This article is the third in a series. For previous installments, visit “Cybersecurity Frameworks in Healthcare” and “Cybersecurity Frameworks in Healthcare, Part 2.”

In this third and final column in our short series on cybersecurity in healthcare, we take a deeper dive into two key resources from the Health Information Trust Alliance (HITRUST). In part 2, we explored HITRUST’s cybersecurity framework. This time, we’ll add to the picture by surveying HITRUST’s risk management framework (RMF) and methods for staying current with cyber threats.

The RMF complements the organization’s common security framework (CSF) by adding a process to help assess your cybersecurity platform along with methods to make best use of your CSF. If you do not have a CSF, are currently in the process of creating one, or are using the HITRUST CSF as a template to evaluate your own platform, the RMF can be a great assessment tool. Rather than starting from scratch, you can use the RMF to provide guidance for what you might need to change to ensure your CSF provides adequate cybersecurity. As we’ll see later in this column, not having a CSF and being able to show how you implement and assess it can be detrimental in the event of an audit by the Office for Civil Rights (OCR). For more information on developing a CSF, see the February Networking installment (part 2).

Recall from last month that the HITRUST CSF is defined by 14 security control categories, which are broken down into 45 control objectives and finally detailed by 149 control specifications. The control specifications are then mapped to healthcare standards and regulations.1

As the name suggests, an RMF outlines how to use a protocol or procedure to manage risk. Another way to look at it is that the RMF offers a structured process that combines information security and risk management activities into an ongoing cycle that protects against cyber attacks.2

Four Steps

The HITRUST RMF includes four major steps. Step one is Identify Risks and Define Protection Requirements. The HITRUST CSF changes the way healthcare IT administers ePHI security and privacy. It rationalizes industry regulations and standards into a single, all-encompassing framework designed for the healthcare industry while remaining customizable to the organization’s specific and unique needs.

Step two is Specify Controls. The control items are embedded in the CSF and support multiple security control baselines. The baselines can differ by medical device modality. HITRUST allocates these baseline controls via three risk factors: organizational type and size (for example, a 350-bed hospital versus a physician practice, where each has different needs); system requirements (for instance, risk factors that might include a system’s ability to store ePHI); and regulatory requirements (as in regulations like the Federal Trade Commission’s Red Flags Rule). All of these controls are defined in the organization’s CSF and result in a healthcare-specific baseline tailor-made to an organization’s clinical, business, and compliance obligations.

This leads to step three—Implement and Manage Controls. HITRUST offers training, including for third-party consultants, in the CSF and CSF Assurance Program methods and tools. This training enables CSF implementation support for healthcare provider organizations, as recommended by the OCR. It allows providers lacking the capability or capacity to implement and assess information security and privacy controls to outsource those IT services.

Consultants can provide services like security operations, incident management, subsequent investigations, and disaster recovery. The available CSF resources and controls can be mapped to each of these services. The resulting map, as step three intends, helps to show where security services might be failing to maintain compliance.

Finally, in step four of the RMF process, Assess and Report, the CSF Assurance Program offers simple and consistent compliance assessment and reporting against a CSF and the authoritative regulations and standards it incorporates. Remember that this approach is designed for the unique regulatory and business needs of organizations in the healthcare industry.

HITRUST Briefings

The other aspect to be aware of is the constant updating of the CSF and RMF. In general, most active standards and other specifications are updated on an annual basis, as are the HITRUST documents. Unfortunately, cyber threats occur much more often than that—cyber criminals don’t adhere to the same timetable!

Luckily, HITRUST members are kept informed via monthly cyber threat and security briefings. You can sign up for a free membership via the HITRUST Web site, after which you’ll be notified of the date and time for the briefings via email.

HITRUST teams with the Department of Health and Human Services (HHS) to deliver these updates. The idea is to provide current and actionable information that helps organizations prepare more quickly than the annual update to the CSF and RMF allows.3 The briefings feature security leaders who inform members about the latest threats to the healthcare industry. This includes sharing best practices for threat defense and response. The monthly briefings also help to identify early warning signs that might point to a breach.4

Data at Rest and on the Move

Prior to these open-source tools, healthcare organizations were on their own when it came to ensuring cybersecurity compliance. It was up to individual facilities to stay on top of all the current regulations and keep their frameworks up to snuff. When the National Institute of Standards and Technology (covered in part 1) and HITRUST came along, they created a viable, robust CSF template that maps to all the current regulations and helps ensure cybersecurity protection levels remain high. Both organizations allow you to customize a framework that best fits your needs and budget. This grassroots, community-driven approach to cybersecurity is long overdue.

Cyber attacks are serious business, and the growing use of technology makes cybersecurity harder to deploy. An increase in doctors’ use of smartphones provides more virtual doors directly into a secured network. Only 23% of healthcare organizations use mobile device encryption.5 This is a real problem, since lost or stolen computers, hard drives, smartphones, and USB memory sticks are still the number one cause of HIPAA breaches. As new technology is introduced, the rate of adoption typically outpaces efforts to ensure its security. Use of mobile devices is already ahead of some facilities’ ability to manage them adequately.

Mobile devices open security risks in two major ways. Data can reside on the device and be accessed (called “data at rest”). Also, the device can be a way of gaining live access to “moving data,” by hacking into ePHI traffic on the network or poking into the electronic medical record system at a healthcare organization.5 Plus, smartphones’ size makes them easier to lose than a laptop. USB sticks are even easier to misplace. There has been an ongoing increase in ePHI breaches from lost or stolen laptops, smartphones, third-party problems, and outright criminal attacks. The good news is that unintentional and intentional breaches from employees and insiders have been decreasing. While we continue to up the ante on the “wet layer” (the human interface), we seem to struggle to keep pace with technology and with physical control of our electronic devices!

ePHI breaches can also be expensive. Consider the $1.7 million fine that the Alaska Department of Health and Social Services recently received.6 The department dutifully reported the breach from a stolen USB memory stick. The OCR followed up to investigate other potential violations of the HIPAA Security Rule. The OCR upped the fine when the investigation found that the department did not have sufficient policies and procedures in place to protect ePHI. The department did not conduct a risk analysis, did not implement enough risk management measures, and did not conduct security training for its workforce members, implement device and media controls, or address device and media encryption as required by HIPAA.

To avoid such horror stories at your organization, look into the HITRUST site. There is training available, as well as a backlog of the monthly briefings, the major documents (CSF and RMF), and resources for testing security. Cybersecurity continues to require constant vigilance!

Jeff Kabachinski is a healthcare IT pundit and technical strategist in Davidson, NC. For more information, contact chief editor Jenny Lower at [email protected]

References

  1. HITRUST Alliance. (2015). HITRUST Common Security Framework 2015, version 7. Retrieved from hitrustalliance.net
  2. Health Information Trust Alliance (HITRUST). (2015, March 19). Risk Management Frameworks (p. 28). Frisco, Tex. Retrieved from hitrustalliance.net
  3. Association for the Advancement of Medical Instrumentation (AAMI). (2014, Spring). Cybersecurity News and Products. Horizons, p. 6.
  4. Health Information Trust Alliance (HITRUST). (2016, February). HITRUST Monthly Cyber Threat Briefing. Retrieved from https://hitrustalliance.net
  5. Dolan, P. L. (2011, December 19). Smartphones blamed for increasing risk of health data breaches. American Medical News. Retrieved from ama-assn.org/amednews/2011/12/19/bil21219.htm
  6. U.S. Department of Health and Human Services (HHS). (2011). Alaska DHSS settles HIPAA security case for $1,700,000. Health Information Privacy. Retrieved from http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/alaska-DHSS/index.html

Photo credit: © Binu Omanakkuttan | Dreamstime.com