Cybersecurity Practices at Large Health Care Organizations

Modified on Wed, 14 Jun, 2023 at 2:35 PM

Large health care organizations perform a range of different functions. These organizations may be integrated with other health care delivery organizations, academic medical centers, insurers that provide health care coverage, clearinghouses, pharmaceuticals, or medical device manufacturers. In most cases, large organizations employ thousands of employees, maintain tens of thousands to hundreds of thousands of IT assets, and have intricate and complex digital ecosystems. Whereas smaller organizations operate using only a few critical systems, large organizations can have hundreds or thousands of interconnected systems with complex functionality.


The missions of large organizations are diverse and varied. They include providing standard general practice care, providing specialty or subspecialty care for complicated medical cases, conducting innovative medical research, providing insurance coverage to large populations of patients, supporting the health care delivery ecosystem, and supplying and researching new therapeutic treatments (such as drugs or medical devices).


Large organizations have missions that are broad in scope, and large volumes of assets may be necessary to fulfill such missions. Even so, they often struggle to obtain funding to maintain security programs and to control their assets (potentially resulting in shadow IT, rogue devices, and unmanaged/unpatched devices). Therefore, it is essential for large organizations to understand how sensitive data flow in and out of the organization, and to understand the boundaries and segments that determine where one entity’s responsibilities end and another’s start.


Large organizations operate in a legal and regulatory environment that is as complicated as their digital ecosystems. It includes, but is not limited to, the following:

  • ONC Certified Electronic Health Information Technology interoperability standards
  • MACRA/Meaningful Use
  • Multiple obligations under the FDA
  • The Joint Commission accreditation processes
  • HIPAA/HITECH requirements
  • Minimum Acceptable Risk Standards for payers
  • State privacy and security rules
  • Federal Information Security Modernization Act requirements as incorporated into federal contracts and research grants through agencies such as the National Institutes of Health
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • SAMHSA requirements
  • The Gramm-Leach-Bliley Act for financial processing
  • The Stark Law as it relates to providing services to affiliated organizations
  • FERPA for institutions that participate in higher education
  • GINA
  • The new GDPR in the European Union


IT Assets Used by Large Organizations

Large organizations support their operations with complicated ecosystems of IT assets. All assets may have cybersecurity vulnerabilities and are susceptible to cyber threats. There are three important factors in securing assets: (1) understanding their relationship within the organization’s IT ecosystem; (2) understanding how the workforce leverages and uses the assets; and (3) understanding the data generated, stored, and processed within those assets.


Not all assets are equally important; some are mission critical and must always be fully operational, while others are less critical, and might even be offline for days or weeks without harming the organization’s mission. Some assets have large repositories of sensitive data that represent significant risk, but are not necessarily critical to the enterprise’s business. In all cases, the organization uses IT assets for business reasons and should protect those assets with proper cyber hygiene controls.


Examples of assets found in large organizations include but are not limited to the following:

  • Devices used by the workforce, such as mobile phones, tablets, voice recorders, and laptop computers for dictation (all with internet connectivity).
  • Personal devices, often referred to as BYOD.
  • Large deployments of IoT assets, including smart televisions and networked medical devices, printers, copiers, security cameras, refrigeration sensors, blood bank monitoring systems, building management sensors, and more.
  • Data that includes sensitive health information stored and processed on devices, servers, applications, and the cloud. These data could include names, medical record numbers, birth dates, SSNs, diagnostic conditions, prescriptions, and mental health, substance abuse, or sexually transmitted infection information. These sensitive data are referred to as PHI.
  • Assets related to the IT infrastructure, such as firewalls, network switches and routers, Wi-Fi networks (corporate and guest), servers supporting IT management systems, and file storage systems (cloud-based or onsite).
  • Applications or information systems that support business processes. These can include ERPs, pathology lab systems, blood bank systems, medical imaging systems, pharmacy systems (retail and specialized), revenue cycle systems, supply chain or materials management systems, specialized oncology therapy systems, radiation oncology treatment systems, data warehouses (clinical, financial, research), vendor management systems, and more.
