Ensuring Privacy and Security for Medical Information Systems
Copyright 2021, Faulkner Information Services. All rights reserved.
Publication Date: 2104
Report Type: IMPLEMENTATION
Organizations that handle medical information face privacy and security
demands beyond those of most other parties. The intense media and
political attention paid to medical records privacy over the past several
years has only increased the pressure on providers. There is not a single
or simple solution to protecting medical information, so it is up to each
organization to understand the myriad issues involved and to craft an
- Executive Summary
- Possible Pitfalls
- Step-by-step Implementation
- Web Links
- Related Reports
Complying with the Health Insurance Portability and Accountability Act
(HIPAA) will form the foundation of a healthcare organization’s strategy
for ensuring the privacy and security of the medical information it
Related Faulkner Reports:
- Healthcare Information
- Electronic Medical Records: Trends
Compliance needs to be regularly checked, especially as new technologies
and practices are put into place. To do so, organizations can routinely
perform the following steps: conduct a security audit, implement new
technologies or procedures based on the audit’s findings, train employees
(including refresher training and training on new technologies and
procedures), and monitor compliance with policies.
But meeting HIPAA requirements is just the first step. Organizations will
also need to consider administrative practices (e.g., confidentiality
policies, designating team members, promoting compliance) and technical
practices (e.g., audit trails, business continuity planning) in order to
fully ensure privacy and security. Employing an independent third-party
firm can aid in these efforts. To select an effective third party, it is
helpful to review the company’s specific, detailed plan for ensuring
privacy and security, in particular its strategy for fixing or mitigating
A Major Threat, a Developing Response
Healthcare organizations are lucrative targets, which makes them frequent
victims of hackers. There have been numerous attacks, with each one
compromising the data of hundreds of thousands, or even millions, of
patients, and the number of breaches continues to grow.1
Because many medical devices use general purpose software and
communications protocols, they are also vulnerable to viruses and
non-targeted threats. These threaten to disrupt a
healthcare organization’s operations and even put the well-being of
patients at risk.2
The industry has responded to these threats. One change, made in just the
past few years, is that medical device manufacturers are increasingly
factoring in security during the design process.3 But other
attempts to respond to the threat against medical devices have been slower
to come to fruition. For example, the United States Food and Drug
Administration (FDA) has not yet created the discussed CYMSAB, a board of
experts who would oversee the distribution of information about exposures in
The First Step: HIPAA Compliance
Ensuring ongoing compliance with the Health Insurance Portability and
Accountability Act (HIPAA) will not only satisfy a key regulatory
requirement, but it will also set the foundation for a healthcare
organization’s overall medical information privacy and security program.
The fines for not meeting HIPAA requirements can reach $1,500,000 for
multiple violations of the same standard in a calendar year, and fines or
imprisonment for up to ten years for knowingly misusing individually
identifiable health information.
To become HIPAA-compliant, healthcare organizations must address each of
four different areas: administrative procedures, physical safeguards,
technical safeguards, and technical security mechanisms.
- Administrative Procedures – These include policies,
procedures, practices, and protocols designed to ensure data integrity,
confidentiality, and availability.
- Physical Safeguards – These are the procedures used
to protect physical systems and related buildings and equipment from
natural disasters or intrusions.
- Technical Safeguards – These are the processes and
procedures that are designed to protect, control, and monitor
- Technical Security Mechanisms – These measures
protect data from unauthorized access across a network. Within these
areas, the United States Department of Health and Human Services (HHS)
suggests that standards be adopted to protect patient data and other
In short, HIPAA regulations are designed to reflect five basic
- Consumer Control – The ability of consumers to
control the release of their medical information.
- Boundaries – The idea that with few exceptions, an
individual’s healthcare information should be used for healthcare
- Accountability – Criminal and non-criminal sanctions
for the inappropriate use or disclosure of patient information.
- Public Responsibility – A recognition of the need to
balance individual privacy with public health responsibilities, such as
the need to divulge confidential data in the interests of combating an
infectious disease outbreak.
- Security – The responsibility of organizations
entrusted with personal health information to protect data against
inadvertent or malicious misuse or disclosure.
Among the technologies available to meet the privacy and security
requirements of HIPAA regulations are the following:
- Digital Signatures – An electronic signature based on
a mathematical algorithm used for signing and authenticating a document.
- Certificate Authority – A trusted third party that
verifies authenticity for those utilizing technologies such as public
key infrastructure and digital signatures.
- Firewalls – Hardware or software used to screen
information and data as it moves through a network.
- Biometrics – An identification system that relies on
individual physical characteristics.
- Encryption Algorithms – Mathematical formulas used to
encrypt data and communications.
- Anti-Malware Applications – As medical devices have
integrated conventional computer technology and platforms, they have
become susceptible to malware. For example, in 2019 researchers
demonstrated how malware could make fake tumors appear on patient
images.5 These threats have created the need for anti-malware
applications to be put into use.
For these technologies to be effective, they should be – and indeed HIPAA
requires that they be – implemented in combination to protect against all
possible security intrusions. Using a single technology or process will
likely result in security gaps, thereby diminishing an organization’s
overall protection. (Some of HIPAA’s privacy and security requirements may
change on occasion. To keep up to date, refer to the site of the Office of
the National Coordinator for Health Information Technology.)
HIPAA has been in place for many years, and compliance with it is the
standard baseline for medical information security and privacy. But new
technology is creating new challenges, and organizations cannot expect
that their long-standing HIPAA program, no matter how comprehensive or
effective, will help them get over all the hurdles on the road
Another trend that could complicate efforts to keep patient information
private and secure is the growing use of Big Data, which is the automated
analysis of the massively large data volumes enabled by the Internet. The
concept of Big Data is being applied in many industries for many different
reasons. For example, one device reportedly can predict seizures with
improved accuracy, using an analysis of patient neural tests over a long
period.6 The device permits some patient customization, another
characteristic that distinguishes it from older technology.
Computer-based medical devices have been in use for years, collecting
various types of data. But these large, diverse data sets aren’t being fully
used, as they are largely unconnected. Big Data technologies can analyze
multiple collections of data and identify patterns and correlations that
traditional, “siloed” analytic tools couldn’t spot.
Today, medically relevant data can be pulled from many sources, from
genomics databases to wearable pulse monitors.7 There is simply
much more data that can be analyzed. This data can be used both to support
care decisions about individual patients and to make broader policy
decisions regarding public health.8 Furthermore, the
Cybersecurity Information Sharing Act of 2015 gives organizations incentives
to provide the federal government with data about their security incidents
and activities, although criticisms that sharing in practice remains limited
linger years later.9 Sharing, when performed, breaks down the
siloed nature of medical data by taking it beyond an organization’s walls.
Healthcare providers can benefit from such sharing by learning about new
threats, particularly those specifically threatening the medical industry.
In the years since the act went into law, the affected federal agencies
– the Office of the Director of National Intelligence along with the
departments of Commerce, Defense, Energy, Homeland Security, Justice, and
Treasury – say they have made progress in sharing information.10 But
in a report made to Congress in December 2019, some Defense Department
sharing practices were judged to be inadequate, in part because they
didn’t remove information that could be used to identify people.
For those healthcare organizations that lack the resources or expertise
to plan and implement an effective, HIPAA-compliant security strategy,
outsourcing is an option. Healthcare companies that currently outsource
some or all of their data processing should not expect automatic
compliance from business partners, however. Expecting vendors to provide
HIPAA compliance under their maintenance contracts is a potentially
When considering an outsourcer to provide the security applications and
technologies required to meet HIPAA guidelines and achieve other privacy
and security goals, it is useful to evaluate the outsourcer’s remediation
and mitigation strategies. Other pertinent inquiries include the following:
- Who owns the data once it moves outside the technological confines of
- Is there a strategy to recover data and applications in the event of a
disaster? In other words, does the company have an effective
business continuity plan?
- How does the outsourcing company ensure that the people who come in
contact with sensitive medical data are not stealing or otherwise
compromising that information?
- What is a customer’s recourse in the event that it is not happy with
the services provided?
Organizations might also decide to prefer medical devices conforming to
the Healthcare and Public Health Sector Coordinating Council’s joint
security plan, which provides voluntary specifications for medical device
IT security and privacy are complicated, and the threats change often.
Keeping pace with the dangers is especially challenging in medicine, which
maintains highly sensitive patient data and is subject to specialized
regulations. In short, healthcare organizations face all of the risks of any
user of computerized technology along with many specific threats.
One specific risk comes from the greater use of electronic health
records (EHRs). EHRs store a patient’s entire medical history in a
standardized computer format that can be viewed and updated by any medical
provider. The potential cost, efficiency, and safety benefits of EHRs are
enormous, but the technology also raises privacy and security concerns
that are not a factor with the paper records they aim to replace. EHRs can
be hacked (as has happened many times), or they can simply be
inadvertently leaked or otherwise compromised. The ease with which
electronic records can be shared makes them vulnerable to lapses in
One source of pressure from the federal government is that in 2016 the
FDA issued security guidelines for makers of medical equipment.12
The FDA’s recommendations call for manufacturers to use NIST’s
cybersecurity framework, to monitor widely used cybersecurity reporting
sources for warnings, to create a plan for communication and disclosure
of incidents, and to develop risk assessment and mitigation strategies.
Organizations would be wise not to rely too heavily on manufacturers to
ensure security, however.
The government is also aiming to offer some assistance. In 2018, the
FDA and Department of Homeland Security agreed to work together more
closely to share data and develop response strategies for threats to
medical devices.13 An aspect of this collaboration will be a
vulnerability evaluation process that determines how patients could be
affected by security exposures in healthcare equipment.
Other challenges involve people and policies. Often, the weakest link in a
security system is the people who operate it (or operate within it). It
is human nature: Many people take the most direct – or least difficult –
route to completing a task. For that reason, security systems should be easy
to use, and users should be trained, monitored, and periodically retrained
in the use of secure applications. Importantly, since most security
systems depend, in large measure, on voluntary compliance, clear and
comprehensive security policies must be established. Policies should
encourage a security-conscious corporate culture.
Finally, not all security threats are external. In fact, employees
are responsible for many – if not most – security violations. A
well-conceived and well-executed security plan will consider this fact.
HIPAA leaves the order in which healthcare organizations implement the
technologies and applications necessary to secure their electronic
information up to the organization. The regulation suggests that “each
affected entity assess its own security needs and risks and devise,
implement, and maintain appropriate security to address its business
It is also crucial to be sensitive to state laws regarding privacy. For
example, the California Confidentiality of Medical Information Act is
stricter than HIPAA, so affected agencies must account for differences such
as a broader definition of personally identifiable information.14
(Other states with healthcare privacy data laws that go beyond HIPAA, in at
least some respects, include Illinois and New York.15)
Those needs can usually be addressed in four stages: audit,
implementation, training, and ongoing monitoring. Even now that
organizations have compliance strategies in place, these steps can be
repeated to ensure ongoing compliance, particularly as new technologies
and work practices are adopted:
- Stage 1. Audit – The audit stage is a time for
examining the existing technologies and business practices to determine
what is necessary to maintain HIPAA compliance. A security audit and a
technology audit should be completed by an objective third party who
will analyze existing systems and processes and then make
recommendations on how to improve those technologies and business
practices to (1) secure electronically transferred patient information
and (2) meet HIPAA regulations. Normally, a security audit is
performed before any new security system, application, or procedure is
implemented to determine what an organization’s strengths and weaknesses
might be. The results of the audit provide direction relative to
subsequent security investments.
- Stage 2. Implementation – Implementation teams
should be formed to follow every step of the implementation process
from securing the correct applications and technologies to ensuring
that adequate infrastructure exists. Implementation teams may also be
involved in reviewing existing policies and planning for stages 3 and 4.
- Stage 3. Training – Training would seem to be a
relatively simple step. But improperly trained people are one of the
most common reasons that security systems fail. Training and retraining
programs should be put into place to ensure that users understand the
value of the system and how to put the system to work to safeguard
- Stage 4. Ongoing Monitoring – HIPAA requires that
all technologies and applications be monitored to prevent them from
becoming outdated or obsolete. For that reason, security systems
and procedures should be continuously evaluated to ensure that they
continue to meet the needs of the healthcare organization. Furthermore,
monitoring usage of security systems and processes helps to ensure that
staff are using the system properly and points to areas where users may
need retraining or to areas that might need improvement to make them
easier to use.
For guidance on performing these processes, organizations can use
existing frameworks for security in healthcare environments. For example,
the US Centers for Medicare and Medicaid Services (CMS) offers a framework
for “Information Security and Privacy.”16 The CMS framework
provides “policies, standards, procedures, and guidelines” related to
security and privacy. The US FDA also frequently publishes guidance about
medical device privacy and security, as well as hosting workshops, but
many of its efforts are aimed at manufacturers rather than the
organizations that use the technology.17 And, through the
Privacy Act, the FDA provides online information and enables citizens to
make requests for information.18
1. “Largest Healthcare Data Breaches in 2020.” HIPAA Journal. January 1, 2021.
2. “FDA Informs Patients, Providers and Manufacturers About Potential Cybersecurity Vulnerabilities for Connected Medical Devices and Health Care Networks that Use Certain Communication Software.” United States Food and Drug Administration. October 1, 2019.
3. Taylor Armerding. “The Journey to Better Medical Device Security: Still Slow, Still Bumpy.” Security Boulevard. January
5. Travis Taylor. “Malware-Infected Medical Equipment Shows Fake Tumors.” CyberScout. April 11, 2019.
6. Jessica Kent. “Deep Learning, Big Data Fuel Medical Device for Predicting Seizures.” Health IT Analytics. February 1, 2018.
7. Eric Louie and Jessica Baker. “Harnessing Big Data.” Healthbox.
8. Brad S. Karp and Paul Weiss. “Federal Guidance on the Cybersecurity Information Sharing Act of 2015.” Harvard Law School Forum on Corporate Governance and Financial Regulation. March 3, 2016.
9. Mariam Baksh. “CISA Reveals Timeline for Improving Anemic Information Sharing Program.” NextGov. October
10. Frank Konkel. “The Government’s Only Laggard Complying with the Cybersecurity Information Sharing Act of 2015 Is the Defense Department.” NextGov. January 2, 2020.
11. Jessica Davis. “HSCC Releases Joint Medical Device Security Lifecycle Guidance.” HealthITSecurity. January 29,
12. “FDA Outlines Cybersecurity Recommendations for Medical Device Manufacturers.” United States Food and Drug Administration. January
13. Jessica Davis. “FDA, DHS to Increase Collaboration on Medical Device Security and Framework.” Healthcare IT News. October 17, 2018.
14. Maxine Henry. “California Confidentiality of Medical Information Act vs. HIPAA.” Reciprocity. November 20, 2019.
15. Robert Godard. “Which Matters More: HIPAA or State Law?” Partners. March 14, 2019.
16. “Information Security and Privacy Overview.” Centers for Medicare and Medicaid Services. February 27, 2018.
17. “Cybersecurity.” United States Food and Drug Administration. (“Content Current as of 10/22/2020.”)
18. “Privacy Act.” United States Food and Drug Administration. (“Content Current as of 03/02/2021.”)
Department of Homeland Security: https://www.dhs.gov/
The Healthcare and Public Health Sector Coordinating Council: https://healthsectorcouncil.org/
Office of the National Coordinator for Health Information Technology: https://www.healthit.gov/
About the Author
Geoff Keston is the author of more than 250 articles
that help organizations find opportunities in business trends and
technology. He also works directly with clients to develop communications
strategies that improve processes and customer relationships. Mr. Keston
has worked as a project manager for a major technology consulting and
services company and is a Microsoft Certified Systems Engineer and a
Certified Novell Administrator.