S3 E17: Aligning Cybersecurity Controls with Healthcare Compliance Obligations


Transcript

Jordan Eisner (00:00)
Welcome to another episode of compliance pointers. I’m joined today by Alec Harrell, a first timer on the show on the podcast. Alec, good to have you.

Alec Harrell (00:12)
Yeah, thanks for having me. Excited to be here. Let’s hope.

Jordan Eisner (00:14)
First of many.

Yeah, so for our viewers and listeners, Alec has been a security consultant at CompliancePoint for over three years now. And he would like me to say that he focuses on providing clients strategic guidance through the CSO engagements and compliance assessments with regulations and security frameworks like HIPAA, HITRUST, and NIST, including CSF and 800-53.

Before joining CompliancePoint, he spent some time in the healthcare compliance space and you say you have some experience with secure cloud architecture.

Alec Harrell (00:53)
Yeah, that’s a little bit of a passion of mine, right? AWS specifically.

Jordan Eisner (00:59)
Right. Yeah. You always sound pretty tech savvy to me.

Alec Harrell (01:02)
I try. I try.

Jordan Eisner (01:05)
And not that our listeners or watchers would want to know, or care too much to know this, but Alec and I actually went to the same high school for a time. And then we went our separate ways, you moved to Texas, but here we are reunited. Yep.

Alec Harrell (01:23)
Good to be here with you.

Jordan Eisner (01:24)
So believe it or not, CompliancePoint is not a very big company, but from my understanding, I wasn’t even the first Cavalier to work here. I’m the second. I think you’re the third. The first was a guy. I didn’t know him. His name is Mike Madsen, who apparently worked here in the early days. Cagle knows.

Alec Harrell (01:35)
Really? Okay, shout out Mike, I don’t think I know him.

Jordan Eisner (01:54)
Well, he’s, he’s in good company. Yes.

Alec Harrell (01:56)
Yes.

Jordan Eisner (01:59)
Today, we’re going to talk about how organizations can align their security controls to healthcare compliance needs and other challenges specific to that industry, the healthcare industry, and I think the scrutiny around cybersecurity in the healthcare industry. Alec is a great guest for this because of his experience in the space and his expertise around not only healthcare regulations, but also cybersecurity best practices.

Let’s dive right in. Why is there an extra layer of complexity when it comes to cybersecurity and healthcare?

Alec Harrell (02:30)
Yeah, great question. Really, it’s because we’re dealing with this specific data type, right? Electronic protected health information as it’s defined by HIPAA. And so anytime you’re dealing with a specific data type like that, you’re just naturally going to focus on protecting that type of data, and you may lose sight of risk, organizational risk that doesn’t have anything to do with that specific data type. So that’s a big problem, right?

The second problem I would say is legacy systems, right? Outdated.

Medical devices, which I know Carol did one on Compliance Pointers here, right? She did one about that specifically. But a lot of times those devices don’t have the same procurement process. They’re not introduced in the environment in the same way that a SQL Server or a laptop or something traditional would be, right? And that can present problems, but generally those devices are designed to provide business functions, like if you think of hospitals and IV pumps, right?

They’re interconnected. They have a network connectivity. We don’t always think about doing vulnerability scans on them or things like that. So similar to manufacturing, there’s a lot of legacy systems out there. And then I would say untrained workforce. If you think about all the different sub industries of health care, you think about public health, you think about your doctor, private health, nurses, doctors, you think about insurance companies and revenue cycle management.

If you ask any of them what’s the most important function, I don’t think data privacy or security comes up. Right? So they talk about the Hippocratic oath and providing care and things like that, so I would say those are pretty big challenges.

Jordan Eisner (04:06)
Right. Yeah, you’re right. Right. And a lot of times it can be a pretty big workforce too. The training requirements can be pretty, pretty broad in all areas. And then this is just one piece of it. So, and that was interesting too, talking about the hyper attention on the specific data set and not the organization as a whole. So maybe not quite, but almost like missing the forest for the trees sometimes and just being so hell bent on protecting the specific data set that other controls.

Alec Harrell (04:46)
Yes, and a lot of times what happens with that, I think this happens in PCI is we naturally just try to segment the environment. Hey, let’s put the healthcare environment over here. Let’s have our corporate environment separated from that. And it makes applying controls in a uniform fashion difficult because now maybe the healthcare environments on-prem, the corporate stuff is in the cloud or vice versa. And it’s not, it’s hard to manage all of that. The security of that, right?

Jordan Eisner (05:13)
Yeah, and it makes training all that harder too when it’s segmented and treated differently and not consistent across the board, which it really can’t be. So there you go. Catch-22. And you’d probably be listening or watching and thinking, man, you’d have to be pretty sick to want to hack into some of those medical devices and certain things. But it happens. It does. This space is attacked pretty often.

Alec Harrell (05:39)
Yes, it does.

Jordan Eisner (05:43)
So HIPAA, which governs a lot of covered entities and all covered entities and business associates to those covered entities and has rules for not only privacy, but security and breach, has a requirement that an organization perform regular security risk assessment.

Alec Harrell (06:03)
Yes.

Jordan Eisner (06:05)
Well, OK, what I was going to ask, I guess. The rule itself, beyond just that, I got a little sidetracked with that question, but the rule itself, just the security rule. Is that doing enough, right, doing the assessment, looking at that and treating those risks? Or is there work beyond just the security rule, for organizations, covered entities and business associates alike?

Alec Harrell (06:34)
Yeah, I think there definitely is more work to do because again HIPAA is very narrowly focused on protecting ePHI, right? But you can naturally do that and comply with HIPAA while still having organizational risk, right? For example, if we take the example of we segment the healthcare network and so we’re going to try to apply the security rule to that healthcare network, but the security rule.

It was established in 2003 and I think had an effective date of 2005, right? So this was before cloud computing, before SaaS applications, before AI and machine learning, right? So it’s naturally going to be outdated, and also we’re going to naturally try to just do the bare minimum with it. We’re going to try to comply with it in that specific space, right? And so no, I don’t think it’s enough, because there are elements that it doesn’t really address, and we’re going to talk a little bit about that today, but different elements of a good cybersecurity program like third-party risk management, security awareness and training, incident response. These elements are addressed with a very narrow scope around ePHI and safeguarding it, not necessarily total incident response for an organization, right? Not necessarily training your workforce on general security best practices. So there are ways that you could comply with HIPAA.

Maybe I train my workforce on what HIPAA is, what their responsibilities are, and what ePHI is, but I don’t necessarily train them on how to recognize a phish attempt. And now my workforce is an attack vector, right? There’s a threat there, but I’ve complied with HIPAA. So. Right.

Jordan Eisner (08:15)
Yeah, right. It’s age old adage, right? Compliance doesn’t equal security. Yes, and vice versa. But probably be better to be secure than compliant.

Alec Harrell (08:29)
Yeah, I mean probably, but HIPAA is the law, right? So there’s some regulatory things there, some civil fines that you probably don’t want to find yourself on the wrong end of. But yes, as a general rule, security more important than compliance. I would say.

Jordan Eisner (08:47)
So you talked about some of those key elements already. Third party risk management, security awareness, training, incident response, anything you would add, any other key elements or anything to bolster?

Alec Harrell (08:59)
I’ll just talk about those specifically. I think those are the three most important, right, the first being third-party risk management. All HIPAA really talks about there for covered entities and business associates is having a business associate agreement, right? Making sure that your subcontractors understand what their responsibilities are for ePHI and safeguarding it, storing it, things like that. But that is not enough to really understand who your vendors are and what organizational risk your vendors pose to you, right? And that could be independent of HIPAA and ePHI. That could be financial risk and dependency risk. You know, maybe you use a vendor and that’s all they do, or they’re the only vendor that provides this type of service. It’s very niche. And so if they go out of business, your operation suffers. That’s a risk that really wouldn’t be captured in any sort of HIPAA risk assessment, right?

So things like that, right? I think security awareness and training are important because again, we need to train our healthcare workforce on how to identify indicators of compromise, not just ePHI safeguards and regulations around that, but how do I recognize that phishing attempt? And then once I can recognize it, where do I go to report it? Do I just click on the Microsoft button, report phish? Is there a compliance hotline? You know, things like that.

Jordan Eisner (10:29)
So what are some options you give health organizations looking to improve security beyond the HIPAA security rule or complying with HIPAA in general?

Alec Harrell (10:36)
Well, I would start with NIST Special Publication 800-66. It’s really a guide to implementing the security rule that NIST put out, and so it helps you operationalize. You know, HIPAA is written as a regulation, right? It’s in the code of regulations and it’s hard to understand sometimes. So when they say things like, hey, you need to make sure that your workforce has appropriate access to ePHI. Well, how do you really do that, right? Is that an access review? And so that special publication kind of guides you into how to operationalize and how to implement that. So that’s a good starting point.

I would say that HITRUST is a good starting point as well. It started out as an assurance program and a certification program for the healthcare industry, but then it expanded into they’re trying to be industry agnostic and bring in different requirements outside of just healthcare. So that allows the scope to be more of a risk management framework and less of a compliance with HIPAA, right?

Another one I would say is HHS 405D is a public and private partnership and a program that was established through the Cybersecurity Act of 2015. And what that really did was get together, HHS got together with leading medical universities, hospital networks, insurance companies, and they all kind of said, look, the security rule is outdated. What do we do about this?

And so they came up with a technical document of 10 practice areas. They’re referred to as the Healthcare Industry Cybersecurity Practices. And it’s really just 10 things you need to be doing, right? There are technical controls within that, but it’s email security, it’s vulnerability management, and how do you get to that? So here at CompliancePoint, our HIPAA risk assessments are based off that document because it is a little bit more updated.

Jordan Eisner (12:33)
And then I would imagine you’d say after 800-66, if you want to go beyond, what? NIST CSF, NIST 800-53.

Alec Harrell (12:40)
Yeah, I would start with CSF, right? It’s a great starting framework for organizations that want to improve security posture. It’s higher level, I would say, and it focuses on good cybersecurity outcomes, right? What does a good program look like? It doesn’t always tell you how to get there, but it’s a good starting point to kind of assess where you are today. And then I would start with that, and after you feel like you’ve addressed that and you know where your gaps are, you’ve sort of baselined your organization. 800-53, the special publication from NIST, is really the gold standard for cybersecurity here in the US.

Jordan Eisner (13:18)
Okay. Well, this was good. Short and sweet. A lot of good information for our listeners. Just to repeat those back. NIST SP 800-63, that’s 800-66. 66, yes. HITRUST, if they’re in the healthcare space, probably familiar with. HHS405D, which is, that’s put out by the SER, right? That’s what you just said is…

Alec Harrell (13:47)
Health and Human Services, yes. That’s right. And it’s really the document is called HICP, the Healthcare Industry Cybersecurity Practices. So there’s a technical document. It’s broken down into a version for enterprise businesses and then one for small medium-sized businesses.

Jordan Eisner (13:49)
HHS that’s right.

And then when you’re graduating from those, you can look at NIST CSF as a starting point and eventually the gold standard, NIST 800-53. And bolster your third-party risk management, security awareness, training and incident response. Don’t miss the forest for the trees by focusing just on PHI and not the controls surrounding it. Don’t segment it so much that it’s inconsistent with the rest of the practices of the organization. Good deal.

Alec Harrell (14:13)
Yes. Exactly.

Jordan Eisner (14:36)
Well, you’re a natural, which of course, right? You’re making it, man. So yeah, we’ll have to have you back on. For our listeners and watchers, thank you, as always, for tuning in. If you want to get content like this on a regular basis, be sure to subscribe and follow us where we can be followed. And Alec or myself are available on LinkedIn. If you have questions specific to this podcast, you can reach us at CompliancePoint.com. Many channels to communicate with us from there, but the simplest one is just emailing us at connect@compliancepoint.com. Until next time, everybody be well. Thanks, Alec.

Alec Harrell (15:14)
Thanks for having me.
