Aligning ePHI SaaS Security with NIST CSF: Strategies for Healthcare Providers

Updated on December 26, 2023

With data threats against healthcare organizations on the rise, here are the steps you should take to bolster the security of data in the cloud

To ensure patients are healthy and safe, healthcare providers may encourage them to have regular checkups, eat a well-balanced diet, exercise regularly, and get adequate sleep. Healthcare providers understand the proper measures to protect patient well-being; however, they may not comprehend the requirements for securing mission-critical data, particularly electronic Protected Health Information (ePHI), in the cloud. This is a crucial concern because modern healthcare depends on the confidentiality, availability, and integrity of ePHI. From a holistic lens, it is important to look after the well-being of your organization to reduce the risk of data breaches, ransomware attacks, operational interruptions, regulatory penalties, and other impacts and expenses resulting from loss or exposure of ePHI. 

Now more than ever, healthcare organizations need to strengthen data security in the cloud as the rise of threats becomes increasingly prominent.

Rising Risks and Regulations

Cyber attacks against the healthcare industry are increasing at an alarming rate. According to the US Department of Health and Human Services, there were 480 electronic data breaches of healthcare organizations affecting 500 or more individuals each in the first three quarters of 2023, up from 373 in the entirety of 2022. So far, in 2023, 87 million patients have been affected, versus 37 million in all of 2022, a 57% increase in one year. Security issues in Salesforce and ServiceNow have been documented for some time, permitting public access to sensitive data inside healthcare provider SaaS environments.

While frequency alone is enough to reevaluate your risk profile, it’s not the only factor at play. Healthcare breaches are a major financial liability, costing healthcare organizations an average of $10 million per attack. Government-mandated regulations such as HIPAA and GDPR have strict data security requirements with severe penalties for non-compliance. New York State leads the nation in cybersecurity regulations and is raising the bar for hospitals with stronger requirements that follow on the coattails of recent updates to the 23 NYCRR 500 cybersecurity regulation for financial services companies. 

SaaS Data Security Challenges

So, why is securing patient data so difficult? The answer is as complex as the human body, but the three main challenges are dynamic work environments, the diversity of technology, and the high value of ePHI. Sharing data is essential to providing healthcare. Between medical practitioners, providers, labs, patient portals, and more, the healthcare ecosystem, and a patient’s health, depends on collaboration through multiple data touchpoints. Healthcare providers require information immediately to perform their work effectively and may treat sensitive information insecurely, such as saving it in overexposed locations or sending it via unencrypted email. Many healthcare organizations maintain multiple facilities in different locations with varied information technology, making it more difficult to maintain a consistent cybersecurity posture across the enterprise. Cyber criminals can monetize patient information in multiple ways, including double-extortion ransomware and identity theft.

Recovery and Response Readiness

The National Institute of Standards and Technology (NIST) provides general recommendations for healthcare cybersecurity, including conducting risk assessments, security awareness and training, having incident response procedures, and implementing security controls. Organizations need specific solutions that continuously safeguard ePHI in SaaS environments to ensure its confidentiality, integrity, and availability. The benefit of routine health checkups translates to SaaS data security as the need for regular monitoring and continuous improvement based on lessons learned over time, which is depicted as a cyclical process.  

Ensuring SaaS Data Health and Safety

1) Identify: Perform Regular ePHI Check-ups

Like regular check-ups with your doctor, routine risk analysis of your SaaS data helps identify gaps in your security posture before a successful attack exploits them. For healthcare providers, a data-centric approach to risk assessment and risk management is essential for securing ePHI. To manage the risk of ePHI in SaaS environments, you have to figure out which data is most vulnerable and requires the most attention and care. To maximize the value of a SaaS data security audit, consider working with an independent auditor. They will study your data and stress-test your existing SaaS operations to help you determine your data security, compliance, backup, and recovery needs.

2) Protect: Maintain ePHI Health and Hygiene

Although SaaS providers are responsible for the security of their platform, it is up to the customer to protect their data. The first line of defense against unauthorized access to ePHI is multi-factor authentication and restricting API access. Routinely backing up mission-critical SaaS data to a secure third-party system is essential to recover from incidents, including data loss and corruption. Backups are required by the HIPAA Security Rule, which naturally applies to SaaS platforms such as Salesforce Health Cloud.

So, what about the risk of access to ePHI via legitimate user accounts, like employees? In one healthcare organization, 90% of users could export reports containing sensitive SaaS data, and 100% of users could read/edit high-risk fields (member data). That means that those high-risk fields were not encrypted at rest. To address this type of challenge, your healthcare organization must be equipped to protect data against unauthorized access from within SaaS environments. 
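The permission audit behind figures like the ones above can be scripted. The following is an added example, not code from the original article or from Own: it takes a constructed export of SaaS profiles (the profile names, field names and the three-level "none/read/edit" permission model are assumptions), computes what share of users can export reports or touch high-risk fields, and flags every grant that exceeds a need-to-know policy.

```python
# Added example (not from the original article): audit SaaS profile permissions
# for ePHI over-exposure. Profile names, field names and the permission model
# are constructed assumptions, not a real org's or vendor's export format.

# High-risk ePHI fields (assumed names) and a need-to-know policy: which
# profiles legitimately need each field, at what level. Broader grants are findings.
HIGH_RISK_FIELDS = ("SSN__c", "Diagnosis__c", "MemberId__c")
NEED_TO_KNOW = {
    "SSN__c": {"Billing": "edit"},
    "Diagnosis__c": {"Clinician": "edit", "Nurse": "read"},
    "MemberId__c": {"Billing": "read", "Clinician": "read", "Nurse": "read"},
}
LEVELS = {"none": 0, "read": 1, "edit": 2}

def audit(profiles, user_counts):
    """profiles: list of (name, can_export_reports, {field: "none"|"read"|"edit"});
    user_counts: profile name -> assigned users. Returns (% users who can export,
    % users who can touch a high-risk field, findings=(profile, field, granted, allowed))."""
    total = sum(user_counts.values())
    export_users = high_risk_users = 0
    findings = []
    for name, can_export, access in profiles:
        n = user_counts.get(name, 0)
        export_users += n if can_export else 0
        touches = False
        for fld in HIGH_RISK_FIELDS:
            granted = access.get(fld, "none")
            touches |= LEVELS[granted] > 0
            allowed = NEED_TO_KNOW.get(fld, {}).get(name, "none")
            if LEVELS[granted] > LEVELS[allowed]:  # more than the role needs
                findings.append((name, fld, granted, allowed))
        high_risk_users += n if touches else 0
    pct = lambda x: round(100.0 * x / total, 1) if total else 0.0
    return pct(export_users), pct(high_risk_users), findings

# Constructed sample: a Helpdesk profile with edit-everything and export rights.
SAMPLE_PROFILES = [
    ("Clinician", False, {"SSN__c": "read", "Diagnosis__c": "edit", "MemberId__c": "read"}),
    ("Nurse", False, {"Diagnosis__c": "read", "MemberId__c": "read"}),
    ("Billing", True, {"SSN__c": "edit", "MemberId__c": "read"}),
    ("Helpdesk", True, {"SSN__c": "edit", "Diagnosis__c": "edit", "MemberId__c": "edit"}),
]
SAMPLE_USER_COUNTS = {"Clinician": 40, "Nurse": 30, "Billing": 10, "Helpdesk": 20}

if __name__ == "__main__":
    exp, hr, found = audit(SAMPLE_PROFILES, SAMPLE_USER_COUNTS)
    print(f"{exp}% can export reports; {hr}% can read/edit high-risk fields")
    for prof, fld, got, ok in found:
        print(f"  {prof}: {fld} granted={got}, need-to-know={ok}")
```

On the constructed sample, every user can touch at least one high-risk field even though only the Clinician SSN grant and the three Helpdesk grants exceed the policy, which is why the percentage alone does not tell you which profiles to fix.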

Archiving inactive patient information helps limit risk by reducing the amount of data that is immediately accessible. It is important to use an archiving solution that satisfies data retention requirements while being readily accessible when needed.

When performing training, development, analytics, and other essential work supporting healthcare, it is necessary to use realistic data while maintaining privacy and security. To avoid exposing ePHI in such situations, particularly in development environments, it is necessary to anonymize the data.

3) Detect: Diagnose ePHI Problems and Misuse

An ongoing challenge is to prevent people from putting ePHI at risk. The solution is a combination of raising awareness and routine monitoring. Effective data breach and data loss prevention starts with employee education. It’s critical that all staff members understand evolving data security risks and are well-equipped to prevent an outside attack. Start by implementing regular, organization-wide training on the most common attack techniques, such as phishing and credential stuffing. With this foundational awareness in place, your staff will know what to look for and how to stop potential threats before it’s too late. It is also important to trust but verify, monitoring for mistakes and malicious activities in SaaS environments.

4) Respond: Address Problems Promptly

When it comes to cybersecurity protection, take inspiration from the ultimate defender: the human body’s immune system. Just as the body builds antibodies after an infection, organizations that experience a serious cybersecurity incident learn from the experience, creating digital antibodies that improve their data security posture and incident response capabilities. An effective approach to building incident preparedness without actually suffering a major disaster is to conduct periodic exercises that test response processes. For instance, if you test your response to an incident involving unauthorized access to sensitive data, you would know to implement measures to control and encrypt data. If you find yourself dealing with the loss or unavailability of mission-critical information, there is an opportunity for you to improve your operational continuity capabilities and get back to normal operations faster.

By performing regular response practice exercises, your organization can build its cyber threat immunity, which improves its capabilities when responding to real events. 

When an organization experiences a cyber incident and has implemented proactive data preservation tactics, opportunities to perform forensic analysis and rapid recovery measures are created. 

5) Recover: Cultivate Operational Continuity

Being prepared for the worst case scenario makes it easier to restore normal operations when something actually happens. To ensure that patient care continues during a cybersecurity incident impacting SaaS data, it is important to have a secure alternative access method to mission-critical data while the primary source is unavailable. For SaaS data, in particular, it is costly and cumbersome to maintain a fully redundant infrastructure for contingency purposes. Therefore, it is advisable to maintain routine backups on an independent system that can be accessed securely while problems are resolved. It is also crucial to have forensic capabilities to determine the account involved and the data impacted, as well as having the mechanisms to restore data quickly and precisely. 

6) Legal Obligations: Understand Regulatory Reporting, Patient Notification, and Lawsuits

Healthcare providers are required by law to perform certain actions after experiencing a data breach. For instance, the HIPAA Breach Notification Rule includes notification of impacted individuals, informing Health & Human Services (HHS), and, under certain circumstances, publishing a press release for prominent media outlets, all within 60 days of discovering the breach. These notifications can be challenging in the best of times, but even more so when the required information is not easily accessible. Having a third-party backup accessible for such purposes can be a lifesaver.

New regulations are taking an evidence-based approach, demanding documentation to ensure the efficacy of a cybersecurity program and also provide accountability and transparency for hospitals. To meet these regular reporting obligations in a timely and cost-effective manner, it is important for healthcare providers to implement technical solutions that streamline the process.

Healthcare providers also must expect lawsuits claiming negligence and that stronger security measures should have been in place. Being able to show that data protection measures, such as least-privilege access and encryption of stored data, were in place can help rebut such claims. Specialized solutions are needed to implement such protections in SaaS environments efficiently and effectively. Own Secure for Salesforce provides evidence of progress with an exportable PDF report that provides an overview of the current state in terms of SaaS data hygiene, protection, and risk.

Failure to meet legal obligations or respond to patient lawsuits can result in additional liability.

The Importance of a Data-centric Security Approach

Ultimately, a determined hacker only has to find one technical vulnerability or a single employee susceptible to social engineering to gain unauthorized access. Even large institutions with the necessary resources to invest continuously in cybersecurity have been victimized by major cyber attacks. 

Healthcare organizations that take a data-centric approach to securing mission-critical information in the cloud significantly reduce their risk. Top players in healthcare like CVS Health, McKesson, Cardinal Health, and Anthem have already taken steps to bolster their security profile and meet the rapidly increasing risks of data threats. 

For organizations looking to reinforce their data security in the cloud, it is important to consider providers that offer proactive data security tools, including third-party backups, rapid precise data recovery, data classification capabilities, encryption facilitation, security insights, risk assessments, monitoring and alerting, data retention, reports for auditors, and more. Ensuring your healthcare organization’s security is not a one-size-fits-all approach, so having solutions with strong recovery abilities that can easily streamline compliance and reporting with HIPAA, GDPR, and new cybersecurity regulations can help protect an organization as threats become more prominent and attackers become more sophisticated. 

Eoghan Casey
VP of Cybersecurity Strategy & Product Development at Own

Eoghan is VP of Cybersecurity Strategy & Product Development at Own, and is an internationally recognized expert in cyber risk mitigation and digital forensic investigation. At Own, he creates innovative solutions for SaaS data protection and security analytics, including AI-driven activity anomaly detection and ransomware readiness solutions. As Chief Scientist of the DoD Cyber Crime Center, he was responsible for innovation, strategic collaborations, and advancing standards and practices. He has contributed to development of advanced capabilities for extracting and analyzing digital evidence, including DC3 SQLite Dissect and DC3 Advanced Carver (Patent no. 16/014067). He is cofounder of the Cyber Domain Ontology (CDO), an international open source Linux Foundation community project to advance interoperability and intelligent analysis across the cyber domain. Eoghan has a PhD in Computer Science from University College Dublin, a Masters of Educational Communication & Technology from New York University, and a B.S. in Mechanical Engineering from University of California, Berkeley.