Written by Uday Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), Member (FBI) InfraGard
The recent $650,000 fine on a business associate, the first ever imposed on a business associate, was the result of the theft of an unencrypted smartphone that exposed information on 412 patients. A two-year corrective action plan (CAP) included with the resolution agreement requires the organization to conduct a comprehensive risk analysis and establish a credible risk management program. To lower the risk to the business, organizations subject to the HIPAA regulation, both covered entities and business associates, must ensure that compliance is baked into the enterprise DNA.
In this article, we focus on two key challenges for organizations. First, what does HIPAA compliance mean? What must it address? And second, how can an entity address HIPAA compliance and the risk associated with cyber attacks on a continual basis?
HIPAA compliance requires a systematic and disciplined approach that starts with an in-depth understanding of the mandates. It requires a life-cycle approach that results in a HIPAA gene actively integrated within the enterprise DNA. The key words here are life-cycle approach and active management; both are essential to establishing a credible HIPAA compliance program.
HIPAA compliance is not a one-time security risk assessment exercise, nor an occasional review of the organization’s policies; neither is it assigning the role of the Security Officer to an IT or MIS Director who has no time to devote to this responsibility.
What does it mean to comply with HIPAA? HIPAA compliance at a minimum requires addressing the following regulatory mandates:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HITECH Breach Notification Rule
For many covered entities, HIPAA compliance also requires meeting the requirements for HITECH’s Meaningful Use of an Electronic Health Record. More information on how an organization should address compliance and risk can be found here.
Let us next focus on the risk from cyber-attacks. HIPAA compliance is a sub-set of, not a super-set of, your enterprise cyber security program. Consequently, one must determine which security framework the organization should adopt to help establish a credible and vibrant cybersecurity and HIPAA compliance program.
The security framework upon which you base your HIPAA compliance program will have a direct impact on factors such as lowering risk, increasing efficiency, and ensuring continual compliance. The security framework an organization adopts should be scalable and sufficiently comprehensive to enable addressing multiple federal, state and other mandates.
Options for such frameworks include the ISO 27001 standard, the NIST security control framework and the HITRUST CSF. Potential criteria for framework selection can be found here, but healthcare organizations will find the HITRUST CSF to be a credible option for the following reasons:
- Tailored for the healthcare environment
- Founded on ISO 27001
- Comprehensive: addresses several additional mandates with which organizations may also need to comply (perform once, address several mandates)
- Referenced as a resource by OCR for conducting a HIPAA risk analysis
Finally, organizations should implement their selected framework with HIPAA compliance in mind. In other words, the organization’s information protection program should always be “audit-ready”. What this means is ensuring that your organization:
- Develops and updates policies and procedures
- Conducts a comprehensive risk analysis exercise that is inclusive of a technical vulnerability assessment
- Appropriately manages your business associates and their agreements
- Deploys and actively monitors security controls
- Regularly delivers security training to members of your workforce that reinforces enterprise security priorities
- Establishes a foundation for a risk management program (risk management is a required HIPAA Security implementation specification)
- Evaluates the selection of a security framework that addresses HIPAA mandates, as well as additional compliance requirements with which your organization must comply
The implementation of an appropriate information protection program as described here will help you establish the foundation for a mature HIPAA compliance program that truly is an integral part of your organization’s DNA.
Ali Pabrai is a cyber security & compliance expert, and the chief executive of ecfirst.