![Healthcare Organizations and Tighter Security Requirements](https://www.netspi.com/wp-content/uploads/2024/03/Blog-Feature-Images-03.webp)
Healthcare Organizations and Tighter Security Requirements
Because of increasing threats, high-profile data breaches, and increased awareness of the damage they cause, we anticipate a substantial tightening of regulations and contractual requirements that will significantly impact information security in healthcare.
Today, HIPAA, CCHIT, and state breach notification laws are the main standards that govern security within healthcare systems that deal with protected health information (PHI). But these are generally high-level requirements with low levels of enforcement. The American Recovery and Reinvestment Act (ARRA) of 2009 contains legislation mandating broader and deeper security for healthcare, and the consensus view is that more legislated regulations will follow.

The Health Information Trust Alliance (HITRUST) is an industry group that has developed a set of standards, the Common Security Framework (CSF). This set of standards generally follows industry best practices and is very comprehensive. Important members of this group (Humana, United Health Group, Blue Cross Blue Shield, and Columbia HCA, to name a few) are pushing to mandate these standards across the industry. It is possible that many of these standards will be adopted by the group members through a contractual stipulation that the software they purchase meet the HITRUST CSF standards.

In addition to HIPAA and CSF, Payment Card Industry (PCI) standards also affect healthcare payers and providers when credit card information is involved in any way (processing, storing, or transmitting). For healthcare payers and providers, the PCI Data Security Standard (PCI DSS) applies. For healthcare software providers whose applications touch credit card data, the PCI Payment Application Data Security Standard (PA-DSS) applies.

It is likely that the Obama administration will implement much stricter security standards in healthcare, in conjunction with its emphasis on greater use of electronic health records (EHR). It is also likely that these standards will follow industry best practices and be based on the most successful existing standards, such as PCI and HITRUST.
Based on this likely increase in regulations and the growing number of threats, healthcare organizations should develop a risk-based security strategy that incorporates industry best practices, using HIPAA, CCHIT, PCI, and HITRUST as a guide.