The healthcare industry is segmented into key sectors, namely hospitals, pharmaceuticals, life sciences, telemedicine, health insurance, and medical equipment. Almost every aspect of these sectors is overseen by either a private regulatory body or the government at the federal, state, or local level. The presence of multiple layers of authority operating under both public and private auspices has created a complex compliance process. The American healthcare system, recognized as one of the largest in the world, has benefitted immensely from these regulations, although keeping up with constantly evolving requirements is a huge challenge for healthcare players.
However, in recent years, the healthcare industry has become a goldmine for cybercriminals. A barrage of cyberattacks has disrupted vital services, caused major business impact, and exposed highly sensitive data. The growing risk from cybersecurity threats has forced the U.S. government to take stringent measures against data breaches and the misuse of privileged information, and various pieces of legislation covering Health IT have been passed and implemented. The U.S. Department of Health and Human Services (HHS) is one of the principal regulatory authorities. This blog discusses the three primary regulations that these authorities use to govern the U.S. healthcare industry.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law covering a range of areas, including the establishment of national standards for electronic health care transactions. The Act protects sensitive patient health information from being disclosed without the patient’s consent or knowledge. Governed by the HHS Office for Civil Rights, HIPAA includes a Privacy Rule and a Security Rule.
- The HIPAA Privacy Rule focuses on the use and disclosure of an individual's Protected Health Information (PHI). The Rule contains standards for individuals' rights to understand and control how their health information can be used.
- The HIPAA Security Rule covers a subset of the information protected by the Privacy Rule. Focused exclusively on electronic Protected Health Information (e-PHI), the Security Rule does not apply to verbal or written PHI.
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 authorizes the U.S. Department of Health and Human Services (HHS) to create programs focused on improving healthcare quality, efficiency, and safety through Health IT. The HITECH Act expanded the privacy and security protections available under HIPAA and, for privacy and security reasons, focuses on increasing the adoption of electronic health records among healthcare providers. Enforced since November 2009, the HITECH Act contains four subtitles, A through D.
- Subtitle A focuses on the promotion of health information technology
- Subtitle B is dedicated to the testing of health information technology
- Subtitle C covers grants and loans funding
- Subtitle D is concerned with the privacy and security of electronic health information
Founded in 2007, HITRUST stands for the Health Information Trust Alliance. HITRUST is a framework created by security industry experts that includes 149 control specifications and incorporates requirements from NIST, ISO, and HIPAA. The "HITRUST approach" ensures that the components are aligned, maintained, and remain comprehensive enough to support an organization's information risk management and compliance program. This approach helps healthcare players effectively manage information risk, data, and compliance. Ideally considered an extension of the HIPAA and HITECH guidance, the framework defines specific control elements to support the regulations' general guidance. Certification by the HITRUST Alliance enables vendors and covered entities to demonstrate compliance with HIPAA requirements based on a standardized framework.
Healthcare IT is also subject to other laws and regulations focused on protecting patient information and improving transparency. Some of them are:
- The Anti-Kickback Statute prohibits the exchange of anything of value in return for the referral of business reimbursable by federal health care programs.
- The Ethics in Patient Referrals Act of 1989, or Stark Law, prohibits physicians from referring patients to laboratory services in which they have a financial interest.
- The Federal False Claims Act, or Lincoln Law, imposes liability on persons or companies who defraud government programs.
- The Physician Payments Sunshine Act of 2010 was established to improve the transparency of financial relationships between healthcare providers and pharmaceutical manufacturers.
Measures for regulatory compliance and enhanced cybersecurity
Although the U.S. government has implemented several regulations, it is up to healthcare players to look at data protection from a more holistic perspective than 'just compliance'. Healthcare organizations must become resilient in their approach to protecting patient information and medical data. To that end, here are some of the best practices that should be followed to protect against data breaches.
- Educate healthcare staff through security awareness training to avoid human negligence/error
- Restrict access to patient data & applications through multi-factor authentication & biometrics
- Implement data usage controls and restrict actions such as unauthorized email sends, web uploads, or printing
- Log and monitor the use of medical supplies to detect suspicious activity or usage
- Implement data encryption to prevent attackers from deciphering patient information
- Secure mobile devices by implementing guidelines and whitelisting policies
- Mitigate connected device risks through continuous monitoring
- Conduct regular risk assessments to identify vulnerabilities
- Utilize off-site data backup as an option for disaster recovery
- Evaluate the compliance of business associates as part of your security measures
GAVS offers best-in-class solutions and high-quality cybersecurity services, including medical device security, to healthcare organizations. Cybersecurity platforms can be configured to support and enforce regulatory security and privacy requirements. To learn more about our security offerings for healthcare, please visit https://www.gavstech.com/healthcare/.