Health Care security: time to open the can of worms

Forum: Information Assurance, Governance, Risk and Compliance

This topic contains 7 replies, has 5 voices, and was last updated by  emb021 2 years, 2 months ago.



    There is an annual meeting of medical imaging professionals called the RSNA. The last two years have had a single presentation (with 2-3 speakers) regarding cyber security within the health care enterprise. Any discussion outside of these rooms seems to be met with belligerent resistance that this is somehow “out of scope” for a global enterprise that moves private and sensitive data on a massive scale.

    My bias is obvious: I find this ridiculous. Clearly 3 other speakers out of the 100K international attendees (and some 50 or so presentation attendees) agree with me. I find this apathy alarming.

    The general sense is that this is “an IT problem”. While I do not disagree entirely, anyone with even the most cursory understanding of data security knows that the weakest links in a security solution are often outside of the domain of IT services. In other words, I am sure they are doing their part, but it is not enough, and not everything is for them to fix.

    In my frustration, I am making an effort. I may be just one of a handful of people who see the problem here and want to do something about it, but I do not see this problem fixing itself.

    HIPAA is a start, but it’s just words. We need guidance.

    So, I am gathering allies. I think the Cybrary community can help educate me so that I can educate others.

    Please help me improve myself and help me provide a means to secure the data in healthcare (I’m starting with imaging, but there’s no reason to stop there). We all deal with healthcare at one time or another; it is in all of our interests to assure ourselves of its integrity.



    So here’s the biggest thing with healthcare and security: there is no standardization. There are some rules and regulations to follow, but other than the loosely coupled provider networks, the industry as a whole has no overarching level of trust and standardization. If I were working for a large medical organization and holding large amounts of records and data on my patients, and all of a sudden I was supposed to give some rinky-dink, mom-and-pop medical organization access to my data, how can I ensure that we can securely communicate? How can I be sure that they are following the same level of protection for those records and for their data at rest? How can I ensure that the people accessing my information are authorized to actually access this?

    Because these networks weren’t built around a common framework, and have to adhere to certain standards, it’s going to be immensely difficult just to get everyone on the same page. In terms of security, how many doctor’s offices have you gone to and seen that in your doctor’s room they had their computer unlocked with no screen saver on? I also often hear of doctors who tell their IT people that they want exemptions to policies (if they even have them in the first place) for their computers, because having to log in repeatedly is an inconvenience to them.

    Healthcare security is an uphill battle, and trying to get it organized is a huge challenge.



    Take a look at HITRUST. A bunch of big players in the healthcare industry pulled together about 30 frameworks (including PCI-DSS) and created the Common Security Framework (CSF). It’s much more prescriptive than HIPAA guidelines. It seems to me the reason for it is to get the ‘rinky-dinks’ to step up. I imagine a day when HITRUST compliance will be a pre-requisite for doing business with a large healthcare corporation.



    Yes, HITRUST is the Healthcare industry standard framework to be able to comply with HITECH regulation. Cybrary needs some training on this.



    Health Information Trust Alliance HITRUST Certification

    The HITRUST Common Security Framework (CSF) is a comprehensive and certifiable security framework used by healthcare organizations and their business associates to efficiently approach regulatory compliance and risk management. HITRUST unifies recognized standards and regulatory requirements from NIST, HIPAA/HITECH (Health Information Technology for Economic and Clinical Health Act of 2009), ISO 27001, PCI DSS, FTC, COBIT, and can be completed according to SOC 2 criteria, making it the most widely-adopted security framework in the U.S. healthcare industry.

    Benefits of Obtaining a HITRUST Certification

    As a company that handles ePHI, having a HITRUST certification demonstrates its compliance with the required safeguards in place to protect the data. It will assist your company by:
    • Satisfying the requirement by many health organizations that their Business Associates are in compliance with the HITRUST CSF.
    • Providing a competitive advantage by demonstrating that your company has implemented the necessary controls to safeguard sensitive ePHI and mitigated the risk of it being compromised.
    • Establishing a security framework that incorporates a variety of standards and regulatory requirements, including those associated with a SOC 2 / AT 101 assessment.

    HITRUST Alliance

    Official Website of The Office of the National Coordinator for Health Information Technology (ONC) Certification



    Thank you for your responses. I was not previously aware of HITRUST certification. This seems like a good starting point. I may have more questions after I have gotten an overview.

    Does Cybrary have resources toward HITRUST certification that I could point an organization toward?



    “HITRUST is the Healthcare industry standard framework to be able to comply with HITECH regulation.”

    No, it’s not.

    Using HITRUST is no guarantee that you are compliant with HIPAA/HITECH. Please don’t mislead people. HHS (Health and Human Services) does not recognize HITRUST, they do not recommend HITRUST, and they have said that if you have it, it’s no guarantee you’re compliant.

    HITRUST is very difficult to deal with because they have gone overboard with a “everything plus the kitchen sink” approach to dumping in more and more regulations, many of which have zilch to do with healthcare.

    Getting a HITRUST certification as an individual is very expensive, if not impossible. It’s not like getting a CISSP. You can’t get it unless your company wants to get involved with doing HITRUST certification, which is very expensive. Similar to getting PCI’s QSA.

    • This reply was modified 2 years, 2 months ago by  emb021.


    “Does Cybrary have resources toward HITRUST certification that I could point an organization toward?”


    All the info on getting HITRUST certification is at the HITRUST website.

    And if you want to get HITRUST certification as an individual, your organization will have to sign up with HITRUST, and you will need to go to HITRUST HQ to take their class followed by the test. It’s not like CISSP or other certifications where you can use a variety of methods to get prepped, then go to a local testing center to take it.

    FWIW, my company looked into this, and into sending me to training. The cost just wasn’t worth it, as few of our many healthcare clients were interested in getting HITRUST certified. We have helped 3 clients get prepared for certification, but the many others we work with are not getting it and have no interest in getting it. The few that did only did so because they were forced to by insurers.
