- February 12, 2020
- Posted by: Rudy Silva
- Category: Blog
And how GoldSky cyber security can help fill in security gaps
Healthcare practices struggle with privacy and cyber security. If you’re in the industry, this isn’t news to you, but it is nonetheless a statement of fact.
The unfortunate reality is that healthcare experiences twice as many cyberattacks as other industries, and still lags behind when it comes to privacy protection.
Within the past 17 years since the HIPAA Privacy Rule was published, there has been limited guidance from the government on how to properly implement privacy controls or integrate them into their security program if they have one.
In January, NIST (National Institute of Standards and Technology) published version 1.0 of a Privacy Framework guidance document. The Privacy Framework can be an excellent guidebook for healthcare organizations who need help with implementing privacy into their practice operations.
In this post, we’re going to go over why the healthcare industry still struggles with privacy and cyber security. We’ll also break down what this new NIST Privacy Framework can do to help and how healthcare practices could benefit from the guidance provided by a cyber security firm like GoldSky.
Healthcare Practice’s Current Struggles With Privacy & Cyber Security
Concerns over privacy in healthcare have only grown as technology has become more prevalent.
While emerging technology can indeed improve patient awareness and care, the adoption of such “health tech” has been slowed by privacy and security concerns. The majority (53 percent) of patients are open to health tech and believe it can improve the patient-provider relationship, while 62 percent said it keeps them more in-tune with their healthcare.
However, these same study respondents have concerns about security and privacy. Just 38 percent believe that the proper security measures are in place to protect their privacy while 26 percent are simply unaware if safeguards exist. More troublesome is that their worries are shared by healthcare workers themselves.
The 2017 State of Privacy and Security Awareness Report found that 78 percent of healthcare employees showed a lack of preparedness when it comes to how to deal with privacy and security threats.
According to Cynergistek’s annual report on the state of healthcare cybersecurity, hospitals and healthcare practices have an average of just 46 percent conformance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. And even though the HIPAA security rule has been around for years, only 72 percent of healthcare practices meet its requirements.
Simply put: healthcare organizations aren’t able to keep up with advancing technology and are leaving patient data vulnerable to attacks. They struggle with interpreting and implementing the privacy aspects of HIPAA. There are significant gaps in healthcare security functions and controls that need to be addressed.
The NIST framework can definitely help organizations manage privacy risk. But this new framework is just that — a guide to be followed, not a solution in itself. It’s a great tool, but healthcare organizations require additional assistance from companies like GoldSky Cyber Security. GoldSky will step in and do the heavy lifting for your practice to implement measures to help meet HIPAA security and privacy requirements. GoldSky will also adapt the NIST framework to your organization’s unique needs or established security program.
How a Healthcare Practice Can Meet HIPAA Privacy Requirements
Although this privacy framework is fresh on the scene, the final Privacy Rule within HIPAA was originally published in 2000 (3 years prior to the Security Rule). It then became a requirement of HIPAA in 2003 and is one of the longest-standing privacy regulations in the country.
Unfortunately, the Privacy aspects of HIPAA have been very difficult for healthcare practices to implement because the guidance provided by HHS does not adequately state how to practically achieve the requirements. This is especially true for how to integrate them into the practice’s over-all security program. The regulations are in place, but there is little information available to help practices make sure they meet those demands.
Many organizations don’t even understand what exactly it means to be “compliant.” In fact, compliancy itself is a bit of a misnomer as there is no checklist in place to declare a practice as compliant.
While it can be a complicated process to fully lock down sensitive data on your own, working with a cyber security firm like GoldSky can help practices interpret and implement measures to meet the HIPAA requirements.
GoldSky Security does this by providing:
- HIPAA security risk assessment
- HIPAA security and privacy compliance assessments
- Training, workshops, and advisory
Using the NIST Privacy Framework
NIST is a non-regulatory federal agency of the U.S. Commerce Department. Established in 1901 and operated by the Office of Civil Rights, NIST was designed to promote innovation and competitiveness by advancing standards.
A Cyber Security Framework (CSF) was first added to NIST in February 2013 when Executive Order 13636 was issued by President Obama.
The NIST CSF was established to help organizations better understand and improve their cyber security risk management. It also aimed to provide security controls for federal agencies and critical infrastructure systems.
The NIST CSF has five frameworks at its core:
- Identify – develop an understanding of how to discover and manage cybersecurity risks
- Protect – limit or contain the impact of cyber security events
- Detect – define how to identify cyber security events
- Respond – outline how to take action after a cyber security event is detected
- Recover – how to repair and restore any services that were affected by the cyber security event
Following this framework can provide organizations with the pillars it needs to manage cyber security risks. This represents a sort of “cheat sheet” that companies can follow because being HIPAA compliant does not necessarily mean that all of your organization is fully secure. Healthcare practices should actually view being HIPAA compliant as a base security measure (keeping in mind that many organizations aren’t even doing that much).
This original framework was supplemented by the NIST 800-66 guidance. This guidance provides practices with an additional resource to follow and implement the Security Rule aspects of HIPAA. It helps practices better understand the rule, its standards, and security concepts.
NIST’s new Privacy Framework is designed to be complementary to the existing NIST CSF, NIST 800-66, and the Privacy guidance provided by HHS. Each framework keeps in mind that technology is in a state of constant change and can evolve along with it. This will help organizations protect sensitive information in the dynamic and challenging cyber security environment.
According to the 2019 HIMSS Cyber Security Survey, 74 percent of healthcare organizations experienced a significant cyber security incident. Healthcare information must always be protected, making a cyber security program a must.
By following the NIST CSF, NIST 800-66, and the new Privacy Framework, healthcare practices can protect themselves against common cyber security threats like ransomware, malware, and malicious insiders.
How GoldSky Cyber Security Solutions Can Help Healthcare Organizations Interpret & Implement Solid Privacy Programs
Remember that the NIST CSF and Privacy Framework are tools and not solutions. They are a great starting point, but healthcare organizations need to be able to effectively utilize the framework.
Thankfully, the framework is highly customizable to fit the unique needs of any healthcare practice. Often, if a control requirement doesn’t apply, it can be adjusted or eliminated to fit the way the practice operates, and compensating measures can be implemented to ensure the practice is still meeting the requirements of the HIPAA Privacy and Security rules .
This is where healthcare organizations can get a bit lost in trying to implement the framework alone. But you don’t have to — you can leave it to the experts at GoldSky Cyber Security Solutions.
GoldSky will first give a full security risk assessment of your organization’s cyber security based on the requirements from HIPAA. The requirements will be modified to your practice’s individual needs and adapted to how your practice operates. GoldSky will interpret and customize the HIPAA requirements to match up with how your organization does business.
GoldSky will then utilize the Privacy Framework provided by NIST to create a cyber security program that will protect your company against cyber-attacks. The result is a comprehensive healthcare cyber security program.
Make sure your healthcare practice privacy is secure today.
With offices in Denver, Orlando, Tampa, Nashville and Washington D.C GoldSky offers reliable 24/7/365 security solutions to the entire US. Get in touch to learn more about how GoldSky can keep your data secure today.