Healthcare organizations are charged with protecting the confidentiality, integrity, and availability of the medical records they create and maintain. These requirements come in the form of the HIPAA Privacy and Security Rules, State Laws, and cyber insurance policies. That said, many organizations don't have the internal capabilities to know how to comply with all of these requirements and don't have the budget to hire an expert in this field.
This is where a vCISO, or virtual Chief Information Security Officer may be able to help. Not everyone has heard the term vCISO and many may not know if this service makes sense for them. Here are the:
1) Your "HIPAA Security Officer" does not have information security experience
Most healthcare organizations know they need to comply with HIPAA and the requirement to designate both a Privacy Officer and a Security Officer. From my experience, most small-to-medium sized healthcare organizations fall into one of two buckets:
- The first bucket is organizations that designate one of their administrative staff as their "HIPAA Officer". This person will go to some HIPAA training, make sure their Notice of Privacy Practices (NPP) is up-to-date and signed, and likely download a "HIPAA Toolkit" with policy templates that they will put the organization's name on and proceed to file away on a shelf.
Often the focus is on the HIPAA Privacy Rule. In most cases this person only has cursory knowledge of information security and the requirements of the HIPAA Security Rule which leads to a lack of appropriate security controls because "you don't know what you don't know."
- The second bucket is organizations that say "Hey, security is an IT problem. Let's make our IT Manager the HIPAA Security Officer." This may or may not work depending on the IT Manager's background. You cannot assume that, just because someone knows how to configure a firewall, that they also know how to evaluate and manage information security risk. Information Security requires a level of business and risk understanding that is well outside the scope of a typical IT manager.
Areas such as Identity and Access Management Procedures, Workforce Security Policies, and Sanction Policies extend to Human Resources, Operations, and even Facility Management. A skilled Information Security Professional can extend beyond the "Information Technology" scope and understand how to address security beyond the "Technology."
Regardless of which bucket the organizations falls into, it is generally not reasonable for them to hire a full-time information security person to oversee their security and compliance. This is where it may make sense to contract with someone that can provide the required level of expertise while only committing the appropriate amount of time and cost.
2) You just had a Security Risk Assessment. Now what?
The completion of a Security Risk Assessment as prescribed by the HIPAA Security Rule is only the beginning of an organization’s compliance journey. HIPAA requires that organizations implement a Risk Management Plan to address identified risks. This is where an understanding of information security "risk" concepts is important and plays a role in determining "reasonable and appropriate" security controls. HIPAA is actually a risk management framework and is not a prescriptive checklist of things to implement or technology to purchase.
Organizations can optimize their security spending by relying on an expert who isn't just going to purchase the next shiny thing, but rather implement processes and technology that are effective at addressing security risks.
3) You have compliance requirements, but you're not sure how to get there
All healthcare organizations need to comply with the HIPAA Privacy and Security Rules. Most also need to comply with the PCI-DSS for credit card transactions. Others may need to comply with HITRUST, SOC2, ISO 27001, or State Privacy and Security regulations such as the California Consumer Privacy Act (CCPA) or New York's NY SHIELD Act. Many organizations are also purchasing cyber insurance policies that require extensive security controls. Wading through these complex regulations and compliance requirements can be difficult and time-consuming.
Having a trusted advisor help guide you through obtaining and maintaining compliance can help the organization prep for audits and responding to security incidents and breaches. That's the pro-active approach, which leads us to…
4) You had a breach or failed an audit
Many organizations find themselves in this boat. Perhaps they didn't take the proactive steps outlined earlier and now find themselves in a situation where a regulator or lawyer is asking some difficult questions.
It's not ideal, but it's never too late to bring in someone who has been through this before and can work with regulators to come up with a reasonable action plan to get the organization to proper compliance.
5) The Board of Directors is paying attention to cybersecurity and compliance
More and more Boards of Directors are reading about the effects that breaches and audit failures are having on healthcare organizations. This includes reports about hospitals that have had to temporarily close due to Ransomware, those that have had to pay heavy fines and monetary penalties, and the reputational impacts of negative press. Boards are starting to understand the financial and operational risks they have related to cybersecurity.
A good vCISO can help the board quantify this risk similar to the way financial, legal, and operational risks and quantified and determine reasonable steps to reduce the risk to an acceptable level. These are things most IT Managers and "HIPAA Officers" are not equipped to do.
A virtual CISO can help healthcare organizations develop and execute a security and compliance roadmap that can guide them toward achieving and maintaining compliance with a myriad of regulatory, industry, and cyber insurance requirements. By contracting with a virtual CISO, this can be accomplished without the investment in a high-paid employee.
By using a virtual CISO, organizations can often have additional cost savings by having an expert determine what security controls are reasonable for the organization and avoid extravagant purchases on security products that may not be effective for the organization.
If these top 5 sound like what you're experiencing with your organization, don't hesitate to reach out today. Our security experts look forward to helping you.