For healthcare organizations, regulatory compliance is serious business. Non-compliance carries serious ethical implications and threatens the loss of public trust, but even from a purely financial perspective, regulations loom large. HIPAA especially. With a maximum penalty of $1.5 million per year for each individual violation, the cost of falling short is rising. In fact, 2018 saw the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) levy 22% more fines against healthcare delivery organizations (HDOs) than ever before, with several organizations taking hits of $2+ million.
The bottom line is that healthcare regulations are tough and likely to only get tougher. Whether it's HIPAA, the closely related HITECH, the FDA, the Joint Commission, or the Centers for Medicare and Medicaid Services, medical regulations can be difficult to get your head around and even more difficult to comply with. Adding to the complexity is the fact that further legislation is moving through the US House of Representatives that, if adopted, would formalize recommendations (such as increasing the security and resilience of medical devices) made by the Health Care Industry Cybersecurity Task Force. Of course, when you factor in the non-US-specific regulations, such as the EU's GDPR, there's even more to consider.
So what does this mean for you? Usually, a headache. But despite some inevitable pains, smart healthcare administrators are finding new ways to navigate this treacherous terrain with increasing ease and efficiency. It's one of those smart new ways that I want to address in this post. Before I do though, let's talk about where pitfalls are most often found and where pains are most commonly encountered.
Regulation, Infuriation, Consternation
With so many regulations to consider across large sites employing hundreds or thousands of staff, Accreditation and Compliance teams are typically stretched thinly and pulled in many different directions. Jumping between different sites, different departments, and different regulatory purviews, these professionals usually have their hands full putting out fires and rarely if ever have bandwidth to devote to studying the latest legislative developments and compliance tactics.
The result is a lack of forward planning that perpetuates this vicious cycle of chaotic firefighting.
Consultants can advise on the impact of new regulations, or audit existing arrangements and help implement forward-facing compliance strategies, but they’re expensive and they can’t effectuate your compliance – they can only plan it. At the end of the day, a good compliance consulting firm will tell you what to do, but you’ll still need to do it; and without any type of automation technology, the doing is often the most onerous part.
Alternatively, there are technology solutions designed to help with medical device regulatory compliance. Unfortunately these solutions often come in two basic models:
- Too specific
- Too general
The too-specific solutions are focused on very narrow slices of your regulatory responsibilities – requiring you to enlist a veritable army of different solutions just to cover your flank. This is not only expensive, but introduces added managerial complexity precisely where it was supposed to make things easier.
The too-general solutions struggle to map and accommodate the unique regulatory requirements of an individual hospital and produce documentation trails that are unlikely to fully deliver the granularity required in the event of an audit.
Both the too-specific and too-general solutions are difficult to integrate in normal workflows and introduce another administrative burden: managing the system rather than ensuring improved compliance metrics.
Of course, compliance is made even more arduous by the need to demonstrate it, not merely achieve it.
To make regulations enforceable, there need to be penalties for non-compliance. The problem is that it's difficult to tell with certainty whether compliance was met, and you'll understand if regulators are reluctant to simply take your word for it.
Instead, there’s an auditing process. And just like if you were audited by the IRS, the speed and ease of the process depends in large part on your bookkeeping and reporting. If you keep clear and comprehensive records, you can simply hand them over and wipe your hands of it. If you were lax in your record keeping, you’re going to be in for a world of pain retroactively reconstructing a granular account of your compliance.
These are just some of the factors contributing to pains and pitfalls associated with healthcare compliance. While the idea of holding HDOs responsible for the information security of the patients they process is both simple and reasonable, the real world application of that idea can become exceedingly complex and quickly send an unprepared administrator down a compliance rabbit hole.
All of which is why we're seeing a lot of attention and creativity applied to the problem of streamlining medical device regulatory compliance — not just in terms of satisfying the strictures of the law, but in demonstrating as much too.
A Smarter Way
There is a growing body of evidence to suggest that hospitals have unused excess compliance enablement capacity in their existing business technologies. Indeed, what makes modern systems and devices smart is their ability to automatically collect and record information from the real world. This functionality lies at the core of most advanced business technologies and can be enlisted to pull double duty, assisting with the enforcement and documentation of duly compliant protocols, procedures, and practices.
Cybersecurity solutions can be particularly useful in assisting compliance efforts since they not only provide an extra set of eyes on the healthcare operation, but can automatically log compliance-relevant network interactions and generate an audit trail of actions taken in pursuit of compliance.
Specific Regulations Cyber Technologies Can Address
The more you dive into the specifics of healthcare regulations, the more ways you'll find to smartly apply existing technologies to the task of compliance — especially as they pertain to medical devices. This article should not be taken as an exhaustive review of all such potential applications. Instead, we'll focus on some of the most straightforward examples of where an endpoint-based network monitoring and management cybersecurity solution can satisfy HIPAA requirements.
Smart cybersecurity solutions are uniquely positioned to satisfy Rule (a) (1) of HIPAA § 164.306, as AI-assisted network traffic monitoring can confirm that electronic protected health information (ePHI) stored on medical devices has not been tampered with as it moves across the network (ensuring integrity), while built-in threat prevention techniques ensure the availability of that information to authorized parties only (ensuring confidentiality).
Rule (a) (1) (i) of HIPAA § 164.308 outright requires the implementation of "policies and procedures to prevent, detect, contain, and correct security violations." Obviously that functionality falls squarely within the wheelhouse of a cybersecurity solution – especially insofar as dedicated healthcare cybersecurity solutions are concerned.
Your obligations pertaining to Rule (a) (1) (ii) (A) of the same HIPAA Section can be similarly discharged with any cybersecurity solution capable of comprehensively assessing and mitigating the risks and vulnerabilities that device and network configurations pose to the confidentiality, integrity, and availability of ePHI.
A good solution will shine a bright light on network interactions, revealing their context and their security implications. In this way, the solution will gain an understanding of the traffic flowing between devices, services, and network nodes. Drawing on these observations and on historical data, the solution should assign device-specific and business-wide risk scores so administrators know where best to focus their remediation efforts.
Rule (a) (1) (ii) (B) can also be extensively covered by a cyber solution that indexes all connected devices, determines their current software versions, and searches for updates. A capable solution will also cross-reference your device roster against the ICS-CERT and MDISS MDRAP vulnerability databases, mapping exposure and noting available patches. Where patches are not available, a good solution will be able to devise other security measures to reduce risks and vulnerabilities. To fully manage risk, the solution should also scan clinical assets and systems for default or easily guessed passwords, before instructing the relevant administrator on the appropriate remediation.
The tricky part of Rule (a) (1) (ii) (B) comes in the fact that the law obligates you to take “reasonable and appropriate” [1] action. Those terms are deliberately vague and ill-defined, and what constitutes reasonable and appropriate in foresight may well miss that mark in hindsight. This is part of the reason why it’s so important that HDOs, in one way or another, enlist healthcare-specific cyber expertise. Such expertise will need to be leaned on heavily to reliably hit the moving target of “reasonable and appropriate” measures in a highly complex and dynamic clinical network.
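The roster-to-advisory cross-reference just described, as an added illustration that is not code from the original post or from any product it alludes to. It matches a device inventory against a list of advisories by vendor, model and affected version, notes the available patch or a compensating control where none exists, flags factory-default credentials, and rolls everything into a per-device risk score so the highest-exposure assets sort to the top. Every device, advisory, identifier and the DEFAULT_CREDENTIALS set is constructed sample data (nothing here is drawn from ICS-CERT or MDISS MDRAP), and the scoring scale is an assumption chosen for the example.

```python
"""Added example: map a clinical device roster against vulnerability advisories.
All records below are constructed sample data, not real advisories or devices."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed set of factory-default credentials that should never survive
# deployment; a real check would draw on vendor documentation.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("service", "1234")}


@dataclass
class Device:
    name: str
    vendor: str
    model: str
    firmware: str          # installed version as reported by the device
    network_exposed: bool  # reachable from outside its clinical segment
    username: str
    password: str


@dataclass
class Advisory:
    advisory_id: str               # placeholder id such as "ADV-0001" (constructed)
    vendor: str
    model: str
    affected_below: str            # versions strictly below this are affected
    severity: float                # 0.0-10.0, CVSS-style base score (assumed scale)
    patched_version: Optional[str]  # None when the vendor has no fix yet


@dataclass
class Finding:
    device: str
    advisory_id: Optional[str]     # None for findings not tied to an advisory
    severity: float
    remediation: str


def version_tuple(v: str) -> tuple:
    """Turn '2.10.3' into (2, 10, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def matching_advisories(device: Device, advisories: List[Advisory]) -> List[Advisory]:
    """Advisories that apply to this exact vendor/model at its installed firmware."""
    return [a for a in advisories
            if a.vendor == device.vendor and a.model == device.model
            and version_tuple(device.firmware) < version_tuple(a.affected_below)]


def assess(device: Device, advisories: List[Advisory]) -> List[Finding]:
    """Exposure mapping: one finding per applicable advisory, plus a credential check."""
    findings = []
    for adv in matching_advisories(device, advisories):
        if adv.patched_version:
            action = f"update firmware {device.firmware} -> {adv.patched_version}"
        else:
            # No patch: compensating control instead of leaving the gap open.
            action = "no vendor patch: restrict reachability (ACL/segmentation) and monitor traffic"
        findings.append(Finding(device.name, adv.advisory_id, adv.severity, action))
    if (device.username, device.password) in DEFAULT_CREDENTIALS:
        findings.append(Finding(device.name, None, 7.0,
                                "factory-default credential in use: change it and record the change"))
    return findings


def risk_score(device: Device, findings: List[Finding]) -> float:
    """Worst finding on the device, weighted up when the device is reachable beyond
    its segment. The 1.5 multiplier and the 10.0 cap are assumptions for illustration."""
    if not findings:
        return 0.0
    worst = max(f.severity for f in findings)
    return round(min(10.0, worst * (1.5 if device.network_exposed else 1.0)), 1)


def assess_fleet(devices: List[Device],
                 advisories: List[Advisory]) -> List[Tuple[str, float, List[Finding]]]:
    """Return (device name, risk, findings) for every device, riskiest first."""
    report = []
    for dev in devices:
        findings = assess(dev, advisories)
        report.append((dev.name, risk_score(dev, findings), findings))
    return sorted(report, key=lambda r: r[1], reverse=True)


# Constructed sample roster and advisories.
SAMPLE_DEVICES = [
    Device("infusion-pump-07", "AcmeMed", "IP-200", "2.3.1", True, "admin", "admin"),
    Device("mri-console-01", "AcmeMed", "MR-9", "5.0.0", False, "radiology", "Xk9!wq-long-pass"),
    Device("patient-monitor-12", "BetaHealth", "PM-1", "1.8.0", False, "tech", "correct-horse-battery"),
]
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "AcmeMed", "IP-200", "2.4.0", 8.6, "2.4.0"),
    Advisory("ADV-0002", "AcmeMed", "MR-9", "5.1.0", 6.5, None),
    Advisory("ADV-0003", "BetaHealth", "PM-1", "1.5.0", 9.0, "1.5.0"),  # monitor already above 1.5.0
]

if __name__ == "__main__":
    for name, risk, findings in assess_fleet(SAMPLE_DEVICES, SAMPLE_ADVISORIES):
        print(f"{name}: risk {risk}")
        for f in findings:
            print(f"  [{f.advisory_id or 'config'}] sev {f.severity}: {f.remediation}")
```

Two points worth noting for an audit trail: the unpatched MRI console gets a compensating-control recommendation rather than silence, and the patient monitor, which is above the advisory's affected range, correctly produces no finding, so the report records that the check was performed and came back clean.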
Of course, even a cybersecurity solution with perfect attack response capabilities is of little use if that solution can’t detect and report on the presence of malicious software. Indeed, one of the key differentiators of best-in-class solutions is superior detection and reporting – key to satisfying another Rule in HIPAA § 164.308, namely (a) (5) (ii) (B) (Addressable). Continuous cyber audits, along with robust anomaly detection and containment capabilities, tailored intervention recommendations, and future-facing prevention mechanisms are also critical to ensuring that good cyber hygiene and guarding procedures are followed to protect against malicious software.
A hallmark of a smart, scalable cybersecurity solution, network micro-segmentation intelligence and configuration management (ACLs, SGTs, etc.) ensures that, once detected, threats are duly contained – responding to and mitigating both suspected and known security incidents (closing all practicable proliferation paths) with minimal collateral disruption. This satisfies requirements pertinent to HIPAA § 164.308 Rule (a) (6) (ii). Most cybersecurity solutions also contain automatic documentation that should capture security incidents and their outcomes to the satisfaction of this law.
Rule (b) of HIPAA § 164.312 requires HDOs to implement procedural mechanisms to capture and examine digital interactions with ePHI. This requirement essentially reflects the minimum viable product for any cybersecurity solution serving the healthcare industry. Rules (c) (2) and (e) (2) (i) (both Addressable) of the aforementioned Section obligate covered entities to assure that ePHI is not tampered with and to affirm that, were it to occur, improper data alterations would be detected.
Here again, a smart cybersecurity solution can be enlisted to do the heavy lifting. AI assisted network traffic monitoring and deep packet inspection can be leveraged to affirm that ePHI has not been tampered with, altered or otherwise modified, including the detection of spoofing. Such a system, with automated anomaly and event logging in place, will not only ensure compliance insofar as these Rules are concerned, but will also make it a cinch to demonstrate as much should any supervisory agency ever call you to account.
The entirety of HIPAA's 45 CFR Subpart D, covering data breaches and the commensurate notification requirements, is also relevant. As defined by the regulation, a breach refers to the “acquisition, access, use, or disclosure of protected health information in a manner... which compromises the security or privacy of the protected health information.”
For organizations with more than 500 employees, notification of a breach needs to be made within 60 days to any individuals impacted, state media, and the Department of Health and Human Services. Smart cybersecurity solutions can help mitigate the risk of a fine and improve the entire breach notification process by rapidly detecting the intrusion and automatically disseminating notifications to the relevant parties. Organizations without robust cybersecurity protection might find issues days, or even weeks, later, eating into, or perhaps exceeding, the 60-day reporting period.
The same notification process can also trigger the extraction of data and the creation of the reports needed. Without automation, this can be a complicated exercise — requiring, for example, that HDOs produce logs of user authorization levels and access histories. Depending on your tooling, creating error logs before, during, and after events can be a painstaking undertaking or totally effortless. With an advanced cybersecurity solution in place, though, this functionality can be built into the system and made easily available for review by regulators during an audit or investigation.
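An added illustration serving two passages above: the § 164.312 audit-control and integrity requirements (record every interaction with ePHI and detect improper alteration), and the access-history reports an investigation asks for. This is not code from the original post, and it uses a deliberately simple host-side mechanism, an HMAC hash chain over access events, rather than the network traffic monitoring and deep packet inspection the post describes. The user names, roles, patient identifiers and the LOG_KEY value are constructed for the example; the verify_chain and access_history functions are hypothetical names, not any product's API.

```python
"""Added example: tamper-evident audit log of ePHI access events.
Each entry is HMAC-chained to its predecessor, so editing, reordering or
deleting an entry in the middle of the log breaks verification."""
import copy
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed key for the example only. In practice it comes from a key manager
# and is never stored alongside the log it protects.
LOG_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # link value for the first entry


def _digest(prev_hash: str, event: dict) -> str:
    """HMAC over the previous hash and a canonical JSON encoding of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_hash.encode() + body, hashlib.sha256).hexdigest()


def append_event(log: List[dict], user: str, role: str, patient_id: str, action: str) -> dict:
    """Record one interaction with ePHI, linked to the entry before it."""
    prev = log[-1]["hash"] if log else GENESIS
    event = {"seq": len(log), "user": user, "role": role,
             "patient_id": patient_id, "action": action}
    entry = {"event": event, "prev": prev, "hash": _digest(prev, event)}
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> int:
    """Return the index of the first entry whose link, sequence or HMAC is wrong,
    or -1 when the whole chain verifies."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if (entry["prev"] != prev or entry["event"]["seq"] != i
                or not hmac.compare_digest(entry["hash"], _digest(prev, entry["event"]))):
            return i
        prev = entry["hash"]
    return -1


def access_history(log: List[dict]) -> Dict[str, List[str]]:
    """Per-user list of 'action patient_id' strings, the report an auditor asks for."""
    history: Dict[str, List[str]] = {}
    for entry in log:
        e = entry["event"]
        history.setdefault(e["user"], []).append(f"{e['action']} {e['patient_id']}")
    return history


def build_sample_log() -> List[dict]:
    """Three constructed access events."""
    log: List[dict] = []
    append_event(log, "nurse.ak", "nurse", "PT-1001", "read")
    append_event(log, "dr.lm", "physician", "PT-1001", "update")
    append_event(log, "billing.rs", "billing", "PT-2002", "read")
    return log


def tampered_copy(log: List[dict]) -> List[dict]:
    """Simulate an after-the-fact edit that downgrades an 'update' to a 'read'."""
    bad = copy.deepcopy(log)
    bad[1]["event"]["action"] = "read"
    return bad


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log verifies at:", verify_chain(log))            # -1
    print("edited log first fails at:", verify_chain(tampered_copy(log)))  # 1
    print("access history:", access_history(log))
```

One caveat a practitioner should keep in mind: a chain like this detects alteration, reordering and deletion inside the log, but removing the most recent entries leaves a shorter chain that still verifies. Anchoring the latest hash somewhere the log writer cannot reach (a separate system, a periodic signed checkpoint) closes that gap, which is part of why the post's emphasis on an independent monitoring solution matters.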
In a similar vein, regulators will look for evidence of an OCR-grade risk assessment having been dutifully conducted – something that once again you’ll be at a disadvantage to produce without a context-aware endpoint-based healthcare cybersecurity solution.
The Path to Medical Device Regulatory Compliance
Regulatory compliance is a key business driver for all hospitals. Clinical engineering and central compliance teams must work together to ensure there are no gaps in the compliance framework and to address any threats or issues as they arise. But with so many medical devices in use and competing calls on the teams’ time, that’s easier said than done.
At the same time, the increase in digitization and automated data capture systems has opened new ways for smart administrators to coax new value from technologies they’re already using. Cybersecurity solutions can be similarly enlisted to seamlessly enhance overall operational intelligence. For compliance purposes in particular, cyber solutions can be called on to identify gaps, plan and execute remediation, validate efforts, and demonstrate adherence. Indeed, this added value is significant enough that it should be included in the vendor selection and procurement process.
Of course, it’s important to realize that adhering to regulations won’t, in itself, give the hospital all the protection it needs. Most of HIPAA was written between 1996 and 2013 (with most of the relevant security stipulations dating back to 2003). Cyber threats are now very different, a fact that further underlines the importance of using a modern cybersecurity solution as a broad-spectrum tool for streamlining medical device regulatory compliance.
[1] It must be noted that this same principle of “reasonable and appropriate” applies to all HIPAA Rules labeled “Addressable”.