As US healthcare organizations increase their reliance on health information technology for purposes such as data sharing, process automation, and system interoperability, their attack surface expands rapidly.
The sector is particularly exposed to ransomware, data theft, and endpoint compromise.
- Ransomware can enter a system through relatively simple pathways, such as phishing emails. The stakes are much higher in healthcare because loss of access to data at a patient care facility is not merely an inconvenience but a direct risk to patient safety. Cybercriminals exploit this urgency to demand larger sums and faster payment in exchange for restoring access to critical data, such as medical records.
- Patient data in health records can be sold on the darknet and used to commit lucrative cybercrimes, such as insurance fraud and identity theft.
- The connectivity of modern Internet of Things (IoT) medical devices makes them attractive entry points for attackers. Many run outdated software and cannot be patched on a normal cycle, and on a flat (unsegmented) network, unauthorized access to a single unsecured device gives an attacker a foothold from which to reach the other devices and computer systems it can talk to.
Like the financial industry, the US healthcare sector is also heavily regulated. Healthcare providers and other related entities must implement effective cybersecurity programs to identify, mitigate, and prevent cyberattacks.
8 Most Critical Cybersecurity Regulations and Frameworks in the Healthcare Industry
In 2021, healthcare had the highest total average data breach cost of any industry – US$9.23 million. Further, 44,993,618 health records were exposed or stolen in 2021, making it the second-highest year for breached records.
Compliance with healthcare regulations does more than help organizations avoid hefty fines.
Compliance also tends to mature an organization's security posture at a more consistent and measurable rate.
Gaining certification with recognized security frameworks provides additional credibility for organizations and allows them to assess their compliance with regulations.
Such frameworks remove the labor-intensive task of designing a cybersecurity roadmap from scratch.
If budget or time is scarce, even just complying with the framework requirements helps organizations assess their security posture and identify areas of compliance and non-compliance.
A clear vision of how to achieve cyber resilience helps ensure all capability gaps are addressed and sets a clear pathway towards security posture maturity.
Below are 8 of the top cybersecurity regulations and frameworks that US healthcare organizations should keep front of mind when developing their information security policies. It's important to understand that regulations and frameworks are two very different things. This post explains the difference between the two.
The list is not presented in any intentional order and provides the following information about each regulation/framework:
- Is compliance mandatory?
- Which countries are covered?
- What are the penalties for non-compliance (if compliance is mandatory)?
- Additional resources
1. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity
The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a comprehensive set of industry guidelines with the aim of mitigating organizational cyber risks.
NIST has released a wide range of cybersecurity publications, including NIST 800-53.
NIST SP 800-53 originally established security controls for federal information systems only. The publication's latest revision (Revision 5) drops the "federal" scope from its title and is written to apply to any organization, including the healthcare sector.
Revision 5 also integrates privacy controls with the security controls, creating a unified control catalog for systems and organizations.
Is NIST Compliance Mandatory?
NIST compliance is mandatory for all federal entities and their contractors.
NIST compliance is voluntary for all private sector businesses, including private healthcare.
It’s advisable for healthcare organizations to achieve NIST compliance to reap the following benefits:
- No Cost: The NIST Framework is free, allowing organizations to invest in a more robust cybersecurity program without compromising quality for budget.
Using a proven framework rather than creating one from scratch also enables organizations to better allocate their resources to other risk management efforts.
- Flexibility: The NIST framework can be adopted across all industries, including healthcare. NIST’s adaptability also allows it to maintain relevance as organizations scale their cybersecurity programs.
- Integrations: Complying with several frameworks and regulations quickly becomes a complicated endeavor, especially when considering additional internal risk management and compliance requirements. NIST minimizes many of the complications arising from diverse compliance requirements by mapping seamlessly into other frameworks and regulations, like HIPAA and ISO 27001.
Which Countries Does NIST Cover?
Organizations in any country can adopt NIST as it maps to globally-recognized standards.
What are the Penalties for Not Complying with NIST?
For government agencies, non-compliance with NIST standards can result in negative audit findings, budget consequences, and loss of federal funding; for their contractors and third-party vendors, it can mean loss of the contract.
In the United States, NIST compliance for federal systems is enforced under the Federal Information Security Management Act (FISMA), updated in 2014 as the Federal Information Security Modernization Act.
NIST Compliance Resources
The following resources are helpful guides for achieving and maintaining NIST compliance:
- Compliance Guide: NIST CSF and the Healthcare Industry (UpGuard)
- Tips for NIST SP 800-53 Compliance (UpGuard)
- NIST SP 800-53, Revision 5 Control Mappings to ISO/IEC 27001 (NIST)
- NIST Risk Management Framework (NIST)
2. Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a US federal law enacted in 1996 to regulate the disclosure and protection of health information in the country.
Three of its implementing rules matter most for cybersecurity: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
The HIPAA Privacy Rule aims to define and limit the circumstances in which an individual's healthcare information may be used or disclosed by covered entities.
Covered entities cannot use or disclose protected health information (PHI), including electronic protected health information (ePHI), unless:
- The Privacy Rule permits or requires it; or
- The subject of the information (or a representative) provides written authorization.
There are only two situations when PHI must be disclosed:
- When an individual or their representative requests access to it, or an accounting of disclosures.
- When HHS is undertaking a compliance investigation, review, or enforcement action.
The Security Rule requires covered entities and their business associates to implement administrative, physical, and technical safeguards for ePHI, starting with a documented risk analysis. Risk assessments help organizations achieve and maintain HIPAA compliance by highlighting areas of compliance and uncovering any gaps that pose a security risk.
The Breach Notification rule states that covered entities and their business associates must provide notification following a breach of unsecured protected health information.
Is HIPAA Compliance Mandatory?
HIPAA compliance is mandatory for the following entities in the United States:
- Health plans
- Health care providers
- Health care clearinghouses
- Business associates
Which Countries are Covered by HIPAA?
HIPAA only applies to the United States. However, most other countries have their own national equivalents.
What are the Penalties for HIPAA Non-Compliance?
Non-compliant covered entities may be liable for civil penalties through the Office for Civil Rights (OCR), under the Department of Health and Human Services (HHS).
Penalties range from $100 to $50,000+ per violation, with a calendar-year cap of $1,500,000 per violated provision; the amounts are adjusted annually for inflation.
Certain violations of the Privacy Rule may also be subject to criminal prosecution.
HIPAA Compliance Resources
The following resources are helpful guides for achieving and maintaining HIPAA compliance:
- HIPAA Privacy Rule Summary and Compliance Tips (UpGuard)
- The HIPAA Privacy Rule (HHS)
- The HIPAA Security Rule (HHS)
- The HIPAA Breach Notification Rule (HHS)
3. Center for Internet Security (CIS) Critical Security Controls
The CIS Controls (version 8) prioritize a set of 18 (previously 20) actions that help protect organizations against cyber attacks. These controls include:
- CIS Control 1: Inventory and Control of Enterprise Assets
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 3: Data Protection
- CIS Control 4: Secure Configuration of Enterprise Assets and Software
- CIS Control 5: Account Management
- CIS Control 6: Access Control Management
- CIS Control 7: Continuous Vulnerability Management
- CIS Control 8: Audit Log Management
- CIS Control 9: Email and Web Browser Protections
- CIS Control 10: Malware Defenses
- CIS Control 11: Data Recovery
- CIS Control 12: Network Infrastructure Management
- CIS Control 13: Network Monitoring and Defense
- CIS Control 14: Security Awareness and Skills Training
- CIS Control 15: Service Provider Management
- CIS Control 16: Application Software Security
- CIS Control 17: Incident Response Management
- CIS Control 18: Penetration Testing
Is Compliance With the CIS Controls Mandatory?
No, the CIS Controls are not mandatory but recommended to enhance healthcare cybersecurity.
For the highly-regulated healthcare industry, the CIS Controls provide a streamlined starting point for strengthening cyber defense and complying with other mandatory requirements.
Which Countries Do the CIS Controls Cover?
The CIS Controls are not tied to any jurisdiction; they are internationally recognized and suitable for organizations of all sizes.
CIS Controls Compliance Resources
The following resources are helpful guides for achieving and maintaining CIS Controls compliance:
- What are the CIS Controls for Effective Cyber Defense? (UpGuard)
- The 18 CIS Critical Security Controls (CIS)
4. Control Objectives for Information and Related Technology (COBIT)
COBIT is an IT governance and management framework developed by the Information Systems Audit and Control Association (ISACA). The most recent version of COBIT is COBIT 2019.
COBIT 2019 aims to align IT activities with broader organizational objectives through six (previously five) principles:
- Provide Stakeholder Value
- Holistic Approach
- Dynamic Governance System
- Governance Distinct from Management
- Tailored to Enterprise Needs
- End-to-End Governance System
The comprehensive coverage of COBIT 2019 ensures healthcare organizations have clear visibility over how their cybersecurity risks are being managed, regulatory compliance requirements, and the value of investing in an in-depth information security policy.
Using the COBIT maturity model, healthcare organizations can also identify IT capability gaps and effectively plan how to bridge them.
Is COBIT Mandatory?
No, COBIT is not mandatory but is recommended in the healthcare industry as a foundation for achieving a unified governance structure, enabling streamlined care and lower costs.
Which Countries Does COBIT Cover?
COBIT is a globally-recognized and utilized framework.
COBIT Resources
- Control Objectives for Information Technologies Resources (ISACA)
- Governing Digital Transformation Using COBIT 2019 (ISACA)
5. ISO/IEC 27001
The standard was developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is the certifiable standard within the ISO/IEC 27000 family and specifies the requirements for establishing, operating, and continually improving an information security management system (ISMS).
For healthcare organizations, implementing ISO 27001 is an effective approach to regulating, managing, and handling sensitive data, like patient information. Once established, an ISMS ensures there are efficient processes in place to identify and mitigate cyber risks and an incident response plan in effect should a security incident occur.
At the time of writing, the current version of the standard was ISO/IEC 27001:2013; a 2022 revision (ISO/IEC 27001:2022) has since been published, so check which version your certification body audits against.
Is ISO 27001 Mandatory?
ISO/IEC 27001 is not a mandatory requirement in most countries, but it’s strongly recommended for healthcare organizations to implement ISO 27001 due to the high volume of cyber attacks and strict regulations in the healthcare industry.
Which Countries Does ISO 27001 Cover?
ISO 27001 is an internationally recognized information security standard.
ISO 27001 Resources
- What is ISO 27001? A Clear and Concise Explanation for 2022 (UpGuard)
- ISO 27001 Implementation Checklist (UpGuard)
- ISO/IEC 27001:2013 (ISO)
6. HITRUST (originally Health Information Trust) Common Security Framework (CSF)
The HITRUST Alliance aims to “safeguard sensitive information and manage information risk for global organizations across all industries and throughout the third-party supply chain” through its risk and compliance management frameworks and methodologies.
The organization works with leaders in privacy, information security, and risk management, across several industries in both the public and private sectors.
HITRUST developed the HITRUST CSF to assist healthcare organizations and their cloud service providers with demonstrating their cybersecurity measures and compliance clearly and efficiently.
The framework is built on the US healthcare laws HIPAA and the HITECH Act, which impose requirements on the use, disclosure, and safeguarding of protected health information across the industry.
The HITRUST CSF is sectioned into 19 different domains:
- Information Protection Program
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Wireless Security
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Control
- Audit Logging & Monitoring
- Education, Training, and Awareness
- Third-Party Assurance
- Incident Management
- Business Continuity & Disaster Recovery
- Risk Management
- Physical & Environmental Security
- Data Protection & Privacy
Covered health entities and their cloud service providers can also use HITRUST as a benchmark for measuring compliance against other industry frameworks, such as ISO 27001, NIST, HIPAA, COBIT, and PCI DSS.
Is HITRUST Compliance Mandatory?
HITRUST is not compulsory for organizations. However, any organization that produces, accesses, stores, or exchanges information relating to personal health should achieve HITRUST compliance in order to clearly demonstrate their compliance with mandatory industry regulations, such as HIPAA.
Such organizations include healthcare vendors, pharmacies, hospitals, insurance companies, and physicians’ offices. As a highly-regarded security framework, HITRUST certification builds credibility for these organizations.
Which Countries Does the HITRUST CSF Cover?
The HITRUST CSF is a globally-certifiable program that can be customized and adapted to different organizations according to their type, size, systems, and compliance requirements.
HITRUST CSF Resources
The following resources are helpful guides for achieving and maintaining HITRUST CSF compliance:
7. Quality System Regulation (QSR)
The United States Food and Drug Administration (FDA) is enforcing stricter cybersecurity requirements for medical devices during the design process. These requirements aim to reduce the risk of operational shutdown should a device become compromised by unauthorized access.
The FDA states “Cybersecurity is a shared responsibility among stakeholders, including Original Equipment Manufacturers (OEMs), healthcare establishments, healthcare providers, and independent service organizations (ISOs).”
In addition to this shared stakeholder responsibility, medical device manufacturers must ensure their risk management, design controls, maintenance, surveillance, and response processes integrate effective security controls.
Example controls include implementing device user authentication and encrypting any patient data stored on devices for stronger data protection.
The QSR (21 CFR Part 820) further defines the requirements device manufacturers must follow to protect connected medical devices from cybercriminals. Device manufacturers must ensure design changes are verified and validated, which includes software patching in response to identified vulnerabilities.
Is QSR Compliance Mandatory?
All medical device manufacturers must comply with the QSR to address all cybersecurity risks associated with their products.
While QSR compliance is not directly the responsibility of other healthcare entities, the FDA advises “all interested stakeholders [should] collaborate on methods or pathways that could be used to efficiently develop, validate, and implement software changes for medical devices.”
Which Countries Does the QSR Cover?
Any medical device supplier wishing to sell their products in the United States must comply with the QSR.
What are the Penalties for QSR Non-Compliance?
The FDA can enforce several different types of penalties for non-compliant organizations, ranging in severity from warning letters to civil money penalties of up to $500,000 for corporations, and criminal prosecution.
QSR Compliance Resources
The following resources are helpful guides for achieving and maintaining QSR compliance:
- Strengthening Cybersecurity Practices Associated with Servicing of Medical Devices: Challenges and Opportunities (FDA)
- The FDA’s Role in Medical Device Cybersecurity (FDA)
- CFR - Code of Federal Regulations Title 21 (FDA)
8. Payment Card Industry Data Security Standards (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to prevent payment card fraud and protect cardholders from theft of their card data.
All healthcare organizations that accept payment cards for goods and services must comply with PCI DSS.
The PCI DSS outlines controls for securing the three primary stages of the cardholder data lifecycle:
- Credit card data processing
- Credit card data storage
- Credit card data transfer
Which Countries Does PCI DSS Cover?
PCI DSS is an internationally-recognized standard.
Is PCI DSS Compliance Mandatory?
Compliance is mandatory for any organization that stores, processes, or transmits cardholder data; it is enforced contractually by the card brands and acquiring banks rather than by statute.
What are the Penalties for PCI DSS Non-Compliance?
Non-compliant organizations can face fines of $5,000 to $100,000 per month until they achieve verified compliance. The card brands levy these fines on the acquiring bank, which typically passes them on to the merchant.
PCI DSS Compliance Resources
The following resources are helpful guides for achieving and maintaining PCI DSS compliance:
- PCI Compliance Without the Headache (UpGuard)
- Best Practices for Cybersecurity Compliance Monitoring in 2021 (UpGuard)
- Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire (PCI Security Standards)
How to Maintain Cybersecurity Compliance in the Healthcare Sector
The following cybersecurity best practices can help healthcare organizations achieve and maintain compliance with regulations and recognized frameworks.
Implement Zero-Trust Architecture (ZTA)
Zero-trust architecture grants no implicit trust based on network location: every request, whether from inside the hospital network or from the internet, is authenticated and authorized on the basis of the user's identity, the device's security posture, and the sensitivity of the resource, and is denied by default if any check fails.
Enforcing least privilege on every request in this way adds a layer of protection against unauthorized access to sensitive information, including by an attacker who has already compromised one device on the network.
Executive Order 14028 (May 2021) directs US federal agencies to advance toward zero-trust architecture; it does not bind private healthcare organizations directly, but it signals the direction regulators and large partners expect.
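The following policy decision point illustrates the zero-trust evaluation described above. It is an added example, not code from the original page or from any vendor: the resource classes, role grants, posture attributes, and sample requests are all hypothetical, and a real deployment would take the identity and MFA claims from an identity provider token and the device posture from MDM or EDR telemetry rather than from a plain dataclass.

```python
"""Minimal zero-trust policy decision point (PDP).

Added example, not from the original page. The resource classes, role grants,
and posture fields are hypothetical; in practice identity claims come from an
IdP token and device posture from MDM/EDR.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject: str
    role: str
    action: str           # "read" or "write"
    resource: str         # path-like identifier, e.g. "ehr/patient/123"
    mfa: bool             # identity provider asserted a second factor
    device_managed: bool  # device enrolled in MDM/EDR (assumed posture source)
    device_patched: bool  # posture check: OS and agent up to date
    source_network: str   # "corp" or "internet": recorded for audit, never trusted


# Hypothetical resource classification by path prefix.
RESOURCE_CLASS = {"ehr/": "phi", "billing/": "pci", "intranet/": "internal"}

# Least privilege: a role may only perform the (class, action) pairs listed here.
ROLE_GRANTS = {
    "clinician": {("phi", "read"), ("phi", "write"), ("internal", "read")},
    "billing": {("pci", "read"), ("internal", "read")},
    "contractor": {("internal", "read")},
}

SENSITIVE = {"phi", "pci"}


def classify(resource: str) -> str:
    """Map a resource identifier to its sensitivity class; unknown paths get no access."""
    for prefix, cls in RESOURCE_CLASS.items():
        if resource.startswith(prefix):
            return cls
    return "unknown"


def decide(req: Request) -> tuple[bool, str]:
    """Default-deny evaluation of one request.

    Every check must pass. Note that req.source_network is deliberately never
    consulted: being on the corporate network earns nothing.
    """
    cls = classify(req.resource)
    if cls == "unknown":
        return False, "deny: unclassified resource"
    if (cls, req.action) not in ROLE_GRANTS.get(req.role, set()):
        return False, f"deny: role '{req.role}' has no '{req.action}' grant on {cls}"
    if cls in SENSITIVE and not req.mfa:
        return False, "deny: MFA required for sensitive data"
    if cls in SENSITIVE and not (req.device_managed and req.device_patched):
        return False, "deny: device posture insufficient"
    return True, "allow"


def evaluate_samples() -> dict[str, tuple[bool, str]]:
    """Run a set of constructed requests through the PDP and return the decisions."""
    base = dict(subject="dr.lee", role="clinician", action="read",
                resource="ehr/patient/123", mfa=True,
                device_managed=True, device_patched=True, source_network="internet")
    samples = {
        # Remote but fully verified: allowed, location is irrelevant.
        "remote_clinician_read": Request(**base),
        # On the corporate network but unpatched: denied, location earns no trust.
        "corp_unpatched_clinician_read": Request(**{**base, "source_network": "corp",
                                                    "device_patched": False}),
        "clinician_no_mfa": Request(**{**base, "mfa": False}),
        "billing_writes_invoice": Request(**{**base, "subject": "a.kim", "role": "billing",
                                             "action": "write",
                                             "resource": "billing/invoice/9"}),
        "contractor_reads_ehr": Request(**{**base, "subject": "vendor1",
                                           "role": "contractor"}),
        "unknown_resource": Request(**{**base, "resource": "lab/results/7"}),
    }
    return {name: decide(r) for name, r in samples.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in evaluate_samples().items():
        print(f"{name:32s} {'ALLOW' if allowed else 'DENY '}  {reason}")
```

The point to notice is the second sample: a clinician on the corporate network with an unpatched device is refused the same record that a fully verified clinician on the internet can read. In a perimeter model the first request would have been trusted by virtue of its source address; here the decision rests only on identity, role, and device posture, and anything the policy does not explicitly grant is denied.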
Implement a Third-Party Risk Management (TPRM) Solution
Third parties such as billing vendors, cloud providers, and device maintainers handle PHI on a healthcare organization's behalf, so their security posture is part of its own. An ideal TPRM solution should identify vendors' risks and map their security assessment responses against regulatory requirements to uncover areas of compliance and non-compliance.
Identify and Remediate Data Leaks
Data leaks, meaning sensitive data exposed through misconfiguration or carelessness rather than taken by an attacker, are both a prime indicator of an impending data breach and, where the data is PHI or cardholder data, likely a regulatory violation in themselves.
An effective data leak detection solution can help identify these exposures in near real time across both the internal and third-party attack surface, so they can be closed before an attacker finds them.
Invest in an Attack Surface Monitoring Solution
An attack surface monitoring solution identifies vulnerabilities that result in data breaches much faster than manual methods.
UpGuard helps healthcare organizations mitigate data breaches and improve security posture to meet the regulatory requirements and comply with recognized frameworks.