Hospitals and health care providers must often look to third party vendors offering cloud computing solutions, but are these companies well-prepared to meet the HIPPA / HITECH Act privacy and security requirements as well as other Federal rules, regulations and ordinances applicable to the commerce in the cloud? Key concerns are privacy and security, as cybersecurity is all about data! Data breaches will happen to your organization– it’s just a matter of when, how much data is taken, what losses are incurred and how your organization and/or its business associates can fix the breach at what cost. Statistically, over 33% of reported breaches can be found in the healthcare sector (which is more than two times the number of breaches reported in any other sector). 80% of breaches by hackers involve the use of employee stolen credentials and 76% of network intrusions exploit week or stolen credentials.
Recent Federal cybersecurity initiatives will require private sector attention by healthcare IT organizations and their cloud vendors. President Obama issued Presidential Policy Directive PPD-21 (February 12, 2013) on Critical Infrastructure Security and Resilience establishing a national policy on network cybersecurity protection for governmental and private sectors. President Obama also issued an Executive Order (February 12, 2013) on improving critical infrastructure cybersecurity with a focus on cyber threat information sharing to aid private sector entities in protecting and defending against cyber threats.
The National Institute of Standards and Technologies (NIST) has been empowered to lead these cybersecurity initiatives. It is focused on the establishment of a voluntary “Cybersecurity Framework” for reducing cyber risks to critical infrastructure. The NIST Cybersecurity Framework will identify existing cybersecurity standards and best practices and high-priority gaps for which new standards are needed as well as developing action plans to address gaps. The goal ultimately is the promotion of the wide adoption in both governmental and private sectors of best practices. The NIST has already acted to codify existing cybersecurity best practices in its April 2013 release of “Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53).
Congress has been holding congressional hearings on cybersecurity threats for energy and communications networks. Recently House of Representatives has passed reintroduced bill H.R. 624, the Cyber Intelligence Sharing and Protection Act of 2013, which centers on real-time data sharing between federal government and private sector to combat cyber attacks.
Other governmental agencies tasked with oversight of interstate commerce and healthcare likewise are speaking up in these cybersecurity discussions. Federal Trade Commission is issuing guidelines and scheduling Q4 2013 public workshops on the “Internet of Things” regarding the dramatically growing capacity of smart devices to communicate and share information through the Internet, and cyber transactions causing concerns over privacy. Food and Drug Administration (FDA) issued on June 13, 2013 recommending measures related to cybersecurity of medical devices incorporating wireless, Internet- and network-connected features for the exchange of medical information between patients and health care providers and communication service providers.
To be well-prepared, healthcare IT departments need to start the dialog with their cloud service providers on how to anticipate and address new requirements. Vendors, hospitals and healthcare private industry groups should work together to create healthcare industry group best practices (based in whole or in part on Federal initiatives).