CMS ARS: A Blueprint for US Healthcare Data Security and Compliance

Protecting sensitive patient information is more critical than ever. With technologies evolving at a breakneck pace and the number of cyber threats targeting healthcare entities in the United States skyrocketing, healthcare organizations must have robust policies and guardrails in place to ensure patients’ confidential information doesn’t fall into the wrong hands.
One of the essential frameworks for ensuring data security and privacy is the Centers for Medicare & Medicaid Services Acceptable Risk Safeguards (CMS ARS).
Released in January 2022, the CMS ARS provides a standardized approach to help healthcare businesses assess and mitigate risks to their data, systems, and operations. The safeguards were designed to ensure that Medicare, Medicaid, and other healthcare-related entities comply with security requirements, protect patients’ privacy, and maintain compliance with federal standards.
Balancing Risks Without Overburdening Healthcare Firms
The CMS ARS is part of a larger effort to ensure compliance with privacy and security regulations, such as the Health Insurance Portability and Accountability Act (HIPAA). The overarching goal of CMS ARS is to lay out a balanced framework for identifying, evaluating, and mitigating security risks without overburdening healthcare entities.
The CMS ARS is built upon the guidelines set forth in NIST SP 800-53 and defines a baseline of minimum information security and privacy assurance specifically tailored for CMS’s operational environment to ensure that CMS systems meet federal standards and adhere to healthcare-specific regulations concerning protected health information (PHI).
The safeguards focus on identifying potential risks to information security and privacy and ensuring that adequate mechanisms are implemented to bring those risks down to an acceptable level. This helps healthcare firms focus on risk management processes that are proportionate to the threats they face.
Healthcare in the Crosshairs
The implementation of CMS ARS is key for keeping private healthcare data confidential, unaltered, and available. Considering the highly confidential nature of the information handled by Medicare, Medicaid, and other healthcare systems, there is an ongoing threat from cyberattacks and data breaches.
In fact, in 2023, a staggering 725 data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), and across those breaches, over 133 million records were exposed or disclosed without permission. In the same year, over 11% of healthcare providers in the US reported a ransomware encounter.
By following the CMS ARS, healthcare businesses can proactively manage risks by setting out guidelines to evaluate potential vulnerabilities and implement security measures that align with regulatory requirements. In this way, CMS ARS acts as an overarching framework for securing data and seeing that healthcare providers can carry on offering services without disruptions caused by cyber incidents.
A $22M Wake-up Call
One need only think of the Change Healthcare data breach to realize the devastating impact a cyberattack can have on the healthcare industry—disrupting patient care, delaying reimbursements, and exposing sensitive data such as personal and payment information.
With the ALPHV/BlackCat ransomware group claiming to have exfiltrated 6TB of data and another group, RansomHub, attempting further extortion, this incident is a perfect example of the growing sophistication and persistence of malicious actors. Change Healthcare reportedly had to pony up a $22 million ransom, and this incident is a major wake-up call for any business involved in the healthcare sector to strengthen its security posture and follow the protocols laid out in standards such as the CMS ARS.
Had Change Healthcare heeded this advice, the incident might have been prevented, and the company could have avoided the far-reaching legal, economic, operational, and reputational consequences that it will undoubtedly still feel for some time.
Practical, Implementable Safeguards
The Centers for Medicare & Medicaid Services Acceptable Risk Safeguards are designed to be practical and implementable for healthcare organizations of various sizes and complexities. Some of the key components of CMS ARS include:
Risk Assessment: Firms must assess risks across multiple domains, including administrative, physical, and technical areas. Assessments need to consider the likelihood of threats and their potential effect on the confidentiality, integrity, and availability of information.
Security Controls: CMS ARS includes a thorough list of security controls to help mitigate identified risks, including measures such as encryption, access controls, and audit trails. All healthcare entities need to implement these controls.
Compliance with Federal Regulations: Another critical component of CMS ARS is the alignment with federal laws, as these safeguards make sure that healthcare organizations meet their legal obligations regarding patient data privacy and security.
Ongoing Monitoring and Review: CMS ARS requires healthcare organizations to monitor and review their risk management practices continuously. This ensures that the safeguards remain effective and responsive to evolving threats.
Incident Response and Recovery Plans: For the worst-case scenario, the CMS ARS outlines a risk mitigation strategy to help businesses respond effectively and recover quickly.
Boosting Data Security in Healthcare
As healthcare companies bring more and more new and emerging technologies into their operations, the importance of CMS ARS will only grow. The risk landscape in healthcare is fluid and dynamic, with new threats emerging every day. The CMS ARS framework equips businesses to handle current and future security challenges.
For instance, CMS ARS helps firms gain a level of operational maturity when it comes to data security and risk management. The guidelines were designed to make risk management efforts effective and in line with various regulations. This is particularly crucial in the healthcare sector, where trust and confidentiality are at the heart of maintaining patient relationships.
Dealing With Cybersecurity Challenges
The Centers for Medicare & Medicaid Services Acceptable Risk Safeguards are essential for protecting PHI and preventing disruptions to healthcare services. By following these guidelines, healthcare entities can mitigate risks, comply with federal regulations, and protect their patients’ privacy—all of which builds trust in a system that has received too much negative publicity recently.
Ongoing implementation and monitoring of CMS ARS are vital in a threat landscape that never stands still, helping companies deal with growing cybersecurity challenges while maintaining a secure environment for patient care.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.