Healthcare information security and the relevance of security certifications
By Travis Lansdell
In healthcare, one of the greatest responsibilities any organization has is safeguarding the protected health information (PHI) of the members or patients it serves. Everyone in healthcare knows this and understands the responsibility. Nevertheless, data breaches, ransomware and malware attacks are a frequent occurrence at healthcare organizations because the information is so valuable in the hands of bad actors.
“There have also been notable changes over the years in the main causes of breaches,” according to the HIPAA Journal. “The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015. Our healthcare data breach statistics show the main causes of healthcare data breaches are now hacking/IT incidents, with unauthorized access/disclosure incidents also commonplace.”
From 2009 to 2021, the number of data breaches involving 500 or more records has been steadily increasing. In December 2021 alone, there were more than 56 breaches of 500 or more records, a 24.5% increase from November. During all of 2021, there were 714 healthcare data breaches of this type, affecting more than 40 million people.
From 2005 to 2019, more than 249 million people were impacted by healthcare data breaches, according to the journal Healthcare.
While PHI data breaches are often in the news, and protecting that information is a critical function of healthcare organizations, employee information, intellectual property and other types of data must be secured, as well.
There are four main ways that healthcare data, or any data for that matter, may be exposed or stolen:
- Hacking by bad actors
- Unauthorized access by employees within the organization
- Theft or loss
- Incorrect information disposal
Certification best practices
All healthcare organizations have a fiduciary responsibility to protect the healthcare data of those who use their services, employee information and other confidential data related to the business.
Comprehensive policies and procedures, strategic operational security practices, and tactical, layered cybersecurity defenses all help protect the business. Certifications, however, also serve a purpose by revealing an organization’s security processes for inspection by, or asserting an organization’s security capabilities to, the organization’s customers. The ability for a customer to review their provider’s security capabilities is critical to the customer’s own security program, and certifications and third-party attestations help streamline this process.
There are several types of certifications or security attestations a company can pursue as part of its security program. Some certifications are designed for companies that handle credit card transactions, some focus on the security of specific applications, and others focus on PHI. Some certifications state that a company complies with the security requirements, but when you look behind the scenes of the certification, the company may be only 70 percent compliant, for example.
I recommend organizations consider ISO 27001, published jointly by the International Organization for Standardization (ISO), the world's largest developer of voluntary international standards, and the International Electrotechnical Commission (IEC).
ISO 27001 is the gold standard for information security certification because:
- An organization is compliant or it’s not. While an ISO certification will have a defined scope, there are no degrees of compliance within that scope. Partial or graded compliance can lead to a false sense of security, or force a customer into a time-consuming review of the organization’s actual level of compliance.
- The security framework is widely understood and has been adopted by public and private organizations around the world.
- Certification confirms the organization operates a fundamentally sound, risk-focused professional security program based on an open security standard that has been tested for decades.
While no health information system is truly “secure” in the sense that it won’t be hacked, is impervious to malware or won’t fall prey to a disgruntled employee, ISO 27001 certification provides broad assurance that an organization’s security program is healthy, robust and uses an ongoing risk-centric approach for security management.
To help ensure specialized information security needs, companies should also explore other certifications, reports or attestations that have a specific focus on financial, employee or other types of data. These certifications can help an organization better understand how its security measures will perform in these areas.
- SOC (Service and Organization Controls) 2 Type I & Type II reports: These are the global standard for demonstrating strong security in software services. SOC 2 reports don’t certify an organization; rather, they are reports describing a specific service’s (typically a software service) alignment with several trust principles defined by the AICPA (American Institute of CPAs). A SOC 2 report, particularly a Type II report, which covers the operation of controls over a period of time rather than at a single point, provides extremely valuable tactical security information to the organization’s customers.
- A third-party HIPAA attestation specifically ensures an organization complies with HIPAA requirements and should be an attestation that all healthcare companies require of their providers.
Alleviate customer concerns
A strong information security framework, such as ISO 27001, also serves to alleviate concerns of current and prospective customers. Security certifications, reports on compliance and attestations from third parties provide customers with confidence that the organization takes information security seriously. They also demonstrate an organization’s commitment to maintaining a strong information security program.
Ultimately, a certification that is aligned with a comprehensive, broadly adopted, well understood and risk-focused information security framework serves both the organization’s own interests and those of its customers.
Raise the bar
All healthcare organizations are at different points in their information security journey, but for those looking to get to the next level, I recommend taking a critical look at the organization's entire environment from the viewpoint of a comprehensive security management framework like that provided by ISO 27001 and embracing a risk-driven approach to information security management.
Doing so raises the bar not only for your organization but for every company in your industry by fostering healthy and progressive competition. Any advances an organization can make to secure customers’ data are a step forward in defeating bad actors—internal or external—who are always looking for new ways to appropriate information or cause harm.
Travis M. Lansdell, CISSP, is Chief Information Security Officer at Modivcare.