Every organization faces cybersecurity threats to its digital assets, potentially compromising sensitive data or disrupting business operations. Implementing a comprehensive cybersecurity framework can help organizations prevent threats, mitigate attacks, and maintain business operation continuity. What is cybersecurity framework implementation, and how does cybersecurity compliance work? Read on to learn more.
Applications of Cybersecurity Frameworks
What is cybersecurity framework implementation? It involves organizations establishing practices to protect digital assets from cybersecurity risks based on existing recommendations, guidelines, or standards issued by industry-governing entities.
When first considering or beginning an implementation, the applicable compliance regulations provide the best roadmap and the clearest examples of cybersecurity frameworks. The most common and widely applicable of these frameworks include:
- HIPAA for the healthcare industry
- PCI DSS for the payment card industry
Cybersecurity frameworks focused on compliance often depend on your specific industry and business activities—some cybersecurity frameworks apply to multiple industries while others are more tailored. Compliance with relevant industry cybersecurity frameworks can help protect your data, systems, networks, or applications from potential cyberattacks, especially with the help of a trusted compliance advisor.
What is Cybersecurity Framework Implementation in Healthcare?
Organizations within or adjacent to the healthcare industry are frequent targets for threat actors due to the vast amounts of sensitive protected health information (PHI) they process. So what is cybersecurity framework implementation for healthcare organizations? It involves compliance with HIPAA, which protects the confidentiality and integrity of PHI.
Learning how to implement cyber security frameworks such as HIPAA starts with understanding the critical aspects of the cybersecurity standards and frameworks.
What is HIPAA?
As the main compliance framework for organizations in the healthcare industry, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the privacy of PHI during processing, storage, or transmission. Established by the Department of Health and Human Services (HHS), HIPAA comprises four rules, each focusing on a critical component of HIPAA compliance.
HIPAA Privacy Rule
The Privacy Rule establishes specific types of health information as PHI and defines the permitted uses and disclosures of that information. The Privacy Rule pertains to covered entities and their business associates, including:
- Health plans
- Healthcare providers
- Healthcare clearinghouses
- Business associates
For covered entities and their business associates, HIPAA’s cybersecurity framework requirements still apply in full. Therefore, organizations must first determine whether they fit the Privacy Rule classification for covered entities and their business associates.
Privacy Rule Covered Entities
What organizations are considered HIPAA Privacy Rule-covered entities? Those classified as follows must comply:
- Health plans – Organizations that “provide or pay the cost of medical care,” including:
  - Insurance providers for health, dental, vision, or prescription drugs
  - Health maintenance organizations (HMOs)
  - Medicare, Medicaid, and associated insurance providers
  - Long-term care insurance providers
  - Group health plans sponsored by employers, government, or churches
  Exceptions to organizations that are considered health plans include:
  - Group health plans with fewer than 50 participants that are solely sponsored by an employer that established and maintains the plan
  - Government-funded programs that do not primarily provide or pay the cost of healthcare (e.g., food stamp programs)
  - Programs that primarily provide healthcare (e.g., community health centers)
  - Insurance entities providing only specific types of insurance (e.g., workers’ compensation, auto, property, or casualty insurance)
  However, insurance entities running separable lines of business, one of which is a health plan, must comply with HIPAA for the health plan line of business.
- Healthcare providers – Organizations that provide healthcare services, including:
  - Institutional providers (e.g., hospitals)
  - Non-institutional providers (e.g., physicians, specialized practitioners)
  - Billing service providers
- Healthcare clearinghouses – Organizations that process information from a nonstandard format into a standard format or vice versa, including companies providing:
  - Billing services
  - Repricing services
  - Community health information management
  - Clearinghouse transactions involving value-added network or switching services
  Typically, clearinghouses only receive PHI when processing transactions as business associates of health plans, healthcare providers, or their respective business associates. In such instances, the Privacy Rule applies only to certain clearinghouse uses and disclosures of PHI.
Privacy Rule-Covered Business Associates
What is the cybersecurity framework classification for business associates of covered entities under the Privacy Rule? Business associates conduct transactions on behalf of covered entities, specifically those involving the use and disclosure of PHI, such as:
- Billing and claims processing
- Data analysis
- Utilization review services
The services that business associates may provide to a covered entity are limited to the following categories:
- Legal services
- Actuarial and accounting
- Data aggregation
- Administrative and management
- Financial services
Organizations are also not considered business associates if the services they provide do not involve uses or disclosures of PHI, or if any exposure to PHI is merely incidental.
Privacy Rule Permitted Uses and Disclosures
One of the critical protections for PHI under the Privacy Rule applies to permitted uses and disclosures thereof. If your organization has to use and disclose PHI without an individual’s authorization, it should be under specific circumstances, including:
- Disclosure to the individual the information pertains to (except for access or accounting disclosures)
- Treatment, payment, and healthcare operations
- Uses and disclosures where the individual has the opportunity to agree or object
- Uses and disclosures incidental to an otherwise permitted use or disclosure
- Public interest and benefit activities
- Research purposes involving limited datasets
Covered entities must use proper professional and ethical judgment in implementing permitted uses and disclosures. Cybersecurity framework implementation per the HIPAA Privacy Rule requires your organization to comply with the stipulated provisions to define and appropriately secure transactions involving PHI. A similar approach to accessing and disclosing (non-PHI) sensitive data will help inform broader and non-healthcare framework implementations.
HIPAA Security Rule
Once your organization has determined its entity classification under the Privacy Rule, cybersecurity framework implementation involves adhering to the Security Rule provisions. These extend protections to electronic PHI (ePHI) during creation, maintenance, and transmission.
Per the Security Rule, covered entities must implement:
- Protocols to secure integrity and confidentiality of ePHI
- Detection and mitigation of threats to PHI
- Protections for permitted uses and disclosures
- Ongoing compliance measures
Covered entities can protect ePHI integrity by implementing safeguards stipulated by the Security Rule. These safeguards can help healthcare organizations new to compliance determine how to implement cyber security frameworks such as HIPAA.
HIPAA Security Rule administrative safeguards cover processes and policies for ongoing ePHI protection. Specific safeguards include:
- Security management – Your organization can implement threat detection measures to identify common threats and vulnerabilities to ePHI.
- Information access management – Your organization can secure access to ePHI via:
  - Role-based access, limiting ePHI access to the business-use cases defined by individuals’ specific roles
  - Privileged account usage, limiting ePHI access to authorized users only
  - Access monitoring to identify unusual events related to accessing ePHI
- Workforce training and management – Implementation of policies to ensure continuity of cybersecurity measures for all personnel, specifically around:
  - Password usage policies (e.g., use of strong passwords, minimizing visible password storage at workstations)
  - Recognizing the patterns of commonly exploited phishing and related social engineering attacks
  - Preventing accidental exposure of ePHI via unattended workstations that provide access to ePHI, or via improper disposal of printed PHI
Administrative safeguards can help establish secure PHI transaction policies.
Organizations must minimize exposure to ePHI via physical safeguards that limit access, including:
- Secured access to facilities – Access control measures can help prevent malicious actors from reaching workstations, servers, or filing cabinets containing PHI. These physical safeguards may include:
  - Card key access control to prevent unauthorized access to areas storing ePHI
  - Personnel-managed access control (e.g., security desk, receptionist desk)
- Device and workstation security – Your organization can secure devices containing ePHI, such as common-use workstations and personal-use devices (e.g., laptops, tablets). Specific safeguards include:
  - Password-protected workstations, even on secured floors
  - Automatic logoff for common-use and personal workstations
  - Limiting the printing, downloading, or transfer of ePHI from common-use workstations, whether via web applications or via portable storage devices
  - Ensuring disposal of paper PHI via shredding
  - Device encryption
Physical safeguards can help protect your organization from malicious threat actor intrusion.
Per the Security Rule, the technical safeguards organizations must also implement include:
- Access control – Covered entities can implement technical measures and policies to prevent unauthorized access to ePHI. Specifically, organizations can:
  - Minimize personnel password re-use across multiple accounts
  - Require personnel to use strong, hard-to-guess passwords
  - Institute password change policies every few months
- Audit controls – Monitoring of access control events and other such events to identify vulnerabilities to ePHI via:
  - Identity and access management (see above)
  - Identifying applications in need of security patches
  - Recycling of hardware and devices at end of life, specifically those used for ePHI storage
  - Logging activity for compliance reviews
- Integrity controls – Your organization can ensure that ePHI is not accidentally altered or destroyed via controls including:
  - Limiting PHI modification privileges to authorized users
  - Preventing deletion of PHI from any system, except by privileged users
  - Implementing security notifications for unauthorized or unusual ePHI modification events
- Transmission security – Covered entities should prevent unauthorized access to ePHI transmitted over electronic networks. Specifically, covered entities should ensure appropriate transmission encryption protocols for any ePHI transmission to their business associates.
The administrative, physical, and technical safeguards outlined in the Security Rule provide examples of the implementation scopes of common cybersecurity standards and frameworks, specifically those relating to the healthcare industry.
HIPAA Enforcement and Breach Notification
Regarding regulatory authority enforcement of HIPAA, cybersecurity framework implementation also requires understanding the Breach Notification Rule. This stipulates requirements for organizations to report a breach (i.e., any improper use or disclosure of PHI) should one occur. A covered entity must report any breach to impacted parties, the Secretary of the HHS (via a Breach Report), and local media outlets when more than 500 participants are impacted.
As most compliance frameworks require incident reporting, your cybersecurity framework’s processes and policies must account for these efforts regardless of applicable regulations.
The Enforcement Rule provides non-compliance fines and penalties for covered entities found to violate HIPAA. Enforcement of the Privacy and Security Rules is overseen by the Office for Civil Rights (OCR) and, in some cases, the Department of Justice (DOJ). Generally speaking, the fines and penalties for HIPAA non-compliance can be steep financially, legally, and reputationally.
Working with an experienced compliance specialist can help your organization define how to implement cyber security frameworks, such as HIPAA—including reporting procedures.
Payment Card Industry Cybersecurity Framework Implementation
What is cybersecurity framework implementation in the payment card industry? The most widely applicable cybersecurity framework is the Payment Card Industry Data Security Standard (PCI DSS), which protects the security of card payment transactions.
Specifically, organizations covered by the PCI DSS are required to protect cardholder data (CHD) from potential cybersecurity threats. Your organization can implement the PCI DSS framework by determining which requirements apply to your organization’s specific digital assets.
How Can You Implement PCI DSS Requirements?
Your organization can secure critical components of your card processing systems and storage environments based on the six goals and 12 Requirements of the PCI DSS v.3.2.1. These include:
- Network and systems security
  - R1: Protecting CHD by installing and maintaining firewalls
  - R2: Avoiding the use of vendor-supplied defaults for security parameters such as system passwords
- CHD protection
  - R3: Protecting stored CHD
  - R4: Securing CHD transmission across public networks via encryption
- Vulnerability management
  - R5: Protecting systems from malware and viruses using regularly updated programs or software
  - R6: Securing systems and applications
- Access control security
  - R7: Restricting access to CHD based on business need
  - R8: Securing access to system components via user authentication
  - R9: Limiting and restricting physical access to CHD
- Network monitoring and testing
  - R10: Monitoring of access to networks and CHD
  - R11: Regularly testing security systems and processes
- Information security policy
  - R12: Maintaining an information security policy for all personnel
Each PCI DSS Requirement contains multiple recommendations for securing CHD, which can be challenging to navigate for companies new to compliance. Working with an experienced PCI compliance advisor can help your organization define what cybersecurity framework implementation means for the PCI DSS framework.
Critical Protections for PCI DSS Sensitive Data
Some of the PCI DSS critical stipulations provide a robust framework for protecting all sensitive data, not just CHD. PCI Requirements you may wish to implement for general protections include:
- Minimizing storage of sensitive data, except under strict and legitimate business need purposes
- Separating sensitive data environments from external traffic (e.g., use of segmentation methods)
- Ensuring strong access control measures (e.g., strong password policies)
- Ongoing monitoring and testing of networks for vulnerabilities (e.g., via penetration testing)
- Managing and updating organization-wide policies for robust security
Achieve Robust Cybersecurity Framework Implementation
Compliance with widely applicable cybersecurity frameworks can help your organization protect critical digital assets. What is cybersecurity framework implementation for organizations at risk for cyber threats? It requires your organization to define security policies that provide robust industry-standard cybersecurity protection for IT infrastructure.