Policy_Paper_M7A1 POL311
School: Excelsior University
Course: POL 311 (Political Science)
Date: Oct 30, 2023
Healthcare Regulation Policy Paper M7A1 POL311

The Problem
Running Head: HEALTHCARE REGULATION 2

Healthcare is a critical field that revolves around the collection of personal data; everyone seeks medical care and places their trust in their medical provider. The cybersecurity threat landscape is continually changing, and personal information is increasingly becoming a target for many hacking groups and nation-state threats. The medical industry's primary focus is providing patient care, while security is often seen as an ancillary function within a medical organization. Additionally, medical manufacturers and providers are installing devices that are connected and offer more integrated services. This results in increased security threats (Perakslis, 2014). With the increased exposure and deployment of these technologies, medical providers are no longer immune to cyber-attacks (Sun, Wang, Soar, & Rong, 2012). Dr Perakslis stated:

    Within the health care industry, 72% of recent malicious traffic, viruses, and similar attacks have been directed against hospitals, clinics, large group practices, and individual providers, with the remaining 28% being spread among provider organizations, health plans, pharmaceutical companies, and other entities; in other words, health care delivery is being aggressively and specifically targeted.

Patients entrust medical providers with a great deal of their personal information. Compromised patient data can not only lead to fraudulent activity but can also be used for a wide range of cyber-crimes. Another growing concern for medical providers is ensuring that medical devices are adequately protected; ransomware or phishing could cause data to become inaccessible or provide backdoors for accessing data. These methods have become increasingly lucrative for many hackers over the last few years, as we have seen in the news.
We are clearly in an era where all healthcare members must be aware of cyber threats and ensure that they remain vigilant in safeguarding the data that they are entrusted with.
Currently, financial data is a focus of many government agencies, which offer increased protection and reporting requirements. Why do we not demand that the same decisive controls be implemented to ensure that private and sensitive healthcare data is protected at the same level as, or better than, our financial data? With the vast increase in health data, including connected pacemakers, robotics used for surgery, genetic information, treatment history and any other relevant medical information that is maintained for individuals being treated, there must be a plan. We can no longer allow medical information to sit on the sidelines and wait for attackers to exploit an individual's medical information.

Issue Background

According to Dr Eric Perakslis, a recent study has revealed that 94% of health care institutions have been the victims of cyber-attacks. The most common attacks involve data loss, monetary theft, attacks against medical devices and infrastructure attacks. As most individuals know, many attacks are motivated by personal gain. Cyber criminals will resell stolen data to attain status or financial gain. Other common reasons for cyber-attacks are to gain access to intellectual property or to damage a company's reputation (Perakslis, 2014). Many medical organizations attempt to implement controls to segment customer/patient data, but these fall short of many similar controls that are required of other organizations, such as those in the financial industry. Additionally, companies that hold medical data but are not medical providers are not held to the same standard under HIPAA as medical providers (Kruse, Frederick, Jacobson & Monticone, 2017). Currently, most organizations deal primarily with HIPAA regulations for the protection of patient data. The portion of HIPAA that is most relevant to organizations is the application of the Security Rule. The Security Rule requires organizations to maintain reasonable and appropriate administrative, technical, and physical safeguards ensuring that PHI (Protected Health Information) is protected. Additionally, they must ensure the confidentiality, integrity, and availability of all patient data created, received, maintained or transmitted to other parties; identify and protect against threats to the security or integrity of the information; protect against inappropriate uses or disclosures; and ensure compliance by all of their employees (Perakslis, 2014). "Confidentiality" means that PHI is not available or disclosed to an unauthorized individual. The HIPAA Security Rule supports the Privacy Rule's prohibitions against improper uses and disclosures of PHI. The Security Rule also supports maintaining the integrity and availability of PHI. Under this rule, "integrity" means that PHI is not modified in an unauthorized manner or by an unauthorized individual. "Availability" means that data is accessible and usable on demand by an authorized individual. Organizations covered by HIPAA range from the smallest provider to the largest multi-state health care provider. Therefore, the Security Rule is considered flexible and scalable, allowing medical providers and companies to analyze their own needs and implement the necessary controls as appropriate. The issue that arises is that what a particular covered entity deems appropriate is based on the organization's own risk assessment (Healthit.gov, 2019). Many states have been pursuing more stringent regulations regarding how PII and financial data are handled. One such example is New York's NYCRR 500, which was an industry first in cybersecurity regulation pertaining to financial data (Department of Financial Services, 2019).
Another regulatory achievement was the release of the EU's GDPR; this reform has made sweeping changes to the way that companies handle personal data (Eugdpr.org, 2019). Under NYDFS NYCRR 500 there are many controls that financial organizations must implement if they meet the minimum organization sizes. Some of the additional protections that organizations must enforce are as follows: they must employ defensive infrastructure to protect against threats; use a system to detect cybersecurity events and alert on them; respond to all detected cybersecurity events; work to recover from each cybersecurity event; report all incidents that cause a breach of data; and provide additional consumer protection on disclosure, policy design, program development, third-party security, training requirements, access limitation, data encryption, and annual certification (Department of Financial Services, 2019). As we can see, many sectors have been required to implement a more specific set of controls. These controls mimic those provided by GDPR, with additional protections for how consumers are able to ensure that they control the data they provide to organizations (Eugdpr.org, 2019). Most individuals would agree that their medical information is significantly more private than financial data. So why has no one made the effort to ensure that the same protections afforded to financial data are enforced for health data? Updating the regulations that apply to all organizations handling health data to current international protection standards will cause a radical shift in the medical industry.

Current Environment

As we discussed, currently the primary focus of the medical industry is providing patient care. Security, though it is a critical function, is often seen as an ancillary one within a medical organization. When we think of all the emotion and haste of the medical environment, most individuals do not consider asking how their data is protected; they merely want their treatment and to move on with their life. The HIPAA regulatory framework discussed previously is no longer sufficient to ensure that adequate controls are in place. We still face the same issues across medical providers that have plagued this industry for years. One critical issue with security is that it typically makes operations within an organization inconvenient. This provides a unique challenge; even requiring more complex passwords for medical staff could cause delays that can cost an individual their life. There has to be a balance between the security implemented and the impact on operations (Wetsman, 2019). The second most significant challenge for medical organizations is the culture. Many medical providers are operated by boards of doctors that have a primary interest in providing care for their patients. Many of these doctors are tenured and have many years of experience. This makes the recent shift in security culture a challenge. Requiring a doctor to participate in security awareness training instead of treating a patient seems backwards for any medical provider. Even many patients would not understand why a doctor must sit through training instead of treating a patient at the most critical times. But this is due to the strenuous demands we place on medical providers (Wetsman, 2019). Technology in the medical industry is rapidly advancing. According to Proclinical.com, in 2019 the top 10 new medical technologies include: smart inhalers, robotic surgery, wireless brain sensors, 3-D medical printing, artificial organs, health wearables, virtual reality, precision medicine, tele-medical care and CRISPR (Clustered Regularly Interspaced Short Palindromic Repeats, DNA modification). Of these top 10 items in the medical industry, 9 require the use of technology, computers and the integration of personal data into digital systems. The threat landscape is changing at a rapid pace and the regulatory landscape has failed to keep pace with these advancements.

Call for action
Healthcare is a critical field that has an impact on every citizen. Protecting patient data is far from simple and requires many components that must be addressed. As a result, it is time that we develop a set of recommended security baseline controls that must be implemented across all medical support facilities and companies. This policy should allow flexibility to reflect the needs of individual organizations, yet be strict enough to ensure that security requirements surrounding medical data are controlled at the same expected level that many states and global regulations have defined for PII, financial data and payment card data. Using the NYDFS cybersecurity framework and components of GDPR as a baseline for the healthcare regulatory policy would be a strong move in the correct direction. With NYDFS NYCRR 500 as guidance, we can apply all of these controls to healthcare providers. Medical organizations must employ defensive infrastructure to protect against threats (Department of Financial Services, 2019). The successful creation of a policy that addresses the deficient areas of the current HIPAA compliance mandates should include the following:

- Security risk assessment and policies, to ensure that providers have identified possible security risks within their unique environment.
- Qualified individuals for overseeing, implementing and performing security functions, to ensure that all security staff have the proper education, training and experience to execute and implement proper security infrastructure.
- Penetration testing and vulnerability assessments, to actively seek and correct identified vulnerabilities and risks within the provider's infrastructure.
- Monitoring and retention of security-relevant systems, to ensure that investigations can be performed to identify the systems affected after an incident.
- Access privileges, to ensure that only individuals with a need to access information have access.
- Application security, to ensure that all custom-developed software is reviewed and follows a proper SDLC and secure configuration practices.
- Third-party provider security policy, to ensure that third-party providers enforce proper security controls and perform due diligence.
- Multifactor authentication for remote access, to ensure that connections to systems containing patient data are secured by more than simple authentication.
- Encryption of healthcare data at rest and in transit.
- Incident response planning, to ensure that plans have been made for handling and responding to incidents that occur.

This framework should be adaptable to organizations based on their size, complexity and the type of healthcare data maintained (Department of Financial Services, 2019). Coupling this with the consumer protection offered under GDPR for how private data is handled, maintained and distributed is a bold step toward ensuring that digital medical information maintains confidentiality and integrity (Eugdpr.org, 2019). As many different sectors have given careful thought to the importance of cybersecurity over the last few years, we must make this effort in one critical sector that has fallen behind.

This Healthcare Security and Accountability Policy is intended to ensure that patient data security is accomplished at a reasonable level for all medical providers. According to HIPAAJournal.com, in 2018 there were numerous breaches from providers such as UnityPoint Health, with over 1.2 million records, and the CA Department of Developmental Health Services, with over half a million records. At the rate that cyber-crime continues to grow, the US must mandate minimum security requirements. It is critical that we put decisive controls in place to ensure that private and sensitive healthcare data is protected at the same level as, or better than, our financial data. We cannot continue to allow medical information to sit on the sidelines and wait for attackers to exploit an individual's medical information.
References

Department of Financial Services. (2019). FAQs: Cybersecurity Filing. [online] Available at: https://www.dfs.ny.gov/industry_guidance/cyber_faqs [Accessed 22 Mar. 2019].

Eugdpr.org. (2019). GDPR FAQs – EUGDPR. [online] Available at: https://eugdpr.org/the-regulation/gdpr-faqs/ [Accessed 22 Mar. 2019].

Healthit.gov. (2019). Health Information Privacy Law and Policy | HealthIT.gov. [online] Available at: https://www.healthit.gov/topic/health-information-privacy-law-and-policy [Accessed 24 Mar. 2019].

Kruse, C., Frederick, B., Jacobson, T., & Monticone, D. (2017). Cybersecurity in healthcare: A systematic review of modern threats and trends. Technology and Health Care, 25(1), 1-10. doi: 10.3233/thc-161263

Perakslis, E. (2014). Cybersecurity in Health Care. New England Journal of Medicine, 371(5), 395-397. doi: 10.1056/nejmp1404358

Sun, L., Wang, H., Soar, J., & Rong, C. (2012). Purpose Based Access Control for Privacy Protection in E-Healthcare Services. Journal of Software, 7(11). doi: 10.4304/jsw.7.11.2443-2449

Wetsman, N. (2019). Health care's huge cybersecurity problem. Retrieved from https://www.theverge.com/2019/4/4/18293817/cybersecurity-hospitals-health-care-scan-simulation