The information that health providers, technology vendors, and others who manage data for patients are responsible for is highly sensitive. Health data managers have an obligation to make sure that the data they handle is protected due to hacking, carelessness, or accidentally providing unauthorized access.
The guidelines for security standards are different depending on which country or state you are located in. Two common sets of guidelines include ISO 27001 (applicable internationally) and HIPAA (applicable in the United States). There are also two security standards that can be applied that provide more direct rules than guidelines, ISO 27799 and HITRUST Common Security Framework. These two sets of security standards have significant overlap, but each does have specific requirements that are distinct from one another.
The Healthcare Insurance Portability and Accountability Act, or HIPAA, was signed into law in 1996 to improve the accountability and portability of health insurance coverage. This was the start of the government pushing for the computerization of patient records and led to the HIPAA Privacy and Security rules which governed how entities secure managed the patient data they worked with.
The HIPAA Privacy and Security rules establish a set of security standards which must be addressed by “covered entities”, which are encoded in four rules:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Enforcement Rule
- HIPAA Breach Notification Rule
These rules are subjective, meaning that there aren’t a list of approved security solutions, technology vendors, or pieces of software that you can implement, work with, or buy that will automatically allow you to consider yourself “HIPAA Compliant. That’s where ISO 27799 and HITRUST Common Security Framework can provide a firm set of requirements to help guide your security strategy.
ISO 27001 / ISO 27799
There are two international security standards can be used in combination with one another to address the protection of sensitive health information, ISO 27001, which establishes information security management system requirements, and ISO 27799, which is a set of best practices specifically created for dealing with health data.
ISO 27799 includes a list of threats which need to be addressed by compliant security management systems:
- Masquerade by insiders
- Masquerade by service providers
- Masquerade by outsiders
- Unauthorized use of a health information application
- Introduction of damaging or disruptive software
- Misuse of system resources
- Communications infiltration
- Communications interception
- Connection failure
- Embedding of malicious code
- Accidental misrouting
- Technical failure of the host, storage facility or network infrastructure
- Environmental support failure
- System or network software failure
- Application software failure
- Operator error
- Maintenance error
- User error
- Staff shortage
- Theft by insiders
- Theft by outsiders
- Willful damage by insiders
- Willful damage by outsiders
HITRUST Common Security Framework
The HITRUST CSF is an overarching framework that maps on to several security standards to provide a one-stop solution for addressing the requirements that ISO, HIPAA, NIST, and PCI lay out as guidelines.
The goal of HITRUST CSF is to have covered entities fulfill the requirements contained in the 19 domains and 135 specific controls, or actions, that the CSF outlines. By satisfying these requirements, covered entities can easily respond to audit requests for any of the security standards that the CSF maps to, saving time and resources on both the purchaser and vendor sides.