AAMI: Cybersecurity standards help manage IT risks

cybersecurity2
AAMI's 80001 standards are designed to improve safety, effectiveness, and data and systems security.

As healthcare organizations face a growing number of cybersecurity risks—both in quantity and severity—executives need to rely on established standards to mitigate potential safety concerns and protect against data loss.

A series of voluntary consensus standards developed by the Association for the Advancement of Medical Instrumentation (AAMI)—known as the 80001 standards—provide hospitals with a framework for protecting their institution against potentially devastating cybersecurity attacks, according to a report by AAMI, which highlighted several institutions that used the standards to identify and secure gaps in their system.

As health systems integrate more technology into the everyday workflow, they also open themselves up to breaches that could compromise patient health information (PHI) or lead to patient harm. Beyond cybersecurity concerns, ineffective or inefficient implementation of healthcare technology leads to clinician frustration and medical errors.

RELATED: Despite financial obstacles, healthcare leaders need to go all-in on cybersecurity

AAMI argues that the 80001 standards can help close those gaps, and points to systems like Scripps Health that have used the standards to plug holes in their risk management plan.

“We modified about half a dozen policies we already had in place to include 80001," Scot Copeland, clinical systems specialist at Scripps Health, said in the report. "We put them into a framework that would address the three key properties of safety, effectiveness, and data and system security. Basically, we folded medical device security and functions into existing IT security processes.”

Recently, the National Institute of Standards and Technology (NIST) updated its framework to include cybersecurity metrics along with considerations for supply chain risk management, adding to baseline recommendations released in 2014. Security experts have also advocated for health systems to conduct a self-assessment on top of the periodic risk analysis required under HIPAA.