime in 2020, double the amount it cost in 2019, according to a Comparitech report cited by CynergisTek. The responsibility is great for organizations to hold tight to federal compliance mandates to consult with an MSSP to beef up security efforts.

In the Cybersecurity Act of 2015, Congress established the Healthcare Industry Cybersecurity (HCIC) Task Force to address the challenges the healthcare industry faces when securing and protecting itself against cybersecurity incidents. According to the June 2017 publication entitled “Report On Improving Cybersecurity In The Healthcare Industry,” the directives of the task force are as follows:

• analyze how industries, other than the healthcare industry, have implemented strategies and safeguards for addressing cybersecurity threats within their respective industries
• analyze challenges and barriers private entities (excluding any State, tribal, or local government) in the healthcare industry face securing themselves against cyber attacks
• review challenges that covered entities and business associates face in securing networked medical devices and other software or systems that connect to an electronic health record
• provide the Secretary with information to disseminate to health care industry stakeholders of all sizes for purposes of improving their preparedness for, and response to, cybersecurity threats affecting the healthcare industry
• establish a plan for implementing title I of this division, so that the Federal Government and health care industry stakeholders may in real-time, share actionable cyber threat indicators and defensive measures
• report to the appropriate congressional committees on the findings and recommendations of the task force regarding carrying out subparagraphs (A) through (E)

The very nature of integrative healthcare requires a certain degree of information sharing among different entities. Involved in the transmission of, oftentimes, highly sensitive data are payment applications, insurance companies, outside hospitals, laboratories, and pharmacies just to name just a few. Depending on the size of the organization, that can account for dozens to hundreds of individuals accessing a single patient record any given time. This open culture of shared information poses certain risks when it comes to cybersecurity so it’s important to find a balance between allowing it to function progressively and keeping it safe.