The most important strategic security program decision that the organization can make is the framework that the organization adopts for its cyber-security and compliance program. This is the crux of a recent blog by Michael Frederick, VP of Operations, HITRUST.

Every board member and senior executive should know and understand the answers to the five questions in this blog.

How do we know our program meets the reasonable standard?

Black’s Law Dictionary defines a reasonable person as “an ordinary person who exercises care while avoiding extremes of boldness and carefulness.” Applied to healthcare, the standard of care is the type and level of care that an ordinary, prudent healthcare professional with the same training and experience would provide under similar circumstances in the same community.

Once connected to the internet, an organization becomes part of a global community. Once an organization chooses applications that run on a particular platform or database, it becomes part of the community that operates the same platform and database. In the simplest terms, a Linux host operates the same way for a bank, an airline, and a healthcare provider. The information of value may differ, but the threats to that host and the safeguards for it are largely the same.

The next element is “ordinary and prudent,” and there are two ways to meet it. First, you can do what you yourself deem appropriate; in that case, you must be prepared to demonstrate how you concluded that your actions and inactions were prudent. Second, and usually the more cost-effective approach, you can adopt the safeguards and take the actions that others in your circumstances take.

How do we ensure it considers all anticipated threats?

The HIPAA Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI.

  1. An organization may decide to determine this on its own by staffing a department that identifies, analyzes, and prioritizes threats.
  2. An organization may instead adopt a framework that incorporates threat analysis and is updated over time to reflect prevailing and emerging threats.

For organizations that are resource-constrained when it comes to security, lack the required in-house expertise, or are simply looking to maximize their current security investments, the second option is usually the most cost-effective way to go. It also lets organizations ensure that the threat picture is refreshed periodically as part of framework maintenance.

How do we know third parties meet the same level of security we use?

No organization does business in a vacuum. Every organization has business partners and third parties with which it shares information. Once an organization has answered the first two questions and defined its program accordingly, it has a responsibility to ensure that the information it shares is protected in a like manner.

Rather than auditing each partner yourself, one approach is to rely upon an attestation or third-party assessment. This is more cost-effective, since you do not need to staff for audits. It also provides more consistent and comparable comfort from one party to the next, especially when every party is assessed against the same third-party assurance standard.

What level of assurance do we require?

Assurance level is about how much you can rely on the results. Varying levels of assurance can be obtained, listed here from highest to lowest:

  1. An assessment or questionnaire validated by an independent third party and certified by that party as meeting a defined standard.
  2. An assessment or questionnaire with some validation by an independent resource.
  3. A self-assessment or self-reported questionnaire that is never vetted for correctness.

When determining the level of assurance required, an organization should consider several factors including, but not limited to:

  • Type of information exchanged
  • Volume of information exchanged
  • Nature of the business relationship

How much do we spend maintaining our program and ensuring compliance?

The final question that should be asked is: based on the answers to the previous four questions, what is this costing us? Things to consider when answering this are:

  • Do we maintain teams of experts to ensure we are identifying and addressing anticipated threats? If so, with how many people and at what cost?
  • Do we create and maintain our own standards? If so, how many resources and at what cost?
  • Do we validate our business partner and third-party security posture? If so, how? To what level of assurance? Is this good enough? What resources are spent in this regard?

One of the realities of security is that there is a shortage of qualified professionals in the market today. They therefore command a premium, and building a team of them is expensive in terms of locating, hiring, and retaining them, which makes performing many of these functions internally costly. There are solutions in the market aimed at alleviating some of this pressure and cost.

Since the release of the HIPAA Security Rule, healthcare organizations have struggled to comply. HIPAA is subjective, which makes it difficult to apply and open to interpretation. Because HIPAA is a federal mandate that must nonetheless be met, organizations have looked to other standards such as ISO, NIST, CORE, and COBIT for concrete guidance. But with the continually expanding scope of requirements applicable to healthcare—HIPAA Omnibus / Breach Notification, Meaningful Use, state requirements such as those of Texas, Massachusetts, or Nevada, and many others—relying on any single one of those standards is becoming impractical.

Now the validation and proof come in the form of a HITRUST CSF Certification. HITRUST is an industry-driven program creating a prescriptive, standardized, repeatable compliance framework all organizations in healthcare can trust.

The bottom line for senior executives is to select a framework that is robust, scalable, and mature. The HITRUST CSF is all of that, and it is prescriptive in its requirements. That prescriptiveness matters because it allows the enterprise cyber-security program to be actively measured and monitored on a continual basis.