HIPAA Survival Guide Newsletter July 2017: Issue 91
Your HIPAA Compliance Companion
SPECIAL ANNOUNCEMENT!
July 14, 2017
FREE
Seminar/Webcast in Largo, Florida
Phishing, Ransomware, and the Internet of Things ("IOT")
Description: This Complimentary LIVE HIPAA Cybersecurity Seminar on Phishing, Ransomware, and the Internet of Things ("IOT") for healthcare compliance professionals and other healthcare stakeholders will be presented by Carlos Leyva, Esq., CEO of 3Lions Publishing, Inc. (the publisher of the HIPAA Survival Guide) and Managing Shareholder of the Digital Business Law Group.
We will summarize the lessons learned by the healthcare industry from WannaCry and perform a postmortem on its impact. WannaCry is a game changer and therefore requires immediate industry attention. This webinar also covers the threat to the healthcare industry posed by the Internet of Things ("IoT").
Healthcare professionals are among the busiest in the world and often lack the bandwidth to self-educate.
There are two options for this Seminar: attend in person, or watch the "Live Streaming" Webcast of the Seminar.
Registration is required. Space is limited so be sure to RSVP right away!
Where: Hampton Inn, 100 East Bay Dr. Largo, FL.
When: July 14, 2017 2:30pm EST
If you have any questions, call us at 800-516-7903
HIPAA Survival Guide
Regular Monthly Webinar
Description: This webinar will discuss why, subsequent to WannaCry, there is no meaningful distinction (assuming there ever was one) between HIPAA Security and CyberSecurity.
Date and Time, including Time Zone
July 27, 2017 2:00 EST
July 2017 Newsletter: HIPAA Security is Cybersecurity (sort of)!
Introduction
This article argues that there has never been any meaningful distinction between CyberSecurity and HIPAA Security from a technical perspective; however, from a legal perspective each regulatory regime must be treated as a unique and distinctive set of regulations. The WannaCry attack made the technical argument painfully obvious and became a "clarion call." The obliterated technical distinction has forced the healthcare industry to wake up to the fact that CyberSecurity, as represented by the HIPAA Security Rule, is no longer "simply a compliance issue" related to big brother's oversight of the industry, but rather a critical part of doing business in the 21st century!
For many years and until fairly recently, HIPAA was viewed solely as a regulatory regime that was pertinent to the healthcare industry and almost no one else. However, upon close inspection, the HIPAA Security Rule clearly demonstrates that the security controls it mandates (referred to as "implementation specifications" in the Rule) are in fact Cybersecurity 101, a "floor" that the healthcare industry (and needless to say other industries as well) should treat as "foundational," necessary perhaps for compliance but not sufficient to actually get the job done.
In recent guidance (see p. 2 of the guidance) HHS has expressly stated that the HIPAA Security Rule should be considered nothing more than a floor.
What is CyberSecurity?
That question is so broad that it can only be answered succinctly in the abstract. However for our purpose such a definition should work just fine. One such definition follows: "Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cybersecurity and physical security."
Although the previous definition certainly works, we prefer our own: "CyberSecurity is a set of processes by which an organization identifies and implements security controls to prevent corruption (impedance to the integrity, availability and confidentiality of security objects e.g. devices, networks, applications, databases, workforce, etc.) and thereby safeguards its computing resources."
Assuming that for the sake of argument you accept our "security controls" based definition of CyberSecurity, then the Center for Internet Security's ("CIS") "top 20 security controls" offers us a good view as to what a CyberSecurity "floor" might look like and thereby provides us a baseline reference point to compare how the HIPAA Security Rule stacks up against it. This spreadsheet compares the CIS top 20 and the Security Rule's implementation specifications to demonstrate the technical overlap between the two.
The answer to the question of what HIPAA Security is contains two related but ultimately separate and distinct parts: (1) a set of security controls not all that dissimilar from the CIS top 20; and (2) a coherent regulatory regime that is a set of regulations unique unto itself. To ignore the latter is to make a legal mistake that could lead to significant liability. That is why, in our view, reliance on "mapping mechanisms" such as HITRUST and ISO 27001 alone is potentially legally dangerous.
No HHS auditor or court of law focusing on a HIPAA legal question is going to ask you whether or not you are in compliance with a section of HITRUST or ISO 27001. Although covered entities and business associates may use the latter as some sort of affirmative defense with respect to HIPAA compliance, the questions that HHS or a court are going to ask will reference specific sections of the HIPAA Rules. For example, the question won't ask whether you conducted a Risk Assessment but rather whether you complied with Section 164-308(1)(ii)(a) "Risk Analysis (Required)."
At best, your sole reliance on HITRUST or ISO 27001 (or any similar mapping mechanism) is likely going to make your defense harder, and therefore more expensive. At worst, relying on these mapping mechanisms could provide your organization a false sense of compliance that could lead to a finding of willful neglect.
What is the difference?
HIPAA Security, as discussed above, is both a technical "thing" and a legal "thing." Each "thing" represents requirements that must be met, but the latter carries the "weight of law" and therefore must be given the appropriate legal consideration that the law mandates. Although neither "thing" can be ignored, it has been our experience that failing to adequately give HIPAA the legal consideration of ensuring that each requirement is answered with visible, demonstrable evidence of compliance is where most healthcare stakeholders fall short.
The reason for this is quite nuanced and therefore often quite difficult for healthcare stakeholders to understand, and it's the principal reason why they may not be getting the entire "big picture" from the HIPAA consultants and attorneys they reach out to for help. To be blunt, the issue comes down to the following: (1) many HIPAA consultants fail to appreciate the depth of legal acumen required to understand the HIPAA Rules as law; and (2) many attorneys, especially when it comes to the HIPAA Security Rule, lack the technical "chops" to advise their clients on these matters.
HIPAA stakeholders are quite often left without awareness of this gaping hole. They are lulled into a false sense of compliance and therefore remain exposed, often after having spent significant sums of money attempting to comply!
Other Regulatory Regimes
Other regulatory regimes (e.g. PCIDSS) must be treated in the same manner as discussed above (i.e. both the technical "thing" and the regulatory, legal "thing" must be addressed). With respect to PCIDSS this is true despite the fact that it is not law, but rather a private regulatory regime controlled by contract, that healthcare stakeholders who use a merchant processor to process credit card transactions must adhere to.
Almost all private sector healthcare providers process credit card transactions and therefore must comply with PCIDSS. Among other things, PCIDSS requires periodic network scans by credentialed professionals to ensure compliance.
The analogy to other regulatory regimes does not end with PCIDSS. For example, SSAE 16 compliance deals with many of the same issues technically but must be attacked from its own regulatory regime perspective.
Expresso™ "FREE Test Drive"
Expresso™ is an easy to use Risk Assessment software that allows you to detect risks, threats, security objects, and vulnerabilities to PHI and identify impacts and assign controls at a glance! Expresso™ is available as part of our HIPAA Survival Guide Subscription Plan or alone, as a monthly subscription.
Just click on the Act Now Button below and fill out the information, and our Customer Service Staff will set up your Free 15 Day Expresso™ Test Drive and arrange a "Go To Meeting" session to review how you can do your HIPAA Risk Assessment in 3 hours or less.
Our "Quick Start Guide" and educational videos get you off and running to complete your first Baseline Risk Assessment. Expresso™ comes pre-populated with all the Risks, Threats, Vulnerabilities and Impacts necessary to complete your Risk Assessment.
You Can:
1) Perform a Baseline Risk Assessment in a matter of hours;
2) Bulk import Security Objects: people, places, assets, processes and apply Security Controls;
3) Track the results of the Controls applied; and
4) Retain instances of past Risk Assessments for reporting purposes.
HIPAA Requirements for the
including Policies and Procedures
Included in the HIPAA Survival Guide Subscription Plan
Protect Your Practice and Your Business
Click Here for HIPAA Survival Guide Subscription Plan Testimonials
Take advantage of our new
Heartbeat™ and Pulse™ offerings with The HIPAA Survival Guide Subscription Plan With Expresso™