Because of the nature and sensitivity of patient data, healthcare is known as one of the most targeted industries for cyberattacks. Healthcare organizations reported the highest number of ransomware attacks among the 16 industries classified as critical U.S. infrastructure last year, according to the 2023 FBI report on Internet crime.
These security vulnerabilities across the industry are becoming more pronounced as healthcare organizations increasingly collaborate with the Department of Defense (DoD). Because DoD healthcare contractors may access protected, sensitive government data and electronic personal health information (ePHI), they require a higher level of cybersecurity maturity. In many cases, that also means a new compliance requirement — the Cybersecurity Maturity Model Certification (CMMC) program.
So, what exactly is CMMC, and why does it matter for your healthcare organization? This blog breaks down CMMC fundamentals and delves into its implications for healthcare data security.
What is CMMC, and Why Is It Important?
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a Department of Defense (DoD) initiative created to safeguard sensitive information within the Defense Industrial Base (DIB). While it focuses primarily on contractors and subcontractors that access sensitive government data called controlled unclassified information (CUI), some requirements also apply to organizations that handle less-sensitive federal contract information (FCI).
The program’s beginnings date back to 2009, when a nation-state actor launched a cyber breach that resulted in the theft of sensitive government information about the F35 fighter jet. This prompted the DoD to initiate requirements for basic cybersecurity controls for any agency that stores, processes, or transmits FCI or CUI.
By the end of 2017, the DoD required all DIB contractors to abide by the DFARS 7012 rule, aligning cybersecurity compliance requirements with NIST 800-171. Unfortunately, it became apparent relatively quickly there were widespread compliance issues and lingering cybersecurity vulnerabilities among DoD contractors. That kick-started the CMMC program in 2019. The DoD released a CMMC v1.0 in 2021.
The updated and forthcoming CMMC v2.0 mandates that any organization that stores, processes, or transmits CUI in connection with a DoD contract must achieve one of three CMMC Levels, with most organizations needing a Level two. A CMMC 3rd Party Assessment Organization (C3PAO) must verify Levels two and three.
While CMMC 2.0 primarily focuses on the defense industry, it also applies to healthcare organizations that handle CUI, such as those providing healthcare services or conducting research for the military.
What are the CMMC compliance levels?
CMMC has three levels:
- Level 1 requires basic cyber hygiene practices to protect FCI.
- Level 2 requires implementing all 110 security controls from NIST SP 800-171 to safeguard CUI.
- Level 3 requires additional controls and practices to mitigate advanced persistent threats (APTs) against CUI.
How is CMMC Different from Other Cybersecurity Frameworks?
While frameworks like the 405(d) Health Industry Cybersecurity Practices define security and privacy standards for healthcare, CMMC takes a more specific and detailed approach to cybersecurity controls.
Enforcement of CMMC is different, too. CMMC is a contractual requirement. Non-compliance can lead to loss of DoD contracts and potential fines. In contrast, other frameworks may have varying enforcement measures, from regulatory oversight to significant fines and penalties.
CMMC also demands a more granular and verifiable implementation of cybersecurity practices compared to the flexibility of other frameworks, which often prioritize outcomes and risk management over specific controls.
Why is CMMC Important for Healthcare Organizations?
The increasing frequency of cyberattacks against healthcare underscores the need for robust cybersecurity measures. CMMC directly addresses this, even for organizations that may not consider themselves part of the traditional defense industry (for example, third-party vendors or those who offer patient care for military families and veterans).
CMMC compliance is more than just avoiding potential penalties, and it’s not focused only on ePHI like HIPAA. It’s more encompassing and has measures to ensure your organization safeguards both patient and government data.
CMMC Implementation Timeline
CMMC (32 CFR ) went through a public comment period that started in December 2023 and closed in February 2024. The DoD had to adjudicate more than 2,000 public comments before sending the rule back to the Office for Information and Regulatory Affairs (OIRA) for final review.
The DoD aims to have congressional approval by October or November 2024. When that happens, the rule will go into effect immediately and have multiple implementation phases.
- The first phase involves Level 1 attestations for organizations dealing with FCI.
- These organizations must comply with 17 of NIST 800-171’s 110 requirements and can self-attest.
- For everyone else, especially those with the DFARS 7012 clause, it’s Level 2 compliance. In instances of more complex and sensitive contracts, it’s Level 3. Both require assessments and certification from approved C3PAOs, although in some limited cases, self-attestation for Level 2 may be permitted.
For hospitals, CMMC applicability hinges on the nature of DoD contracts. If a hospital handles CUI, such as providing healthcare services to veterans or military families, they’ll likely fall under Level 2 compliance. This further underscores the importance of proactive preparation for CMMC compliance before implementation.
Once these rules are in place, any healthcare organization with a prime contract must comply with CMMC certification at the appropriate level based on data sensitivity.
CMMC also impacts external service providers and subcontractors, including cloud service providers (CSPs) and managed service providers (MSPs). If your organization uses these providers, you must ensure they meet specific CMMC standards. CSPs should be FedRAMP Moderate or equivalent. MSPs and managed security services providers (MSSPs) must undergo CMMC certification at the same level as your organization. This emphasizes the importance of CMMC compliance extending throughout your entire supply chain.
CMMC in Action: The Christus Health Journey
What does CMMC prep look like in a real-world healthcare environment?
Christus Health has more than 63 hospitals and 600 additional care locations across the U.S. and Latin America. The company’s need for CMMC compliance arises from its subsidiary, U.S. Family Health Plan (USFHP), which provides healthcare services to the military through the Tricare program. This connection to the DoD necessitates Christus Health’s adherence to CMMC compliance.
When Dave Duclos, system director, and deputy CISO, joined Christus Health eight years ago, he recognized a need for improvement in the organization’s cybersecurity maturity. Duclos and other organizational stakeholders assessed existing frameworks and created a matrix linking Christus Health’s core policies to those frameworks. This approach facilitated buy-in across the organization and set a foundation for its CMMC journey.
Christus Health’s partnership with Clearwater and Redspin was pivotal in its CMMC progress. Clearwater’s expertise contributed to overall cybersecurity maturity. Its division, Redspin, provided specific CMMC compliance guidance and assisted in improving documentation, refining processes, and gaining a deeper understanding of DoD requirements.
Additionally, Christus Health actively engaged in networking and collaboration within the CMMC ecosystem and healthcare sector. This collaborative approach, focused on documentation and continuous improvement, enabled the organization to make significant CMMC strides.
Does My Healthcare Organization Need CMMC?
Your healthcare organization likely needs CMMC certification if you have DoD contracts, especially if those contracts involve handling CUI or reference NIST 801-171 or DFARS 7012.
7 Strategies and Best Practices to Prepare for CMMC Compliance
Although not enforced yet, your organization should prioritize CMMC compliance to avoid rushed implementation and potential disruptions. Some CMMC requirements may already appear in new DoD requests for proposals (RFPs) and requests for information (RFIs). Moreover, proactive compliance may provide a competitive advantage in securing DoD contracts.
Here are seven steps you can take right now to prepare for CMMC, even before the enforcement deadline:
- Assess and scope: Begin by determining if CMMC certification is necessary. Evaluate existing DoD contracts, identify data types (CUI or FCI), and scope your environment to determine where this data resides. If your organization has research teams, don’t forget to check there. These can often get overlooked.
- Leverage existing frameworks: Use experience with other compliance standards and frameworks, such as HIPAA, PCI, and the NIST Cybersecurity Framework, as a foundation for CMMC compliance. They can streamline your processes and ensure a more comprehensive approach.
- Collaborate: Foster partnerships between departments, such as legal, operations, finance, compliance, and privacy teams. This ensures a holistic approach to CMMC implementation and embeds security into all parts of your organization.
- Build external partnerships: Engage with subject matter experts and trusted partners like Clearwater and Redspin. With specialized knowledge and experience, they can help you navigate CMMC complexities, conduct assessments, and improve documentation and processes.
- Conduct a self-assessment: Utilize resources such as the Redspin CMMC implementation checklist or org templates to evaluate your current cybersecurity posture against the CMMC requirements. This will help identify gaps and prioritize areas for improvement.
- Prioritize documentation: Focus on developing and maintaining thorough documentation to demonstrate compliance with CMMC requirements. Implement continuous improvement processes to adapt to evolving threats and CMMC changes.
- Foster external relationships: Actively participate in industry events and forums to exchange knowledge, best practices, and lessons learned with peers and experts.
Maintaining CMMC Certification and Beyond
Achieving CMMC certification is a milestone, but it’s not the end of your journey. Once you obtain certification, you’ll still have ongoing requirements.
- If you’re a Level 1, you will have to self-attest annually.
- Level 2 and Level 3 will need a certified third-party assessment and recertification every three years.
Here are five steps to help your organization maintain compliance and mature your practices:
- Focus on internal program management and training.
- Designate personnel to oversee your CMMC program and provide them with comprehensive training such as the CMMC Certified Professional (CCP) This equips them with the knowledge and skills to effectively manage the program, interpret DoD requirements, and keep your organization on track for future assessments.
- Proactively prepare for future updates.
- Stay informed about revisions to NIST 800-171 and other relevant standards. Begin incorporating these changes into your cybersecurity program early to ensure a smooth transition and avoid last-minute compliance challenges.
- Stay abreast of evolving CMMC requirements. Leverage resources such as:
- Redspin’s LinkedIn page
- Cyber AB website
- DoD CUI site
- CMMC Connect sessions
- Attend CMMC conferences and events
- Regularly review and update security policies, procedures, and documentation.
- Continuously monitor and assess your cybersecurity posture to proactively identify and address vulnerabilities.
Contact Clearwater today to learn how in collaboration with Redspin, we can help your organization navigate the complexities of CMMC compliance. Together, we’ll support you in engaging your board and executives in meaningful cybersecurity discussions, aligning your strategies with CMMC requirements, and implementing effective solutions to safeguard your data and ensure that your mission-critical operations remain secure and compliant.
