AAMI: Cybersecurity standards help manage IT risks

AAMI's 80001 standards are designed to improve safety, effectiveness, and data and systems security.

As healthcare organizations face a growing number of cybersecurity risks—both in quantity and severity—executives need to rely on established standards to mitigate potential safety concerns and protect against data loss.

A series of voluntary consensus standards developed by the Association for the Advancement of Medical Instrumentation (AAMI)—known as the 80001 standards—provides hospitals with a framework for protecting their institutions against potentially devastating cybersecurity attacks, according to a report by AAMI. The report highlighted several institutions that used the standards to identify and secure gaps in their systems.

As health systems integrate more technology into the everyday workflow, they also open themselves up to breaches that could compromise patient health information (PHI) or lead to patient harm. Beyond cybersecurity concerns, ineffective or inefficient implementation of healthcare technology leads to clinician frustration and medical errors.

AAMI argues that the 80001 standards can help close those gaps, and points to systems like Scripps Health that have used the standards to plug holes in their risk management plan.

“We modified about half a dozen policies we already had in place to include 80001,” Scot Copeland, clinical systems specialist at Scripps Health, said in the report. “We put them into a framework that would address the three key properties of safety, effectiveness, and data and system security. Basically, we folded medical device security and functions into existing IT security processes.”

Recently, the National Institute of Standards and Technology (NIST) updated its framework to include cybersecurity metrics along with considerations for supply chain risk management, adding to baseline recommendations released in 2014. Security experts have also advocated for health systems to conduct a self-assessment on top of the periodic risk analysis required under HIPAA.
