The healthcare industry has been the target of countless hacking attempts despite adopting security protocols outlined in the Health Insurance Portability and Accountability Act (HIPAA) since 1996. Hackers have found innovative ways to create a data breach, leverage the high value of Protected Health Information (PHI) and create severe disruptions in the healthcare ecosystem. Over the last two decades, they have benefitted from loopholes in the IT architecture of healthcare organizations and the lack of security awareness training imparted to healthcare employees. Even today, it is not uncommon to hear about the next big data breach in a reputed chain of hospitals, diagnostic centers, or healthcare insurance companies, despite the growing advancements in security software, firewalls, and numerous methods to prevent a cyber attack. However, the truth about hacking attempts that failed is unknown.
There are many security regulations with benchmarks that make healthcare organizations consistently vigilant, including HIPAA. These contribute to the hidden success stories of failed hacking attempts and secure patient data. One such initiative is by the Office for Civil Rights (OCR), which enforces HIPAA compliance and shares regular updates about the dynamic nature of cyber threats to ensure the healthcare ecosystem is able to take preventive action.
Customers, vendors, regulatory bodies, and shareholders associated with the healthcare ecosystem have made a series of demands about compliance, regular attestation, and at times, certification. We have identified the top 5 security regulations in the healthcare ecosystem which are being considered by organizations and would like to share their differences regarding validity, impact of violations, cost, number of controls, etc. for your benefit.
HIPAA: HIPAA is a set of mandatory standards to manage the use and disclosure of patient data or Protected Health Information (PHI). HIPAA compliance is mandatory for all Healthcare Providers, Business Associates (Vendors of Healthcare Providers), Healthcare SaaS companies, subcontractors, and any organization that directly or indirectly works with PHI. HIPAA has been amended to include additional rules that expand its scope and applicability and help the healthcare ecosystem prevent cyber attacks. The Office for Civil Rights (OCR) enforces HIPAA, while the Department of Health and Human Services (HHS) regulates HIPAA compliance. The OCR regularly publishes recommendations on new issues affecting healthcare and investigates common HIPAA violations on a regular basis.
Organizations need to demonstrate HIPAA compliance by designing policies and procedures, conducting regular staff training, and ensuring their IT architecture and data privacy protocols are aligned with all HIPAA rules. They are also responsible for ensuring that their vendor contracts include mandatory HIPAA compliance protocols. HIPAA violations can lead to penalties, fines, and even jail time.
While the healthcare industry has been aware of HIPAA rules, due to the sharp increase in cyber attacks, their customers, vendors, and shareholders have begun asking for proof of compliance with other security regulations.
ISO 27001: ISO 27001 is a generic standard for information security developed and regulated by the International Organization for Standardization and is officially referred to as ‘ISO/IEC 27001’. It is part of the ISO/IEC 27000 family of standards for information security management. It is a very comprehensive set of controls covering the entire spectrum of information processing. ISO 27002 contains the implementation details and customization details of ISO 27001.
ISO 27001 is a triennial certification with annual surveillance audits. Organizations usually pursue this voluntary certification to become eligible for RFQs for B2B or B2G contracts owing to its extensive list of controls, which prove that they can secure customer data. The impact of a violation is severe since they stand to lose their reputation and revenue from contracts that were signed with the condition that they maintain their ISO 27001 certification. While healthcare customers have a moderate level of acceptance for ISO 27001 certification, it is being considered by larger organizations in addition to HIPAA.
SOC 2: SOC 2 is a data privacy standard for compliance developed by the American Institute of CPAs (AICPA). It defines the criteria for managing customer data based on five ‘trust service principles’ – security, availability, processing integrity, confidentiality, and privacy. Organizations undergo a SOC 2 examination and receive a SOC 2 Report, commonly referred to as a SOC 2 Certificate. The SOC 2 Certificate only assesses the maturity of controls during the time of the SOC 2 Audit period. Organizations need to renew their certification at regular intervals to prove their continuous compliance.
SOC 2 is popular in the US and is considered by healthcare organizations since it is moderately challenging to implement. At databrackets, we have supported several healthcare SaaS companies to prepare for their SOC 2 examination and test their controls before their SOC 2 audit. In our experience, the commitment to data privacy it commands is rigorous, and the benefits far exceed the financial investment.
NIST Security Guidelines: The NIST security guidelines are voluntary guidance based on existing standards, policies, and practices for organizations to better manage and reduce cybersecurity risks. NIST 800-53 and NIST Cybersecurity Framework (NIST CSF) are the leading security guidelines for managing and communicating cybersecurity posture amongst internal and external organizational stakeholders. While NIST guidelines do not lead to a certification by external authorized personnel, organizations use attestation to prove they comply with the specific NIST standard.
Regular maintenance and consistent vigilance are required to ensure you continue to comply with NIST CSF and NIST SP 800-53 rev 5. However, you don’t need to get re-assessed until a new version of the standard is published. Despite this flexibility, vendor contracts may require an attestation to a specific NIST Security Guideline because of the extensive controls which require substantial investment.
HITRUST CSF: HITRUST is specifically developed for organizations in the Healthcare ecosystem that want to leverage other leading security standards along with HIPAA regulations. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner. Several organizations view HITRUST CSF as the ideal benchmark for the healthcare ecosystem, which needs security protocols beyond HIPAA. Though this annual certification may sound like a panacea, the financial investment in implementing its dynamic mix of controls from various security standards is not viable for many organizations.
Comparisons
Comparing Top 5 Security Regulations for Healthcare | HIPAA and HITECH | ISO 27001
| SOC 2 | NIST Security Guidelines | HITRUST CSF (Common Security Framework) |
|---|---|---|---|---|---|
Description | HIPAA is mandated by the HHS and enforced by the OCR. HIPAA Compliance is mandatory for covered entities, business associates and subcontractors. Under the Act, there are 18 HIPAA identifiers or types of PHI that must be protected by all organizations that store, process and transmit it. HIPAA applies to the entire healthcare ecosystem. | ISO 27001 is a generic standard for information security developed by ISO. It is a very comprehensive set of controls covering the entire spectrum of information processing. ISO 27002 contains the implementation details and customization details of ISO 27001. | SOC 2 is a standard for compliance developed by the American Institute of CPAs (AICPA). It defines the criteria for managing customer data based on five ‘trust service principles’ – security, availability, processing integrity, confidentiality, and privacy. | The NIST security guidelines are voluntary guidance based on existing standards, policies, and practices for organizations to better manage and reduce cybersecurity risks. NIST 800-53 and NIST Cybersecurity Framework (NIST CSF) are the leading security guidelines for managing and communicating cybersecurity posture amongst internal and external organizational stakeholders. | HITRUST is specifically developed for organizations in the Healthcare ecosystem that want to leverage other leading security standards alongwith HIPAA regulations. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner. |
Type of Data | PHI and ePHI – 18 HIPAA Identifiers | All processes included in the ISMS | Customer data | Depends on what is decided as the scope. It may be all the data that the organization works with. | PHI and ePHI |
Controls based on | HIPAA Rules with emphasis on 3 safeguards – Physical, Technical & Administrative | ISO 27001 & ISO 27002 controls (140+ controls) | 5 Trust Services Criteria (61 controls) | NIST CSF Version 2 (75+ controls) and NIST SP 800-53 revision 5 (390+ controls) | 150+ controls |
Certification / Assessment | Assessment | Certification | Certification / Examination | Assessment | Certification |
Frequency / Validity | Annual | Triennial (once every 3 years) with annual surveillance audits | Annual | Maintenance is required to ensure you are continue to comply with NIST CSF / NIST SP 800-53 rev 5. You need to undergo a new assessment everytime a new version of the standard is published. | Annual |
Cost of Implementation, Readiness Prep and Assessment / Certification | >= $25,000 | $25,000 – $50,000 | $25,000 – $50,000 | >= $25,000 | $50,000 – $200,000 |
Readiness Prep | Optional | Recommended | Recommended | Optional | Recommended |
Mandatory / Voluntary | Mandatory | Voluntary | Voluntary | Voluntary | Voluntary |
Reports are reviewed by | OCR/HHS | B2B, B2C or B2G customers / vendors | B2B, B2C or B2G customers / vendors | B2B, B2C or B2G customers / vendors | B2B, B2C or B2G customers / vendors |
Level of Difficulty while implementing | Low | Moderate | Moderate | Moderate | High level of complexity |
Impact of violation | Penalties, Fines, Jail time | Certification will be revoked. Loss of business if clients make it mandatory. | SOC 2 Report will be revoked. Loss of business if clients make it mandatory. | It is a voluntary compliance standard. Loss of business if clients make it mandatory. | Certification will be revoked. Loss of business if clients make it mandatory. |
Acceptance Level by Clients
| Mandatory / High Acceptance | Voluntary / Moderate Acceptance | Voluntary / High Acceptance | Voluntary / Moderate Acceptance | Voluntary / High Acceptance |
* This comparison is based on our experience while supporting healthcare clients for over a decade. ** The cost is indicated in USD. With over a decade of experience with healthcare clients, we have observed the benefits of complying with a security standard beyond HIPAA. While customer requirements, RFQs, and vendor contracts usually drive this choice, we recommend organizations review their cyber hygiene from the perspective of risks they want to be prepared for and business priorities while selecting the appropriate additional standard to manage them. Partner with databrackets to secure patient data The only way to defend everything you’ve worked so hard to create is to be protect your systems from security lapses. With over a decade of industry experience and technical excellence, a dedicated team at databrackets can help you protect your organization from threats and adapt to healthcare industry’s unique requirements. Our certified experts have developed specialized Do-It-Yourself Assessments and we offer consulting and hybrid services for HIPAA, SOC 2, ISO 27001 and NIST. We conduct readiness prep assessments for SOC 2 and ISO 27001 as well. Contact us to know more about how our services can help your company. Related Links What is the difference between an Audit, Assessment and Certification? How to Select a Security Vendor Comparing NIST, ISO 27001, SOC 2, and Other Security Standards and Frameworks |