Written by Michael Frederick, VP of Operations, HITRUST
As board members or senior executives, you are responsible for making governing decisions for all aspects of a business. Often times, a great deal of the areas may fall outside your realm of expertise. In the age where information drives business, one of these areas may be information security. This field is very complex and changes rapidly as adversaries stay one step ahead of technical control measures and threats evolve at an ever-increasing velocity. Couple this with a shortage of competent security professionals and you have an area that can leave a business exposed and its information at risk of breach and exploit.
The Board and Senior Management have a fiduciary responsibility to shareholders and customers to ensure they are appropriately managing these risks. The purpose of this article is to help educate Board and Senior Management members on questions they can ask of their security teams to better understand and ensure the risks are being managed in an appropriate manner. In this article, we will discuss five (5) questions that every Board member and Senior Executive should feel comfortable with the answers to. By doing so, you can gain better insight into whether your risk management program is functioning in an acceptable manner.
1. How do we know it meets the reasonable standard?
To answer this question, we must first understand the definition of reasonable. Reasonable is a legal standard of care that can be applied in regulatory and civil actions that may arise should a breach occur. It is often referred to as the “reasonable person” standard.
Black’s Law Dictionary defines it as “an ordinary person who exercises care while avoiding extremes of boldness and carefulness.”1 Often, in health care, we understand this in terms of malpractice claims. In these cases, the standard is the type and level of care an ordinary, prudent, healthcare professional with the same training and experience, would provide under similar circumstances in the same community. Let’s look at each of the elements of these definitions and how they would be met.
The first element to consider is community. What is a community? Within the healthcare industry, this is defined in several ways. One way is based on geographical location or jurisdiction. This makes sense as there are types of treatments that are available in Europe that have not been approved in the U.S. There are clinical trials that are approved for qualified populations that have not been approved for the general population. When it comes to technology; however, the same concepts do not apply. Once connected to the internet, an organization becomes part of a global community. Once an organization chooses applications that run on a particular platform or database, it becomes part of the community that operates
the same platform and database. In the simplest terms, a Linux host operates the same way for a bank, an airline, and a healthcare provider. The information of value may be different but the threats and safeguards are the same.
The next element is ordinary and prudent. How do you demonstrate what you are doing is ordinary or prudent? You have two options. First, you can do what you deem to be appropriate. In this case, you will need to be prepared to demonstrate how you arrived at the conclusion that your actions and/or inactions were prudent. This tends to be costly when faced with regulatory or civil actions because it requires organizations to build a case, most often leveraging expensive legal resources. Second, and usually the most cost-effective approach, you can adopt and take actions similar to others in your circumstances. This would be a de-facto prudence standard.
If we combined these two elements and apply them to a risk management program, an organization should be doing what a majority of other organizations are doing within their community. Keep in mind that community is based on technologies deployed and not industry or vertical within a given industry. It is the information of value that changes from industry to industry and vertical to vertical. The safeguards to protect against a threat do not vary. Where they are applied will based on where the information of value resides within a given enterprise.
2. How do we ensure it considers all anticipated threats?
The HIPAA Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI. Once again there are a couple of approaches an organization might take to meet this requirement.
First, an organization may decide to determine this on their own by staffing a department that identifies, analyzes, and prioritizes threats. This requires a team of highly qualified resources with access to an extensive set of intelligence tools. In addition, much like the approach to determining reasonableness, this may require an organization to make a case and justify each action and/or inaction. The result is a costlier approach for the same reasons as it was when justifying a program’s reasonableness – it requires a case be built in order to defend it.
On the other hand, an organization might take the approach of adopting a framework that incorporates a level of threat analysis and adapt itself, over time, to prevailing and emerging threats. The benefit of this approach is that it does not require a team of experts with access to an extensive set of intelligence tools. For organizations that are resource constrained when it comes to security, do not have the required in-house expertise, or are simply looking to maximize their current security investments, this is usually the most cost-effective way to go. This also allows organizations to ensure that threats are updated periodically as part of the framework.
3. How do we know our business partners and third parties meet the same standard we hold ourselves to?
No organization does business in a vacuum. Every organization has business partners and third parties that they share information with. Once an organization has the answer to the first two questions and has defined their program accordingly, they have a responsibility to ensure that the information they share is protected in a like manner. Keep in mind, your customers have entrusted their information to you. In their mind, the liability for a breach lies with you as the custodian of their information. Therefore, you will want to obtain certain assurances from your business partners and third parties as to how they protect the information that is shared with them.
Much as with the previous questions, there are numerous approaches. An organization can design its own set of standards and put mechanisms in place to ensure that business partners and third parties meet these standards. This will entail creating and maintaining some form of proprietary assessment questionnaire. This may also entail staffing an organization that can go out to business partners and third parties to audit them for compliance.
Another approach is to rely upon an attestation or third-party assessment. This is a bit more cost effective since you do not need to staff for audits. This will also allow for more consistent and common comfort from one party to another, especially if the same third-party assurance standard is obtained. The downside to this approach is that all third-party assessment reports are not equal. Organizations must pay close attention to what was assessed, what controls were included, and then map them back to their own security requirements. The only way around this is to ensure the assessment was specifically done against your standards or, in the best case, against a framework that your organization has already adopted or recognizes as a standard that meets your expectations and requirements of business partners and third parties.
4. What level of assurance do we require?
Assurance level deals with how well you can rely on the results. There are varying levels of assurance that can be obtained. At the lowest level is a self-assessment or self-reported questionnaire. This is essentially a self-graded exam in which the answers are never vetted for correctness. At a higher level is an assessment or questionnaire that has some validation by an independent resource. The highest level would be an assessment or questionnaire that has been validated by a third party and then certified as meeting a certain standard by a certifying body independent of the third party that performed the validation.
When determining the level of assurance required, an organization should consider several factors including, but not limited to:
- Type of information exchanged
- Volume of information exchanged
- Nature of the business relationship
5. How much do we spend maintaining our program and ensuring compliance?
The final question that should be asked is, based on the answers to the previous 4 questions, what is this costing us? Things to consider when answering this are:
- Do we maintain teams of experts to ensure we are identifying and addressing anticipated threats? If so, with how many people and at what cost?
- Do we create and maintain our own standards? If so, how many resources and at what cost?
- Do we validate our business partner and third-party security posture? If so, how? To what level of assurance? Is this good enough? What resources are spent in this regard?
One of the realities about security is that there is a shortage of qualified resources in the market today. This means that these resources command a premium on the job market and having a team of them is expensive in terms of locating, hiring and retaining them. This makes it more expensive to try to do many of these functions internally. There are solutions in the market aimed at alleviating some of this pressure and cost.
One that comes to mind is the HITRUST CSF. It is the most widely adopted framework in healthcare and other industries dealing with healthcare data that meets the reasonable standard. It is based on widely accepted guidance and practices that are built on threat analysis. In addition, it maintains its own intelligence mechanism that provides direct input to the framework. This means it does a reasonable job of ensuring it addresses anticipated threats. Further, the HITRUST CSF is mapped to every leading control framework, statutory regulation and federal regulation that most organizations need to ensure compliance with. Lastly, it is updated on a periodic basis to reflect changes in, or updates to, guidance, practices, control frameworks, standards and regulations that are included within the framework.
To support the HITRUST CSF, the HITRUST CSF Assurance program offers varying levels of assurance from a self-assessment all the way to a third-party Validated assessment with certification from a certifying body that is independent from the third party performing the validation, so it can meet your varying assurance-level needs. Many organizations use it to manage their business partners and third parties and to help ensure that they are meeting the same standards they define for themselves.
Lastly, the HITRUST CSF and HITRUST CSF Assurance Program tend to be the most cost-effective way of addressing these questions. Organizations do not have to maintain expertise to develop and map standards to threats and regulatory requirements. Organizations do not have to maintain expertise to review and audit business partners and third parties since they can rely on the completeness and consistency of the HITRUST CSF Report. Organizations do not have to incur the cost associated with updating their own standards to ensure they reflect the most recent threat landscape.
Most organizations want to do the right thing and protect information as if it were their own. All organizations are limited in the resources they can devote to that protection. However, when leveraging a framework and approach, such as that offered by HITRUST, it allows an organization to focus its resources in a more productive manner – on activities designed to reduce and manage risk, not measure it.
1 Law Dictionary: What is REASONABLE PERSON? definition of REASONABLE PERSON (Black’s Law Dictionary)