Artificial intelligence (AI), which includes the fields of machine learning, natural language processing, and robotics, can be applied to almost any field in medicine, and its potential contributions to medical education and delivery of health care seem limitless. Nonetheless, using this powerful technology requires healthcare executives to rethink their approach to security and compliance.
As with any new technology, healthcare IT organizations need to prepare to handle new risks, more sophisticated cybersecurity threats, and a more stringent regulatory environment. This white paper provides an overview of the best tactics to safeguard ePHI, manage risk, and meet compliance requirements, so that healthcare organizations can properly assess technology vendors and safely use cloud-based AI software and applications.
New Standard of Security Practices for AI Vendors
Adding any new technology, such as AI, elevates the potential for security breaches. Covered entities need technical vendors that offer multi-layer security frameworks with physical and technical safeguards enforced by stringent administrative policies. To successfully manage risk and meet compliance requirements now and in the future, hospitals should look for technology partners that hold the appropriate compliance and security certifications, especially SOC 2 certification.
Checklist: Certifications, accreditations and frameworks your vendors should have:
- Health Insurance Portability and Accountability Act (HIPAA) Risk Assessment and Attestation
- Cloud Security Alliance Self-Assessment Level 1
- International Organization for Standardization (ISO) 22301:2012 (Business continuity management systems)
- International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27001:2013 (Information security management systems)
- International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27017:2015 (Code of practice for information security controls based on ISO/IEC 27002 for cloud services)
- International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27018:2019 (Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
- International Organization for Standardization (ISO) 27799:2016 (Information security management in health using ISO/IEC 27002)
- AICPA Service Organization Control (SOC) 2 Type II Report (covers Security, Privacy, Availability, Confidentiality and Processing Integrity)
- Amazon Web Services Well-Architected Framework or an equivalent
Secure Your Data and Connectivity
Healthcare organizations are required to ensure patient and organizational data complies with ever-changing standards and regulations. When selecting an AI software provider, hospitals should select a solution that automatically identifies and protects sensitive information, and prevents its disclosure. Below are some additional best practices healthcare organizations should consider in their software vendor assessment:
- Connections to patient data must be secure. Use a vendor with a built-in patient data de-identification process that follows the HIPAA Privacy Rule.
- The application or software solution should have a direct connection to the cloud and provide IPsec VPN support.
- Encrypt all ePHI at rest and in transit in line with NIST guidance.
- Automatic logoff after a defined period of inactivity should be implemented on every workstation with access to ePHI.
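The first item above calls for de-identification that follows the HIPAA Privacy Rule. The block below is an added example, not code from the white paper or any vendor, showing a minimal Safe Harbor pass over a constructed patient record: direct identifiers are dropped, dates are reduced to the year, ZIP codes to three digits, and ages of 90 and over are aggregated. The field names and the restricted ZIP prefix set are assumptions (placeholders, not the current Census list).

```python
"""Added example: minimal HIPAA Safe Harbor de-identification of a flat record.
Assumed schema and a constructed placeholder set of restricted ZIP3 prefixes."""
from datetime import date

# Direct identifiers removed outright (subset of the Safe Harbor list;
# field names are assumptions about the source schema).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "street",
                      "ip_address", "device_id", "account_number"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
# Placeholder: 3-digit ZIP areas with 20,000 or fewer people must become "000".
RESTRICTED_ZIP3 = {"036", "059", "102"}  # constructed, not the real list


def safe_harbor_zip(zip_code: str) -> str:
    """Keep the first three digits, or '000' for low-population areas."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def safe_harbor_age(dob: date, as_of: date) -> str:
    """Ages over 89 are aggregated into a single '90+' category."""
    had_birthday = (as_of.month, as_of.day) >= (dob.month, dob.day)
    age = as_of.year - dob.year - (0 if had_birthday else 1)
    return "90+" if age >= 90 else str(age)


def deidentify(record: dict, as_of: date) -> dict:
    """Return a new record with Safe Harbor identifiers removed or generalized.
    Note: free-text fields are passed through; they need separate scrubbing."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if key == "dob":
            out["age"] = safe_harbor_age(value, as_of)  # birth date not kept
        elif key in DATE_FIELDS:
            out[key] = str(value.year)  # all date elements except year removed
        elif key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        else:
            out[key] = value
    return out


# Constructed sample record for a stand-alone run.
SAMPLE = {"name": "Jane Doe", "mrn": "000123", "dob": date(1929, 5, 1),
          "zip": "03601", "admit_date": date(2019, 3, 2), "diagnosis": "J18.9"}

if __name__ == "__main__":
    print(deidentify(SAMPLE, date(2019, 9, 30)))
```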
Protect Your Database
Healthcare organizations should already have secure databases in order to be compliant. However, when deploying new technology, hospitals should monitor their servers, whether physical or virtual. If a server is breached, not only can data be exfiltrated, but malware can also be introduced to tamper with the data an AI program uses to make decisions.
Require Authentication and Role-based Limitations
Healthcare organizations need to select AI software or applications that allow for role-based limitations. Insider breaches are twice as expensive and damaging as external breaches. These risks aren’t limited to employees; they can include any person given access to networks and accounts. Organizations often overlook around 75% of such threats.
AI software and applications should require two-factor authentication for users, and hospitals should grant access only on a need-to-know basis according to the principle of least privilege (POLP). If employees don’t need administrative access, they shouldn’t have it. If the application doesn’t allow for different levels of permissions, select another vendor.
The healthcare industry struggled publicly with cybersecurity in 2018, with 8.7 million records breached in just the first nine months. Massive breaches and phishing attacks have illuminated the need for organizations to take both basic and advanced security precautions. As AI solutions gain popularity and data become more plentiful, take the recommended steps to protect ePHI.
Monitor and Test For Cyber Threats
An AI technology provider should regularly conduct threat modeling and penetration testing to pinpoint and mitigate current threats. These tests identify exploitable vulnerabilities and potential entry points into networks, applications, and devices. Healthcare organizations should select a vendor that regularly conducts these exercises to effectively address and correct existing weaknesses. AI software vendors should also perform monitoring through multi-tiered security audits that include security checks, security reviews, application and infrastructure vulnerability assessment scans, and third-party patching.
Establish Physical Safeguards
Physical safeguards are just as important as cybersecurity best practices. Below is a list of best practices that healthcare organizations should follow:
- Control data center access by tracking the specific individuals who have physical access to data storage: not just engineers, but also repair people and even custodians. Establish a procedure that describes how screens should be shielded from onlookers at a distance.
- Delineate proper workstation use and limit which workstations can access health data. Implement a mobile device management (MDM) solution in order to remove data before a device is reassigned to another user and to remotely wipe a lost or stolen device.
Enforce Administrative Safeguards
The safest and most diligent practice to protect ePHI is to ensure that the same policies, risk management, safeguards, and ongoing compliance governance standards are followed no matter where ePHI resides. This means that Covered Entities and Business Associates need to fully embrace complete responsibility for ePHI. Below are best practices to implement:
- Conduct comprehensive risk assessments for all health data. Risk assessments should be performed at regular intervals and include new ways to reduce the risks to an appropriate level.
- Educate and train all employees and business associates at least twice a year on ePHI access protocols, HIPAA requirements, cybersecurity, and how to recognize potential phishing attacks. Recommended training includes HIPAA, HITECH, Omnibus, Texas HB 300, and the Confidentiality of Medical Information Act (CMIA).
- Build contingencies. Always be prepared to respond to and recover from disruptive incidents if and when they arise. Periodically test contingency plans for all key software.
- Monitor access given to third parties. Be certain that parties that haven’t been granted access, such as subcontractors, can’t view ePHI. Make sure to sign Business Associate Agreements (BAAs) with all partners.
- Train the Incident Response Team to recognize, respond to, and document security incidents according to the required policies and procedures. Security incidents can often be stopped internally before data is breached.
- Establish a written procedure outlining the protocol for accessing ePHI in the event of an emergency, including policies around who needs access and possible ways to gain access. This should be part of your disaster recovery plan.
AI technology offers the opportunity to improve the efficiency of healthcare delivery and the quality of patient care. However, with the evolution of a more data-driven, mobile, and collaborative environment come new vulnerabilities, security issues, and increased regulation. To thrive in this privacy-focused industry, healthcare organizations need a unified business and technology strategy that balances IT digital transformation, data, and security to minimize risk and enable a strong compliance posture. AI software vendors under evaluation must meet or exceed regulatory compliance needs, incorporate a process that reduces compliance risk, and serve as trusted stewards of sensitive health data. With careful planning, a thorough assessment, and the right selection of processes and services, healthcare organizations can reap the benefits of AI while simplifying their privacy, security, and compliance journey.
- It is best practice to hire AI cloud technology vendors that hold the highest standard of security certifications and accreditations.
- As technology advances, so do cyber threats. Healthcare organizations should ensure their security and compliance practices are updated to meet the needs of implementing artificial intelligence.
- All employees and business associates should be trained on ePHI access protocols, HIPAA requirements, and cybersecurity, and above all on how to recognize potential phishing attacks. Administrative safeguards are just as important as technical and physical controls.