Cybersecurity Practices at Large Health Care Organizations

Large health care organizations perform a range of different functions. These organizations may be integrated with other health care delivery organizations, academic medical centers, insurers that provide health care coverage, clearinghouses, pharmaceuticals, or medical device manufacturers. In most cases, large organizations employ thousands of employees, maintain tens of thousands to hundreds of thousands of IT assets, and have intricate and complex digital ecosystems. Whereas smaller organizations operate using only a few critical systems, large organizations can have hundreds or thousands of interconnected systems with complex functionality.

The missions of large organizations are diverse and varied. They include providing standard general practice care, providing specialty or subspecialty care for complicated medical cases, conducting innovative medical research, providing insurance coverage to large populations of patients, supporting the health care delivery ecosystem, and supplying and researching new therapeutic treatments (such as drugs or medical devices). Large organizations have missions that are broad in scope, and large volumes of assets may be necessary to fulfill such missions. Even so, they often struggle to obtain funding to maintain security programs and to control their assets (potentially resulting in shadow IT, rogue devices, and unmanaged/unpatched devices). Therefore, it is essential for large organizations to understand how sensitive data flow in and out of the organization, and to understand the boundaries and segments that determine where one entity's responsibilities end and another's start.

Large organizations operate in a legal and regulatory environment that is as complicated as their digital ecosystems. It includes, but is not limited to, the following:
ONC Certified Electronic Health Information Technology interoperability standards
MACRA/Meaningful Use
Multiple obligations under the FDA
The Joint Commission accreditation processes
HIPAA/HITECH requirements
Minimum Acceptable Risk Standards for payers
State privacy and security rules
Federal Information Security Modernization Act requirements as incorporated into federal contracts and research grants through agencies such as the National Institutes of Health
Payment Card Industry Data Security Standard (PCI-DSS)
SAMHSA requirements
The Gramm-Leach-Bliley Act for financial processing
The Stark Law as it relates to providing services to affiliated organizations