May 2017

HIT Happenings: How to Conquer Compliance Challenges
By Jenifer Rees and Andrew Hosch
For The Record
Vol. 29 No. 5 P. 5

Those in the health care industry regularly face challenges such as budgeting, patient privacy, and compliance. IT and security budget priority is difficult to quantify for return on investment—so how do health care professionals ensure patient privacy and security on a limited budget or when services are outsourced?

Extend the Compliance Boundary
Outsourcing security efforts is a common practice. Vendors are still required to follow HIPAA regulations as health care business associates. However, concern rises from how thoroughly outsourced vendors monitor private records. The institution, such as a hospital, is not only at risk in the event of a security breach of their location, but also has vulnerabilities with their vendors.

Health care organizations typically become aware of potential vulnerabilities after another institution publically announces a breach. This generally leads organizations to wonder whether a similar breach could happen to them, and raises questions of preparedness. While executives might assume their IT team is prepared, there are times when the chief information security officer doesn't have the budget or the business exposure to their institution's executive board to properly quantify the potential risk.

Organizational Gaps
While your organization may have incident response plans, they can be easy to deprioritize. A fitting place to begin is by encouraging your team to perform incident simulations and self-audits.

Incident response exercises help organizations assess who should be involved if a security breach occurs and how to contain systems involved in a breach. Such exercises will likely identify gaps within the incident response plan and demonstrate whether organizations have the tools needed to isolate the simulated issue and the ability to pinpoint what data were breached. Further, critically reflecting on your team's simulated scenarios afterward has a direct impact on the quality of future incident response exercises and general preparedness.

The Value of a CSF Assessment
The Health Information Trust Alliance (HITRUST), along with other leaders within the technology and information security industry, has established the Common Security Framework (CSF). The CSF allows organizations to determine and attest to their level of compliance with HITRUST through a variety of possible third-party validated assessments.

Determining the type of CSF assessment an organization needs depends on whether the organization is seeking HITRUST CSF certification, CSF self-assessment, or CSF validated assessment.

Avoid Compliance Fatigue
For large health care organizations, compliance fatigue can occur when working to ensure business associates and vendors are actually implementing security controls, as they should, in order to protect patient data under HIPAA. As part of vendor risk management, health care organizations may institute questionnaires back and forth, along with facilitating third-party assessment reviews and audits; while this is all part of the vendor risk management process, it can also contribute to compliance fatigue.

HITRUST can help the organization ensure their business associates are protecting patient data covered by HIPAA by providing a third-party certification of a standard framework of controls—namely, CSF, which contains the required controls and offers implementation guidance through illustrative procedures and a specific audit evidence-gathering process.

Due Diligence
A 2016 study by IBM suggests the average cost of a data breach is $4 million. HITRUST gives health care organizations and their patients peace of mind, while providing health care security professionals a framework of controls built on other standard frameworks (ISO 27001, NIST 800-53, COBIT, HIPAA, and HITECH) that safeguards personal health care information.

— Jenifer Rees is senior quality engineering consultant for Seattle-based Base2 Solutions, and a Certified CSF Practitioner (CCSFP) CSSLP, (ISC)².

— Andrew Hosch is vice president of technology for Base2 Solutions, and a Certified CSF Practitioner (CCSFP) Certified Nessus Auditor, CWATP, CISSP, (ISC)².