Inertia Is a Risk With Myriad Security Resources; Overlap May Help

By Nina Youngstrom

It’s somewhat of a contradiction: Hospitals often fall short on security risk assessments, but there’s an overabundance of resources on how to conduct them. It’s perhaps causing analysis paralysis, even though they are required to perform risk assessments under the HIPAA security regulation, a security expert says.

“In health care, the main thing you must do is adhere to HIPAA, but most of us who have been doing this for a while recognize it’s a bit long in the tooth,” says Barry Mathis, a principal in PYA. While people who work on preventing breaches and cyberattacks rely on other sources for guidance, there are now so many, including the Health Information Trust Alliance (HITRUST), which created a common security framework (CFS); the National Health Information Sharing and Analysis Center (NH-ISAC); the National Institute of Standards and Technology (NIST SP 800-30); the SANS Institute’s Top 20; American Institute of Certified Public Accountants’ System and Organization Controls (SOC) for cybersecurity; and The Healthcare Cybersecurity Communications Integration Center . It’s possible to get overwhelmed, Mathis says.

Brief Description of Some Major Security Frameworks

More than enough resources are out there to help hospitals with cybersecurity, says Barry Mathis, a principal in PYA. Here’s a summary of some. Contact Sully Baker at sbaker@pyapc.com and Mathis at bmathis@pyapc.com.

Title

Owner/Licensor

Framework

Purpose

Details

HIPAA

US Code of Federal Regulations §164.308, §164.310, §164.312

Compliance guideline with three safeguards: Physical, Technical, Administrative. Each safeguard includes multiple criteria, some being required, while others are only addressable (must have valid business reason not to implement control).

Designed for a large range of covered entities and business associates. Include the requirements, processes and procedures, and Protected Health Information (PHI) documentation requirements. Designed to require less resources and time to implement, while maintaining a satisfactory measure of safety.

HITRUST

HITRUST Alliance

A single all-encompassing audit based off of Regulatory (state, federal, domain specific) requirements; Organization (geographic factors, amount of covered lives); System (data stores, external connections, number of users/transactions).

Scales according to the type, size and complexity of organization and systems. There are 14 control categories, 45 control objectives and 149 control specifications. At least 64 control specifications must be in place to become certified. Includes HIPAA rule, with COBIT, NIST and several other IT security compliance guidelines.

A prescriptive audit including 14 control categories: Information Security Management, Access Control, Human Resources Security, Risk Management, Security Policy, Organization of Information Security, Compliance, Asset Management, Physical and Environmental Security, Communications and Operations Management, Information Systems Acq. Dev. & Maintenance, Information Security Incident Management, Business Continuity Management and Privacy Practices.

NIST

US Department of Commerce

Framework has three parts: Core (activities, outcomes, references and approaches to cyber security); Profile (two-tier approach to explaining the objectives and outcomes “as is,” with a target profile of objectives and outcomes “to be”; Tiers (Clarifies an organization’s view on cyber security risk and the sophistication of management)

Made publically available to the private sector in April 2018. Based off of a variety of other standards (COBIT, CCSS CSC, etc.) which assist in the understanding and management to reduce cyber security risks. Assesses businesses to utilize cost-effectiveness for maximizing IT security expenditures.

American Institute of Certified Public Accountants (AICPA) SOC CS

AICPA

Performed by a CPA. Two aspects of the exam: Description of the Cyber Security Risk Management (CSRM) program; Effectiveness of security controls to achieve objectives.

Has been referred to as the GAAP of cyber security. Based on other frameworks (NIST, ISO 27001). Output of the exam are provided with three key components: Description of the CSRM; Management’s Assertion; Practitioner’s Report.

1. Description of CSRM: Description designed to provide about how entity defines its information assets, how they manage threats and P&P’s implemented and operated to protect that info. A ‘description criteria’ is used to prepare and evaluate the CSRM program. 2. Management’s Assertion: This addresses a) description is in-line with the description criteria, b) the controls that achieved objectives were set forth in ‘control criteria,’ created by AICPA like the ‘description criteria.’ 3. Practitioner’s Report: An opinion-based report to determine a) the description is presented in line with the description criteria and b) controls within the entity’s CSRM were effective to achieve the objectives based on the control criteria.

SANS Top 20

SANS Institute

Over the years, SANS Tops 20 has evolved into the list of critical security controls recommended by the Council on Cyber Security (CCS).

Provides a list of key actions an organization should take to block or mitigate cyber security risks. Every release of lists provides an updated version that alters or adds the previous controls.

“There are almost too many sheriffs in town,” he says. “It’s confusing.” Inertia could set in because of the information deluge with so many “frameworks.” That would be self-defeating, however, Mathis says. “You can throw a rock and hit any of these and it would be better than doing nothing,” he says. “Get off the couch and do something.”

Hospitals want to know which resources they should use to help prevent a breach and, if a breach occurs, how they can show the government they did their best to prevent or manage it. They will have a better idea of which framework to use if they complete a security risk assessment, he says. It’s also useful to let go of the idea of risk assessments as a one-and-done obligation. “It’s no longer about the assessment or the audit. It’s about a program—managing it end to end, knowing you may pull different pieces” from various frameworks. That will serve organizations well if a breach is investigated by the HHS Office for Civil Rights. “They want to see how the sausage is made,” Mathis explains.

All the frameworks are very good, Mathis says. Which you use depends on what surfaces in the risk analysis. “You don’t want to ignore HHS or commercialized frameworks,” he says. “You can crosswalk them, depending on what kind of complexity your organization has.” For example, a critical access hospital may take HIPAA’s security standards and crosswalk them with the SANS Top 20. “That may be enough, but you won’t know until you complete your risk assessment.” Mathis thinks the SANS Top 20 covers a lot of ground. “It matches everything HIPAA has except breach notification,” he says.

Or your security risk assessment may meet all the standards for HIPAA, but you might want to make additional moves to comply with the NIST version of CFS and SANS. “When you put all three together, there are not a lot of steps. They’re all the same, but restated in different vernacular,” Mathis says.

For example, audit controls are addressed by SANS CSC 6, HITRUST 06.i, HIPAA and NIST SP 800-53 AU-1, he says. CSC 6 is the maintenance, monitoring, and analysis of audit logs. HITRUST 06.i pertains to Information Systems Audit Controls. HIPAA (45 C.F.R. Sec. 164.312(b)) requires organizations to implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. NIST SP 800-53 AU-1 suggests that an organization develop, document, and disseminate to workforce members an audit and accountability policy on the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance, as well as procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. “All of these frameworks are addressing audit controls,” Mathis says. “You could be compliant in this area for all four frameworks by completing minimal steps during one assessment.”

Contact Mathis at bmathis@pyapc.com.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings