The healthcare industry is progressing towards a more mature cybersecurity posture. However, given it remains a popular attack target, more attention is needed. Results from The Cost of a Data Breach Report 2023 reported that healthcare has had the highest industry cost of breach for 13 consecutive years, to the tune of $10.93M. In 2022, the top 35 global security breaches exposed 1.2 billion records, and 34% of those attacks hit the public sector and healthcare organizations.
Regulators have responded by requiring more guidance to the healthcare industry. The Cybersecurity Act of 2015 (CSA), Section 405(d), Aligning Health Care Industry Security Approaches, is the government’s response to increase collaboration on healthcare industry security practices. Lead by HHS, the 405(d) Program's mission is to provide resources and tools to educate, drive behavioral change, and provide cybersecurity best practices to strengthen the industry's cybersecurity posture.
Additionally, Section 13412 of the HITECH Act was amended in January 2022 that requires that HHS take "Recognized Security Practices" into account in specific HIPAA Security Rule enforcement and audit activities when a HIPAA-regulated entity is able to demonstrate Recognized Security Practices have been in place continuously for the 12 months prior to a security incident. This voluntary program is not a safe harbor, but could help mitigate fines and agreement remedies and reduce the time and extent for audits.
The Recognized Security Practices
Recognized Security Practices are standards, guidelines, best practices, methodologies, procedures, and processes developed under:
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework
- Section 405(d) of the Cybersecurity Act of 2015, or
- Other programs that address cybersecurity that are explicitly recognized by statute or regulation
It is apparent that healthcare organizations are being guided and even incentivized to follow a programmatic approach to cybersecurity and adopt a recognized framework.
How can a cybersecurity framework help?
By creating a common language: Adopting a cybersecurity framework and developing a strategy to implement it allows key stakeholders to start speaking a common language to address and manage cybersecurity risks. The strategy will align business, IT, and security objectives. The framework is leveraged as a mechanism in which to implement the cybersecurity strategy across the organization, which will be monitored, progress and budget reported upon to senior leaders and the board, communication, and synergies with control owners and staff. Individual users and senior executives will start to speak a common cybersecurity language, which is the first step to creating a cyber risk-aware culture.
By sustaining compliance: Adherence to a cybersecurity framework ensures that healthcare organizations comply with relevant regulations and industry standards, such as HIPAA. Compliance can help organizations avoid legal penalties, financial losses, and reputational damage.
By improving cybersecurity risk management practices: The core of implementing cybersecurity risk management is understanding the most valuable assets to the organization so that appropriate safeguards can be implemented based upon the threats. A key challenge to the healthcare industry's cybersecurity posture is knowing what data needs to be protected and where that data is. Accepted frameworks are built on sound risk management principles.
By increasing resilience: Cyberattacks can disrupt critical healthcare services and can be costly, with expenses related to incident response, system recovery, and legal liabilities. Adopting a cybersecurity framework can help organizations minimize the financial impact of a breach or attack by improving their incident response capabilities, minimizing the impact of the breach, and recovering more quickly.
By demonstrating trust: Patients entrust their personal and medical information to healthcare providers. Implementing a cybersecurity framework demonstrates a commitment to safeguarding that information and maintaining patient trust.
The bottom line is that adopting a cybersecurity framework helps to protect sensitive data, maintain business continuity, preserve the organization's reputation, minimize the potential impact of attacks, and create transparency in cybersecurity practices, ultimately resulting in a cyber risk-aware culture.
Sounds beneficial, right? But what cybersecurity framework?
Adaptable framework for healthcare
The HITRUST CSF was originally developed specifically for the healthcare industry, is based upon ISO 27001 and incorporates a number of recognized frameworks, including NIST CSF. Most organizations have multiple compliance requirements and must adjust security requirements based on their threat landscape and then manage risks accordingly. Security requirements are always evolving and an adaptable framework is sorely needed to reduce the burden of CISOs and staff in continually updating their frameworks. As threats evolve, as regulations and frameworks change, so does the HITRUST CSF.
HITRUST achieves the benefits listed above, but implementing a cybersecurity framework is a journey. Organizations need to achieve incremental wins and reduce risk….the HITRUST CSF allows for a stepping stone approach.
New in the CSF v. 11 is control nesting in the three (3) different types of assessments. The assessment types are:
- HITRUST Essentials, 1-Year (e1) Readiness and Validated Assessment (40 basic controls)
- HITRUST Implemented 1-Year (i1) Readiness and Validated Assessment (182 static controls based upon threat intelligence)
- HITRUST Risk-based, 2-Year (r2) Readiness and Validated Assessment *based upon scoping factors)
This creates a progressive journey to implementing a cybersecurity framework while allowing success, adoption, and transparency.
Involved with HITRUST since its inception and one of the original assessors, AT&T Cybersecurity can help you with your HITRUST journey.