
Healthcare Privacy–Bigger Than Just HIPAA

May 24, 2021

Healthcare Privacy Security Without Regulatory Muscle

As a security practitioner, you may have worked in an industry that was not affected by any regulatory authority. There was a time when security was not driven by governmental power. In many cases, this is why security did not exist in smaller organizations. The ideology that a company was “not an attractive target” to cybercrime was a cozy pillow upon which many C-Level executives rested their heads. Over the last twenty years, this has changed. In fact, not only has security been codified in law, but privacy has become an even stronger legal tool to stimulate security in most organizations.

Some of the early security and privacy regulations offered exemptions based on the size of the company or its earned revenue. Most privacy regulations, however, do not offer those types of exemptions. Privacy exemptions are granted based more on the context of the data processing. For example, data processing for research or national interests can be excluded from regulatory consideration, but only if other criteria are met, such as pseudonymization and data obfuscation.

Privacy in the Land of Healthcare

Privacy in the healthcare field has always been a primary concern. Before the days of electronic records, printed medical records were stored in locking file cabinets. When in active use, such as during a patient visit, medical records were kept confidential, even from the patient under care. This may seem implausible to many people living in the relatively new “freedom of information” era, but patients were generally not permitted to view their own medical records. It is no wonder there were serious concerns at the early stages of proposals to create electronic, freely sharable healthcare records.

The obvious advantage of electronic health records is that medical professionals can access the information easily when it is needed. Through the use of patient portals, a person is now able to view their own medical file, enabling better care for themselves. The clear disadvantage is that anyone could gain access to records if they are not adequately protected. This emphasizes the need for qualified, trained healthcare security and privacy practitioners.

What Could Possibly Go Wrong?

You don’t need to look very far to see the problems with poor security in the healthcare field. Cases such as the Anthem Health breach of 2015 and the Aetna envelope debacle of 2017 show why security is important, and why it is inextricably tied to privacy in a healthcare setting. At least one healthcare publication issues regular healthcare industry breach reports. Peripherally, a recent report highlights the concerns raised when a healthcare company partners with a non-healthcare organization and shares healthcare information without patient consent.

It is one thing to have one’s credit card stolen, as it is fairly easy to cancel a compromised credit card and issue a replacement. It is entirely different when a person’s medical history is stolen. Similar to the theft of biometric data, the private nature of medical records is not easily recovered once it becomes publicized. The old metaphor of not being able to put the toothpaste back in the tube is poignantly fitting here.

New Developments in Privacy

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted in the United States. This law has been revised over time, adding privacy provisions and breach notification requirements. Related legislation, such as the Health Information Technology for Economic and Clinical Health (HITECH) Act, influenced the final changes woven into HIPAA. HIPAA stressed privacy in a way that was previously overlooked.

Over time, other regulations emerged across the globe that highlight the importance of privacy outside of a healthcare setting. In doing so, however, all of these new regulations impact healthcare directly. A healthcare security practitioner must be versed in many of these privacy regulations in order to best serve an organization.

Many Common Threads

A cursory examination of some of the privacy regulations across the globe reveals some very common sentiments. Regulations from China, South Africa, the European Union’s General Data Protection Regulation (GDPR), and India all share the following principles:

  • Consent to collect information (Strictness of this varies for each country)
  • Data obfuscation requirements
  • Parental consent required for processing data of children
  • Data may be processed for specific and lawful purposes
  • Data retention limits
  • Data portability (Covered in HIPAA in the US, other countries specify data portability in their regulations)
  • Right to know if an individual’s data has been processed
  • Limited exemptions (at legal or government request)
  • Right to withdraw consent
  • Breach notification requirements
  • Severe penalties for non-compliance

It should be noted that while HIPAA is specific to the healthcare field across the United States, there is no unified privacy law that covers all states. Each state has enacted its own version of privacy legislation that extends privacy protections to all aspects of personal data.

Areas of comparison with some of the other directives in various regulations are shown in the following chart:

Comparison Chart

*Both China and India include language that contemplates the cessation of data sharing, but not the full erasure of a subject’s data.

Evolutionary Development

Regulatory developments have expanded over time, most notably in the area of defining Personally Identifiable Information (PII). India’s Data Protection Bill shows the most advanced concepts of PII.

To note a few:

  • India recognizes Caste or tribe as a personally identifying characteristic.
  • India also recognizes specific sexual orientations, such as transgender and intersex status. (The definitions for each are also enumerated in the text of the Bill.)

South Africa’s POPI Act includes the following in its PII definition list:

  • Pregnancy
  • Personal opinions, views or preferences of the person
  • Views or opinions of another individual about the person

Although not examined specifically here, California’s Consumer Privacy Act (CCPA) contains perhaps the most unique statement in its definition of PII:

  • Audio, electronic, visual, thermal, olfactory, or similar information

As a healthcare security and privacy practitioner, it is important to note these, not because they are novel, but to bring awareness to the idea that the data you are protecting is woven into the customs and culture of the data subjects. As all medical professionals know, they cannot choose which patients show up at their office. Likewise, a healthcare security and privacy practitioner cannot ignore the varied data that must be protected. In the healthcare field, cultural sensitivity is very important, and a security practitioner needs to take it into consideration when recommending security protocols. This is where a trained healthcare security and privacy practitioner becomes an invaluable asset to a healthcare organization.

Which Training is the Best?

Whenever the subject of training is presented, one always wonders, “Which training is the best?” This is understandable; no one wants to invest time in a training program that doesn’t offer tangible benefits. Unfortunately, in the field of healthcare information security, there are not many training offerings. One can (and should) learn security as it pertains to the Bills and Acts that are relevant to a specific country or jurisdiction. However, the regulatory landscape is only part of the knowledge required in a healthcare setting. A deeper, practical understanding of security and privacy in a healthcare environment is also required. The only training that presents a full program is the Healthcare Information Security and Privacy Practitioner (HCISPP) credential offered by (ISC)2.

The HCISPP Common Body of Knowledge (CBK) includes all aspects of security and privacy in a healthcare setting. The information gained through the study of the CBK is not only useful in achieving the certification, but it offers actionable, practical knowledge for any security practitioner in the healthcare field. Attaining the HCISPP certification shows a dedication to the healthcare security profession, which translates to a more valuable member of a healthcare security team.

Download our white paper, Not All Life Savers Wear White Coats, to learn more about the regulatory landscape and about security and privacy in the healthcare environment.