What Do Healthcare Providers Need to Know About CMMC Compliance?


The last several years have seen healthcare organizations become prime cyberattack targets. That’s unsurprising, given the vast amount of sensitive patient data they hold and the urgency of their operations. The industry’s rapid adoption of digital technologies like electronic health records (EHRs) and IoT devices also expands the attack surface, providing more entry points for cybercriminals.

HIPAA generally covers the framework for protecting against these evolving threats, but the latest CMMC regulations will add another layer of compliance requirements for certain applications.

What Is the CMMC?

The Cybersecurity Maturity Model Certification is a specialized program developed by the Department of Defense (DoD) for its contractors and subcontractors. It establishes assessment mechanisms to verify compliance with cybersecurity requirements for protecting sensitive data, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The CMMC framework draws on established cybersecurity best practices, including the National Institute of Standards and Technology (NIST) SP 800-171 and SP 800-172 standards.

Prior to the introduction of the CMMC, defense contractors certified the security of their own digital information systems. While they remain responsible for implementing cybersecurity controls, CMMC regulations require additional assessments and supplementary safeguards to ensure compliance.

What Are the 3 Levels of CMMC?

The latest CMMC framework mandates three cybersecurity maturity levels for organizations based on the classification and confidentiality of the information involved.

  • Level 1: This level requires contractors dealing with FCI to conduct yearly self-assessments on 15 cybersecurity controls as outlined by Federal Acquisition Regulation (FAR) standards.
  • Level 2: This level deals with contractors working with CUI data, requiring them to undergo assessments on 110 controls based on NIST regulations once every three years. Around 95% of these evaluations are conducted by qualified third parties, known as CMMC Third Party Assessor Organizations (C3PAOs).
  • Level 3: This level enforces proactive methods to meet expert cyber hygiene requirements for contractors with access to CUI and working on high-priority programs.

How Does CMMC Compliance Apply to Healthcare Providers?

With the emergence of CMMC 2.0, healthcare providers in the defense industry must meet its compliance requirements to keep working with the DoD. The same is true for defense contractors in the healthcare industry.

By becoming CMMC compliant, these organizations demonstrate their commitment to safeguarding confidential information and mitigating exposure to the evolving cyber risk landscape.

Protected Health Information (PHI) May Fall Under CUI

HIPAA guidelines already protect PHI, but under a DoD contract, this data also falls within the scope of CUI and is, therefore, subject to CMMC compliance. These additional regulations further mitigate the risk and impact of unauthorized disclosures of patient information, medical research and related clinical trials.

Why isn’t HIPAA compliance good enough? Both frameworks focus on maintaining the integrity and confidentiality of protected information, but CMMC standards are necessary due to the privileged nature of the CUI involved. Any information involving U.S. defense personnel’s health or biomedical research for national security purposes must be protected under federal regulations.

CMMC Compliance for Enhanced Healthcare Cybersecurity

Whether or not they work with the DoD, healthcare providers should strive for at least Level 2 CMMC compliance. Allowing triennial C3PAO assessments of their security infrastructure adds a further layer of defense against the increasing rate of sophisticated cyberattacks. In 2023, the healthcare industry recorded the most expensive cybersecurity incidents, at an average of $10.92 million per breach.

Adopting CMMC would enhance data management and free up resources to scale the adoption of automation technologies that improve healthcare delivery. For instance, remote patients might feel more open to telemedicine if they knew advanced DoD-mandated practices and evaluations protected their data.

Compliance also fosters a culture of continual improvement in cybersecurity practices because CMMC guidelines require organizations to assess their security posture regularly.

4 Tips for Meeting CMMC Requirements

Although Level 3 final rules are yet to be established, healthcare agencies with DoD contracts must begin working toward CMMC compliance early, as the process can be lengthy. These tips can help medical organizations prepare to meet the requirements.

1. Perform a Top-Down Security Audit

Achieving Level 1 CMMC compliance involves adherence to 17 best practices, most of which healthcare providers already implement as part of their own data management protocols. Conducting a systematic review of the framework will reveal what areas to focus on to accelerate accreditation.

Level 2 compliance involves a broader set of controls and mandatory assessments. Self-evaluations are essential to meeting these requirements. This should include a review of the current cybersecurity profile, including access control measures and incident response capabilities.

2. Find a C3PAO

According to recent reports, there are only 171 CMMC-accredited assessors in the country that can perform third-party assessments. That’s not nearly enough to accommodate the growing demand for assessing healthcare providers’ compliance with the CMMC framework across the industry. As such, institutions may need to begin the C3PAO selection process early to get ahead of potential delays.

3. Plan for the CMMC Compliance Costs

Achieving CMMC compliance can be an expensive process. The DoD estimates it would cost a small entity around $101,752 to support a Level 2 CMMC assessment and affirmation. That means healthcare organizations must account for the financial implications of both initial costs and recurring expenses when planning their budgets.

4. Prepare for Ongoing Reviews

Maintaining compliance is an ongoing endeavor, marked by re-certification and monitoring requirements ranging from annual self-assessments to triennial C3PAO audits. Medical institutions must prepare for these requirements and work them into their operations.

Achieve CMMC Compliance in Healthcare

As the healthcare industry endures sustained cyberattacks, CMMC 2.0 compliance is fast becoming a strategic security imperative, even for contracts without DoD involvement. By embracing the standards and implementing ongoing assessments, organizations can enhance sensitive data security and foster a culture of continuous improvement.


By Zac Amos, rehack.com