HIPAA Survival Guide Newsletter October, 2020

Stuck on Stupid: Managing Multiple Compliance Regimes
Most compliance vendors whose software allows customers to conduct risk assessments (RA) use the National Institute of Science and Technology (NIST) methodology encompassed in Special Publication 80-30 Rev1 (Model). The NIST Model mandates the matching of Threats with Vulnerabilities to identify risks that may require remediation or status verification. Expresso is no exception.
Why has this Model seen such widespread adoption? Because the Model provides a universal grammar for conducting RAs. It is compliance regime agnostic. In fact, the Model is so coherent and elegant that it can be used to identify risks (or gaps) for any regulatory compliance regime. For example, we have used it for both the GDPR and the HIPAA Privacy Rule (i.e. in addition to the HIPAA Security Rule). Further, we are in the process of using it for the California Consumer Protection Act (CCPA) that we expect will be released soon.
Expresso treats compliance regimes as “objects” (i.e. for those of you familiar with object-oriented programming). All that is required is to properly format and import an Expresso “Load Module” and the new regime is instantly available. Of course, the hard work lies in formatting the “Load Module;” which generally is going to require legal talent. A lawyer must understand the threats and vulnerabilities of a regime (i.e. through dissecting the regime and internalizing it). A vulnerability, in our usage of the Model, is defined as the absence of a “control.” If there is no control, then a threat can exploit the vulnerability to the detriment of the PII or PHI that you are attempting to protect. On the other hand, you may have a control that does not sufficiently plug the vulnerability which leads to the same result.
Your organization continues to live in stuck on stupid land if your existing compliance software requires you to purchase additional software (i.e. from a different vendor) to support another compliance regime. This is an expensive proposition, not only because of the direct cost but because it requires your staff to climb yet another learning curve and manage multiple applications and approaches to meeting what amounts to the basic requirements of regime compliance. Further, when your Compliance Officer (CO) moves on to that next lucrative gig, the organization’s replacement CO will have to figure out where all the dead bodies are buried. The take/over/transfer process becomes a nightmare.
There is nothing in Expresso that we have hardcoded for a regime. Using the NIST model allows us to be regime agnostic. This is in part what we mean by Enterprise Compliance for the Masses. Once you’ve learned how Expresso works for one regime, you know how it works for all of them. Furthermore, using Expresso’s Compliance Repository you can maintain a single version of the truth for all regimes; dramatically reducing the hidden and direct costs when you have staff churn in key positions. Other than being a “shameless plug” for Expresso, these are the kinds of features you should be looking for in Enterprise Compliance Software (ECS).
Another area where organizations are stuck on stupid is with respect to Business Partner Vetting (BPV). Expresso’s BPV portal has re-engineered the entire process, saving our customers thousands of dollars. BPV works for any industry and soon will be sold “stand-alone” for that very purpose. Many industries outside of healthcare must vet their business partners for cybersecurity compliance or risk having their names splashed in the headlines because a partner had a significant breach with your organization’s data. You will lose millions of dollars in reputation damages with little hope of recovering those costs from your partners. You will also have to incur the other costs associated with a breach (e.g. customer notification costs).