Ensuring Privacy and Security for Medical Information Systems


by Geoff Keston

Docid: 00011324

Publication Date: 2104



Organizations that handle medical information face privacy and security
demands beyond those of most other parties. The intense media and
political attention paid to medical records privacy over the past several
years has only increased the pressure on providers. There is not a single
or simple solution to protecting medical information, so it is up to each
organization to understand the myriad issues involved and to craft an
appropriate strategy.

Executive Summary

Complying with the Health Insurance Portability and Accountability Act
(HIPAA) will form the foundation of a healthcare organization’s strategy
for ensuring the privacy and security of the medical information it

Compliance needs to be regularly checked, especially as new technologies
and practices are put into place. To do so, organizations can routinely
perform the following steps: conduct a security audit, implement new
technologies or procedures based on the audit’s findings, train employees
(including refresher training and training on new technologies and
procedures), and monitor compliance with policies.

But meeting HIPAA requirements is just the first step. Organizations will
also need to consider administrative practices (e.g., confidentiality
policies, designating team members, promoting compliance) and technical
practices (e.g., audit trails, business continuity planning) in order to
fully ensure privacy and security. Employing an independent third-party
firm can aid in these efforts. To select an effective third-party, it is
helpful to review the company’s specific, detailed plan for ensuring
privacy and security, in particular its strategy for fixing or mitigating


A Major Threat, a Developing Response

Healthcare organizations hold valuable data, making them lucrative and
frequent targets for hackers. There have been numerous attacks, each one
compromising the data of hundreds of thousands, or even millions, of
patients, and the number of breaches continues to grow.1

Because many medical devices use general purpose software and
communications protocols, they are also vulnerable to viruses and
non-targeted threats. These threaten to disrupt a
healthcare organization’s operations and even put the well-being of
patients at risk.2

The industry has responded to these threats. One change, made in just the
past few years, is that medical device manufacturers are increasingly
factoring in security during the design process.3 But other
attempts to respond to the threat against medical devices have been slower
to come to fruition. For example, the United States Food and Drug
Administration (FDA) has not yet created the CYMSAB it has discussed, a
board of experts who would oversee the distribution of information about
exposures in medical equipment.4

The First Step: HIPAA Compliance

Ensuring ongoing compliance with the Health Insurance Portability and
Accountability Act (HIPAA) will not only satisfy a key regulatory
requirement, but it will also set the foundation for a healthcare
organization’s overall medical information privacy and security program.
The fines for not meeting HIPAA requirements can reach $1,500,000 for
multiple violations of the same standard in a calendar year, and fines or
imprisonment for up to ten years for knowingly misusing individually
identifiable health information.

To become HIPAA-compliant, healthcare organizations must address each of
four different areas: administrative procedures, physical safeguards,
technical safeguards, and technical security mechanisms.

  • Administrative Procedures – These include policies,
    procedures, practices, and protocols designed to ensure data integrity,
    confidentiality, and availability.
  • Physical Safeguards – These are the procedures used
    to protect physical systems and related buildings and equipment from
    natural disasters or intrusions. 
  • Technical Safeguards – These are the processes and
    procedures that are designed to protect, control, and monitor
    information access. 
  • Technical Security Mechanisms – These measures
    protect data from unauthorized access across a network. Within these
    areas, the United States Department of Health and Human Services (HHS)
    suggests that standards be adopted to protect patient data and other
    confidential information.

In short, HIPAA regulations are designed to reflect five basic

  • Consumer Control – The ability of consumers to
    control the release of their medical information.
  • Boundaries – The idea that with few exceptions, an
    individual’s healthcare information should be used for healthcare
    purposes only.
  • Accountability – Criminal and non-criminal sanctions
    for the inappropriate use or disclosure of patient information.
  • Public Responsibility – A recognition of the need to
    balance individual privacy with public health responsibilities, such as
    the need to divulge confidential data in the interests of combating an
    infectious disease outbreak.
  • Security – The responsibility of organizations
    entrusted with personal health information to protect data against
    inadvertent or malicious misuse or disclosure.

Among the technologies available to meet the privacy and security
requirements of HIPAA regulations are the following: 

  • Digital Signatures – An electronic signature based on
    a mathematical algorithm used for signing and authenticating a document.
  • Certificate Authority – A trusted third party that
    verifies authenticity for those utilizing technologies such as public
    key infrastructure and digital signatures.
  • Firewalls – Hardware or software used to screen
    information and data as it moves through a network. 
  • Biometrics – An identification system that relies on
    individual physical characteristics. 
  • Encryption Algorithms – Mathematical formulas used to
    encrypt data and communications.
  • Anti-Malware Applications – As medical devices have
    integrated conventional computer technology and platforms, they have
    become susceptible to malware. For example, in 2019 researchers
    demonstrated how malware could make fake tumors appear on patient
    images.5 These threats have created the need for anti-malware
    applications to be put into use.

For these technologies to be effective, they should be – and indeed HIPAA
requires that they be – implemented in combination to protect against all
possible security intrusions. Using a single technology or process will
likely result in security gaps, thereby diminishing an organization’s
overall protection. (Some of HIPAA’s privacy and security requirements may
change on occasion. To keep up to date, refer to the Office of the National
Coordinator’s Health Information Technology’s site.)

Beyond HIPAA

HIPAA has been in place for many years, and compliance with it is the
standard baseline for medical information security and privacy. But new
technology is creating new challenges, and organizations cannot expect
that their long-standing HIPAA program, no matter how comprehensive or
effective, will help them get over all the hurdles on the road

Another trend that could complicate efforts to keep patient information
private and secure is the growing use of Big Data, which is the automated
analysis of the very large data volumes that the Internet makes available. The
concept of Big Data is being applied in many industries for many different
reasons. For example, one device reportedly can predict seizures with
improved accuracy, using an analysis of patient neural tests over a long
period.6 The device permits some patient customization, another
characteristic that distinguishes it from older technology.

Computer-based medical devices have been in use for years, collecting
various types of data. But these large, diverse data sets aren’t being fully
used, as they are largely unconnected. Big Data technologies can analyze
multiple collections of data and identify patterns and correlations that
traditional, “siloed” analytic tools couldn’t spot.

Today, medically relevant data can be pulled from many sources, from
genomics databases to wearable pulse monitors.7 There is simply
much more data that can be analyzed. This data can be used both to support
care decisions about individual patients and to make broader policy
decisions regarding public health.8 Furthermore, the
Cybersecurity Information Sharing Act of 2015 gives organizations incentives
to provide the federal government with data about their security incidents
and activities, although criticisms that sharing in practice remains limited
linger years later.9 Sharing, when performed, breaks down the
siloed nature of medical data by taking it beyond an organization’s walls.
Healthcare providers can benefit from such sharing by learning about new
threats, particularly those specifically threatening the medical industry.

In the years since the act went into law, the affected federal agencies
– the Office of the Director of National Intelligence along with the
departments of Commerce, Defense, Energy, Homeland Security, Justice, and
Treasury – say they have made progress in sharing information.10 But
in a report made to Congress in December 2019, some Defense Department
sharing practices were judged to be inadequate, in part because they
didn’t remove information that could be used to identify people.


For those healthcare organizations that lack the resources or expertise
to plan and implement an effective, HIPAA-compliant security strategy,
outsourcing is an option. Healthcare companies that currently outsource
some or all of their data processing should not expect automatic
compliance from business partners, however. Expecting vendors to provide
HIPAA compliance under their maintenance contracts is a potentially
dangerous assumption.

When considering an outsourcer to provide the security applications and
technologies required to meet HIPAA guidelines and achieve other privacy
and security goals, it is useful to evaluate the outsourcer’s remediation
and mitigation strategies. Other pertinent inquiries include the

  • Who owns the data once it moves outside the technological confines of
    the organization? 
  • Is there a strategy to recover data and applications in the event of a
    disaster? In other words, does the company have an effective
    business continuity plan?
  • How does the outsourcing company ensure that the people who come in
    contact with sensitive medical data are not stealing or otherwise
    compromising that information? 
  • What is a customer’s recourse in the event that it is not happy with
    the services provided?

Organizations might also decide to prefer medical devices conforming to
the Healthcare and Public Health Sector Coordinating Council’s joint
security plan, which provides voluntary specifications for medical device

Possible Pitfalls

IT security and privacy are complicated, and the threats change often.
Keeping pace with the dangers is especially challenging in medicine, which
maintains highly sensitive patient data and is subject to specialized
regulations. In short, healthcare organizations face all of the risks of any
user of computerized technology along with many specific threats.

One specific risk comes from the greater use of electronic health
records (EHRs). EHRs store a patient’s entire medical history in a
standardized computer format that can be viewed and updated by any medical
provider. The potential cost, efficiency, and safety benefits of EHRs are
enormous, but the technology also raises privacy and security concerns
that are not a factor with the paper records they aim to replace. EHRs can
be hacked (as has happened many times), or they can simply be
inadvertently leaked or otherwise compromised. The ease with which
electronic records can be shared makes them vulnerable to lapses in

One source of pressure from the federal government is that in 2016 the
FDA issued security guidelines for makers of medical equipment.12
The FDA’s recommendations call for manufacturers to use the NIST’s
cybersecurity framework, to follow popular cybersecurity reporting
authorities for warnings, to create a plan for communication and disclosure
of incidents, and to develop risk assessment and mitigation strategies.
Organizations would be wise not to rely too heavily on manufacturers to
ensure security, however.

The government is also aiming to offer some assistance. In 2018, the
FDA and Department of Homeland Security agreed to work together more
closely to share data and develop response strategies for threats to
medical devices.13 An aspect of this collaboration will be a
vulnerability evaluation process that determines how patients could be
affected by security exposures in healthcare equipment.

Other challenges involve people and policies. Often, the weakest link in a
security system is the people who operate it (or operate within it). It
is human nature: Many people take the most direct – or least difficult –
route to completing a task. For that reason, security systems should be easy
to use, and users should be trained, monitored, and periodically retrained
in the use of secure applications. Importantly, since most security
systems depend, in large measure, on voluntary compliance, clear and
comprehensive security policies must be established. Policies should
encourage a security-conscious corporate culture.

Finally, not all security threats are external. In fact, employees
are responsible for many – if not most – security violations. A
well-conceived and well-executed security plan will consider this fact.

Step-by-Step Implementation

HIPAA leaves the order in which healthcare organizations implement the
technologies and applications necessary to secure their electronic
information up to the organization. The regulation suggests that “each
affected entity assess its own security needs and risks and devise,
implement, and maintain appropriate security to address its business

It is also crucial to be sensitive to state laws regarding privacy. For
example, the California Confidentiality of Medical Information Act is
stricter than HIPAA, so affected agencies must account for differences such
as a broader definition of personally identifiable information.14
(Other states with healthcare privacy data laws that go beyond HIPAA, in at
least some respects, include Illinois and New York.15)

Those needs can usually be addressed in four stages: audit,
implementation, training, and ongoing monitoring. Even now that
organizations have compliance strategies in place, these steps can be
repeated to ensure ongoing compliance, particularly as new technologies
and work practices are adopted:

  • Stage 1. Audit – The audit stage is a time for
    examining the existing technologies and business practices to determine
    what is necessary to maintain HIPAA compliance. A security audit and a
    technology audit should be completed by an objective third party who
    will analyze existing systems and processes and then make
    recommendations on how to improve those technologies and business
    practices to (1) secure electronically transferred patient information
    and (2) meet HIPAA regulations. Normally, a security audit is
    performed before any new security system, application, or procedure is
    implemented to determine what an organization’s strengths and weaknesses
    might be. The results of the audit provide direction relative to
    subsequent security investments.
  • Stage 2. Implementation – Implementation teams
    should be formed to follow every step of the implementation process
    from securing the correct applications and technologies to ensuring
    that adequate infrastructure exists. Implementation teams may also be
    involved in reviewing existing policies and planning for stages 3 and 4.
  • Stage 3. Training – Training would seem to be a
    relatively simple step. But improperly trained people are one of the
    most common reasons that security systems fail. Training and retraining
    programs should be put into place to ensure that users understand the
    value of the system and how to put the system to work to safeguard
    medical information. 
  • Stage 4. Ongoing Monitoring – HIPAA requires that
    all technologies and applications be monitored to prevent them from
    becoming outdated or obsolete. For that reason, security systems
    and procedures should be continuously evaluated to ensure that they
    continue to meet the needs of the healthcare organization. Furthermore,
    monitoring usage of security systems and processes helps to ensure that
    staff are using the system properly and points to areas where users may
    need retraining or to areas that might need improvement to make them
    easier to use.

For guidance on performing these processes, organizations can use
existing frameworks for security in healthcare environments. For example,
the US Centers for Medicare and Medicaid Services (CMS) offers a framework
for “Information Security and Privacy.”16 The CMS framework
provides “policies, standards, procedures, and guidelines” related to
security and privacy. The US FDA also frequently publishes guidance about
medical device privacy and security, as well as hosting workshops, but
many of its efforts are aimed at manufacturers rather than the
organizations that use the technology.17 And, through the
Privacy Act, the FDA provides online information and enables citizens to
make requests for information.18


1 “Largest Healthcare Data Breaches in 2020.” HIPAA Journal. January 1, 2021.

2 “FDA Informs Patients, Providers and Manufacturers About
Potential Cybersecurity Vulnerabilities for Connected Medical Devices and
Health Care Networks that Use Certain Communication Software.” United
States Food and Drug Administration. October 1, 2019.

3 Taylor Armerding. “The Journey to Better Medical Device
Security: Still Slow, Still Bumpy.” Security Boulevard. January
7, 2020.

4 Ibid.

5 Travis Taylor. “Malware-Infected Medical Equipment Shows
Fake Tumors.” CyberScout. April 11, 2019.

6 Jessica Kent. “Deep Learning, Big Data Fuel Medical Device
for Predicting Seizures.” Health IT Analytics. February 1, 2018.

7 Eric Louie and Jessica Baker. “Harnessing Big Data.” Healthbox.

8 Ibid.

9 See: Brad S. Karp and Paul Weiss. “Federal Guidance on the
Cybersecurity Information Sharing Act of 2015.” Harvard Law School Forum
on Corporate Governance and Financial Regulation. March 3, 2016; and
Mariam Baksh. “CISA Reveals Timeline for Improving Anemic Information
Sharing Program.” NextGov. October 5, 2020.

10 Frank Konkel. “The Government’s Only Laggard Complying
with the Cybersecurity Information Sharing Act of 2015 Is the Defense
Department.” NextGov. January 2, 2020.

11 Jessica Davis. “HSCC Releases Joint Medical Device
Security Lifecycle Guidance.” HealthITSecurity. January 29,

12 “FDA Outlines Cybersecurity Recommendations for Medical
Device Manufacturers.” United States Food and Drug Administration.
January 15, 2016.

13 Jessica Davis. “FDA, DHS to Increase Collaboration on
Medical Device Security and Framework.” Healthcare IT News.
October 17, 2018.

14 Maxine Henry. “California Confidentiality of Medical
Information Act vs. HIPAA.” Reciprocity. November 20, 2019.

15 Robert Godard. “Which Matters More: HIPAA or State Law?”
March 14, 2019.

16 “Information Security and Privacy Overview.” Centers for
Medicare and Medicaid Services. February 27, 2018.

17 “Cybersecurity.” United States Food and Drug Administration.
(“Content Current as of 10/22/2020.”)

18 “Privacy Act.” United States Food and Drug Administration.
(“Content Current as of 03/02/2021.”)

Department of Homeland Security: https://www.dhs.gov/
FDA: https://www.fda.gov/
The Healthcare and Public Health Sector Coordinating Council: https://healthsectorcouncil.org/
Office of the National Coordinator’s Health Information Technology: https://www.healthit.gov/

About the Author

Geoff Keston is the author of more than 250 articles
that help organizations find opportunities in business trends and
technology. He also works directly with clients to develop communications
strategies that improve processes and customer relationships. Mr. Keston
has worked as a project manager for a major technology consulting and
services company and is a Microsoft Certified Systems Engineer and a
Certified Novell Administrator.
