The healthcare industry is progressing towards a more mature cybersecurity posture. However, given it remains a popular attack target, more attention is needed. Results from the Cost of a Data Breach Report 2023 reported that healthcare has had the highest industry cost of breach for 13 consecutive years, to the tune of $10.93M. In 2022, the top 35 global security breaches exposed 1.2 billion records, and 34% of those attacks hit the public sector and healthcare organizations.
Regulators have responded by requiring more guidance to the healthcare industry. The Cybersecurity Act of 2015 (CSA), Section 405(d), Aligning Health Care Industry Security Approaches, is the government’s response to increase collaboration on healthcare industry security practices. Lead by HHS, the 405(d) Program's mission is to provide resources and tools to educate, drive behavioral change, and provide cybersecurity best practices to strengthen the industry's cybersecurity posture.
Additionally, Section 13412 of the HITECH Act was amended in January 2022 that requires that HHS take "Recognized Security Practices" into account in specific HIPAA Security Rule enforcement and audit activities when a HIPAA-regulated entity is able to demonstrate Recognized Security Practices have been in place continuously for the 12 months prior to a security incident. This voluntary program is not a safe harbor, but could help mitigate fines and agreement remedies and reduce the time and extent for audits.
The Recognized Security Practices
Recognized Security Practices are standards, guidelines, best practices, methodologies, procedures, and processes developed under:
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework
- Section 405(d) of the Cybersecurity Act of 2015, or
- Other programs that address cybersecurity that are explicitly recognized by statute or regulation
It is apparent that healthcare organizations are being guided and even incentivized to follow a programmatic approach to cybersecurity and adopt a recognized framework.
How can a cybersecurity framework help?
By creating a common language: Adopting a cybersecurity framework and developing a strategy to implement it allows key stakeholders to start speaking a common language to address and manage cybersecurity risks. The strategy will align business, IT, and security objectives. The framework is leveraged as a mechanism in which to implement the cybersecurity strategy across the organization, which will be monitored, progress and budget reported upon to senior leaders and the board, communication, and synergies with control owners and staff. Individual users and senior executives will start to speak a common cybersecurity language, which is the first step to creating a cyber risk-aware culture.
By sustaining compliance: Adherence to a cybersecurity framework ensures that healthcare organizations comply with relevant regulations and industry standards, such as HIPAA. Compliance can help organizations avoid legal penalties, financial losses, and reputational damage.
By improving cybersecurity risk management practices: The core of implementing cybersecurity risk management is understanding the most valuable assets to the organization so that appropriate safeguards can be implemented based upon the threats. A key challenge to the healthcare industry's cybersecurity posture is knowing what data needs to be protected and where that data is. Accepted frameworks are built on sound risk management principles.
By increasing resilience: Cyberattacks can disrupt critical healthcare services and can be costly, with expenses related to incident response, system recovery, and legal liabilities. Adopting a cybersecurity framework can help organizations minimize the financial impact of a breach or attack by improving their incident response capabilities, minimizing the impact of the breach, and recovering more quickly.
By demonstrating trust: Patients entrust their personal and medical information to healthcare providers. Implementing a cybersecurity framework demonstrates a commitment to safeguarding that information and maintaining patient trust.
The bottom line is that adopting a cybersecurity framework helps to protect sensitive data, maintain business continuity, preserve the organization's reputation, minimize the potential impact of attacks, and create transparency in cybersecurity practices, ultimately resulting in a cyber risk-aware culture.
Sounds beneficial, right? But what cybersecurity framework?
Email us at [email protected] to get your free cyber security risk assessment today and see how secure you are.