HIPAA Challenges: Strategies for Filling the CISO Role
By Gerry Blass and Jason Tahaney
For The Record
Vol. 32 No. 5 P. 32
Under the HIPAA Security Rule, any covered entity (CE) is required to put in place certain physical, technical, and administrative safeguards. Within the requirements for Administrative Safeguards, a standard titled “Security Personnel” requires that “a [CE] must designate a security official who is responsible for developing and implementing its security policies and procedures.”
The Security Personnel standard requires every CE to identify one person who is operationally responsible for ensuring that the organization complies with the Security Rule. Though the rule specifies that one person should have oversight, other individuals can be assigned and contribute to security responsibilities.
But with limited resources in both staff and budget, how can health care providers and other CEs faithfully comply with the requirement to designate a security official? What are the responsibilities of the role? And what are the risks of assigning the role to a person who already has another full-time job?
This article explores the day-to-day expectations of a designated security official, when it’s feasible to have a full-time employee dedicated to the role, the skills required, and how a CE can set up the position for success. In addition, it discusses how the COVID-19 global pandemic has affected this important role.
The Role and Responsibilities
The designated security official, commonly known as the information security officer or the chief information security officer (CISO), works with executive leadership and the IT team to ensure that the organization's overall cybersecurity posture supports both day-to-day and long-term protection against threats.
The CISO oversees all internal cybersecurity responsibilities and is accountable for the following:
• managing cybersecurity incidents;
• consulting on cybersecurity to senior leadership and IT;
• reviewing and writing cybersecurity policies; and
• monitoring cybersecurity policies for effectiveness and timeliness.
Though the designated security official should have a strategic role at the executive level, that individual also directs a team that can carry out daily activities and is viewed as the go-to person if and when the CE experiences a cyberattack.
In addition to these internal cyber protocols, the CISO manages external cyber precautions, including the following:
• interacting with strategic vendors who supply cyber-related technical expertise and tools such as security operations centers;
• performing external assessments and audits of third-party vendors or business associates (BAs) to safeguard the sharing of electronic protected health information;
• designing and reviewing risk mitigation plans related to third-party vendors, BAs, and downstream BAs;
• representing the CE and sharing knowledge with other health care providers through Information Sharing and Analysis Organizations; and
• staying apprised of regional and national issues that can impact the organization.
Full-Time, Part-Time, or Outsourced
It’s not uncommon for health care providers to fulfill the designated security official requirement by assigning the role to a full-time employee who already has other responsibilities. Depending on the size and scope of the CE, this could all but ensure the person will not have the bandwidth or training to handle the volume of work needed.
At what point does it make sense to dedicate a full-time person to the role? The case can be made that, regardless of size or scope, every CE should have a full-time cyber officer or CISO. Indeed, a quick study of recent cyber and ransomware attacks proves that the size or type of health care organization is irrelevant to would-be attackers. Hospitals, clinics, elderly care providers, dental and optometry practices, plastic surgeons, and medical testing facilities have all experienced cyberattacks since 2016.
However, having a full-time staffer may not be practical for every health care provider. With more employees comes more complexity, more risk, and more vulnerabilities. Therefore, it’s recommended that any organization of more than 500 employees have a full-time, dedicated CISO. Though a 100% outsourced model is uncommon, small practices and nonacute care facilities often partially outsource IT and cybersecurity to managed service providers that offer HIPAA services.
It is nearly impossible, and certainly unlikely, for any CE to manage a comprehensive cybersecurity program without enlisting outside resources and expertise to help with operations, monitoring, assessments, strategic planning, and more. The digitized world of health care is too complex and fast paced to staff in-house for every eventuality. Rather, a team effort in which in-house and outsourced experts work together on long-term solutions is ideal.
If a health care organization chooses to outsource the designated security official role, it should ensure that the person is fully committed to the company, with no other customer responsibilities or priorities.
Regardless of full-time, part-time, or outsourced status, the designated security official should be qualified to do the following:
• manage multiple projects at once;
• have hands-on experience in cybersecurity in a health care setting;
• communicate effectively with both executive peers and operational staff;
• have a proven track record of collaborating with IT departments;
• understand and help ensure cybersecurity efforts are embedded in change management practices; and
• move quickly when the need arises to manage new and unknown cyber threats.
The designated security official requirement is a federal mandate for good reason. It is not enough to simply give an existing staffer the title to fulfill the obligation. Rather, health care organizations should create an environment and nurture a culture that protects the organization and its patients—and sets up the CISO for long-term success.
The following four strategies are recommended to ensure the designated security official can successfully fulfill the role and all obligations to protect the organization:
• Garner C-suite sponsorship. Without buy-in from the entire executive team, cybersecurity projects will not be completed. Educate senior leadership on the risks involved if the organization does not act or is found to be negligent.
• Separate the IT and security leadership roles. Though it can be tempting to combine the leadership of IT and security into a single role, this tactic is not advisable. There are not enough hours in the day for one person to handle both roles. In addition, an IT leader may not have the required background or expertise in cybersecurity. The roles should be separate to avoid any political or conflict-of-interest issues. Instead, have two leaders who work closely together on an enterprise strategy.
• Employ a knowledgeable cybersecurity team. Depending on the size of the organization, a minimum of one or two in-house staff should suffice. Supplement the in-house team with partners that can provide expertise in specialized areas.
• Create a culture of cybersecurity awareness. Cybersecurity touches the entire organization. Educate and train every employee on the leading practices that can minimize breaches. Empower the CISO or designated security official to enforce rules and regulations for all staff, including clinicians and operations.
Life During a Global Crisis
The worldwide health crisis associated with COVID-19 did not dramatically impact the focus of CISOs. What it did impact was the speed at which CISOs needed to act. Cybersecurity is difficult enough to manage under normal conditions. COVID-19 reminds us that managing cybersecurity at breakneck speed is hard. Adding a global pandemic to the already long list of threats, combined with a lack of cybersecurity resources, can expose any health care organization.
From a cybersecurity perspective, COVID-19 should be a learning exercise in terms of the resources and technology needed to properly protect an organization from cyber threats. During the pandemic, health care organizations and their CISOs should document all efforts to combat cybersecurity threats. Conduct a thorough assessment by asking the following questions:
• Do you have the resources needed to perform due diligence quickly?
• Is the organization prepared for fast-paced change management?
• Are you equipped to fully vet all of the changes required, practically instantaneously, to support the disaster response plan?
• Can you quickly prioritize essential projects and stop all nonessential work?
• Are your telecommuting protocols in place, and are they acceptable for long-term, mass scale?
• Do you have staff education and training in place? Can your staff distinguish authentic communication from phishing attempts, especially those that use the crisis to lure an “open” or a click?
If nothing else, the past decade has proven that health care cybersecurity is an essential strategic function for protecting providers and their patients. Though the HIPAA rules have not been updated in some time, the requirement for a designated security official showed considerable foresight. Establishing a role dedicated solely to developing and implementing security policies and procedures is critical to fighting the new threats and existing vulnerabilities found at virtually every health care facility.
— Gerry Blass, president and CEO at ComplyAssistant, has more than 35 years of experience in HIT. Prior to ComplyAssistant, Blass was the CISO at a major health care system in New Jersey.
— Jason Tahaney is director of technology at Community Options, a national nonprofit organization providing community-based residential and employment support services to people with developmental disabilities. Community Options seeks to promote the inclusion of people with disabilities in the community through person-centered and natural supports, and collaboration with community partners.