An Analysis of Cybersecurity Requirements in Healthcare
Abstract
Cybersecurity and securing Protected Health Information (PHI) in the healthcare industry is an increasingly complex challenge. The complexity is caused, not only by an increased use of healthcare technology and increasingly networked systems and medical devices, but also by the myriad of federal, state, local, and professional organizations producing requirements and recommendations for healthcare organizations trying to safeguard PHI. Conflicting and complex requirements can lead to confusion and vulnerabilities for healthcare organizations. There have been many data breaches reported in recent years including the Anthem breach affecting up to 80 million people and the UCLA Health System breach affecting 4.5 million people in 2015.
Recent research has been conducted in the area of conflicting medical regulations. However, these studies are somewhat limited in scope. Maxwell et al. [1] identified conflicting software compliance requirements in their study of the HIPAA Privacy Rule, the Gramm–Leach–Bliley Act (GLBA), and the GLBA Financial Privacy Rule. The American Society for Healthcare Engineering (ASHE) has identified conflicting requirements in regulations for physical hospital facilities as a major topic in its annual report since 2012 [2].
Data breaches, coupled with conflicting and complex requirements, motivated the idea that the various regulations, laws, and standards in healthcare should be analyzed with respect to cybersecurity to determine where they complement one another, where they conflict, and where there are gaps in coverage. The results provide a basis for further research and analysis that could facilitate the development of recommendations for solutions to these problems. A Venn diagram visualizes the coverage of regulations, laws, and standards with respect to their focus on interoperability and security. Overlapping areas in the diagram represent potential areas of conflict. Gaps between circles represent potential gaps in coverage that may lead to vulnerabilities.
References
[1] J. Maxwell, A. Antón, P. Swire, M. Riaz, and C. McCraw, “A legal cross-references taxonomy for reasoning about compliance requirements,” Requir. Eng., vol. 17, no. 2, pp. 99–115, 2012.
[2] “American Society for Healthcare Engineering | Resource Library,” American Society for Healthcare Engineering, 2015. [Online]. Available: http://www.ashe.org/resources/#.VjOm7LerSM9. [Accessed: 21-Oct-2015].
Authors
- Maureen Van Devender (University of South Alabama)
- Matt Campbell (University of South Alabama)
Topic Area
Topics: Accounting, Business Ethics, Business Law, Information Privacy & Security
Session
AC2 » Trust and Security Issues (10:15 - Friday, 19th February, Tidewater C)
Paper
Cyber_security_in_the_health_care_industry_-_Abstract.pdf