HIPAA Survival Guide April 2019 Newsletter

 
10 Magic Security Controls
 
Introduction
 
The "magic" in these controls is that they apply to almost every conceivable compliance regime you can think of, for example HIPAA, GDPR, and PCI DSS. They are cybersecurity 101 controls, and when fully and rigorously implemented they will dramatically improve cybersecurity compliance across your organization. Given the tools that are now available, these controls are nowhere near as burdensome or expensive as they were even a few short years ago. For example, two-factor authentication, as discussed below, is a "no-brainer" because almost everyone has a smartphone these days.
 
Risk Management
 
This Control encompasses the entirety of an entity's Risk Management program ("Program"), including Risk Assessments and implementing additional Security Controls ("Controls") that reduce Risks to levels that are "reasonable and appropriate." Risk Management is a meta-control. It theoretically could swallow all other Controls, but it is broken out separately to highlight the importance of having a Risk Management Program.
 
Incident Management
 
There can be no effective Risk Management Program, including but not limited to Breach Notification, if security incidents are not tracked. Although most incidents do not rise to the level of a Breach, organizations cannot know which ones do and which do not unless all Incidents are tracked. A centralized group within the organization must be responsible for tracking incidents (i.e. reporting, processing, documenting, and escalating them).
 
Administrative
 
The Controls listed here encompass a broad array of people and process issues (i.e. accountability, laws & regulations, training & awareness, documentation, process results, workforce clearance & termination). We have chosen to aggregate certain Controls into meta-controls because it facilitates how stakeholders think about, and implement, their respective Programs. We prefer clarity of thought over a laundry list of implementation details.
 
Authentication
 
Authentication is a meta-control. Smartphones have led to widespread use of two-factor authentication by most large organizations. However, it must be noted that Authentication is a much broader topic than simply the identification of humans. Systems that access your systems must also be authenticated, to ensure the same thing: "that the System is who it purports to be." (User, System, Roles & Responsibilities, Approval, Termination, Two Factor, Data Integrity).
 
Breach Notification

Breach notification is the 800-pound gorilla that drives enforcement of HIPAA/GDPR. Large Breaches attract attention. A significant Breach will get you audited. If the rest of your Program is not in order, then you are going to be hit with the largest fines. Further, stakeholders need to be prepared to take advantage of whatever safe harbors may be available under a specific regime (e.g. pursuant to encryption or de-identification).
 
Disaster Recovery

Disaster Recovery is yet another meta-control. It encompasses much more than data backups. The disaster perhaps has nothing to do with your data and everything to do with your environment, and how to get it operational again. One of the principal pieces of documentation required is a current inventory of your most critical applications and how to get them restored quickly after an emergency (Data Backup Plan, Emergency Access, Emergency Mode Operations Plan, Application Criticality List).

Audits

You can't manage what you don't measure; an effective audit program is the only way to measure how well your Risk Management Program is functioning. Measuring against a baseline of a compliance regime's requirements is the only level of granularity that matters during an audit. You have to compare requirement-by-requirement and give your organization a score, as per that requirement, in order to perform an effective self-assessment.

Technical

This is another meta-control. Why does encryption top the list? Because if you encrypt using widely accepted protocols (e.g. those recommended by NIST), you can often take advantage of regime safe harbors. Even if regime safe harbors are not available, encryption is the best technical method currently available to prevent Breaches, which are the one thing that poses the most liability to any organization, besides humans (Encryption, Malicious Software, Network, Email, Browser, Applications, Databases, Patch Management, etc.).
 
Physical

Locks, cameras, surveillance equipment, etc. are so ubiquitous and inexpensive that we do not pay sufficient attention to these safeguards. Changing the locks to the server room when a disgruntled key employee leaves the organization should be a "no-brainer," yet too few organizations actually do it. Your facility's perimeter, analogous to your network's perimeter, is far too easy to penetrate to leave the secondary defenses behind it (e.g. locks and access cards) unattended. The nuts-and-bolts work of cybersecurity is not always sexy, but it's always important.

Organizational
These are meta-controls that you apply across your organization in order to transform the organization's compliance DNA from viewing Risk Management as a necessary evil into something that enhances your value proposition to your customers. For example, implementing an Agile Compliance methodology would be an organization-wide control. Analogously, using the Compliance Stack™ metaphor to think holistically about compliance across regimes would be another.
Security Objects

Controls are applied to Security Objects. It is imperative that you have a current list of your Security Objects in order to manage an effective program. However, in the grand scheme of things, it is much more important to start applying Controls to high-risk Security Objects sooner rather than later. Both objectives are important; it's a question of priorities (e.g. devices, applications, processes, workforce).
Summary

You should be able to leverage these controls across compliance regimes and therefore reduce the cost of compliance over time. The key is in changing how your organization thinks about compliance: transforming a currently siloed approach into thinking that is more holistic.