The Resource Guide and other industry standards are critical to the success of our clients in safeguarding electronic protected health information (ePHI) and personally identifiable information (PII). Although we do not store, process, transmit, or interact with client PHI in our environment, we hold ourselves to the same standards—if not higher—to demonstrate compliance with both the HIPAA Security Rule and the NIST Cybersecurity Framework (CSF).
We strongly support the intentions of the Resource Guide, and believe a revision can make the guidance even more useful for healthcare organizations in the current threat landscape, which continues to pose significant risks to all industries—especially healthcare.
4 Opportunities for Improvement
Overall, we feel the Resource Guide is well-suited for assessing compliance with the HIPAA Security Rule and addresses requirements within the rule. The sample questions contained within the Guide are a beneficial resource for determining how best to assess implementation of HIPAA Security Rule requirements.
The ability to leverage the mapping to the NIST CSF is a great benefit for setting a minimum level of compliance that is accepted by the industry and by health organization management. Coupling the NIST CSF with the HIPAA Security Rule creates the opportunity to bring best practices to compliance assessment and remediation, which ultimately increases confidence in the process.
We offered the following recommendations:
- Tiered security approach. Assessing a healthcare organization with a less mature security program presents challenges in following some content within the Guide. A tiered security approach that differentiates maturity of an organization would be useful, as would assessment guidelines for various types of organizations, based on probability and impact.
- Need for ePHI inventory. A requirement for organizations to maintain an inventory of authorized IT assets and applications that store, process, transmit, or interact with ePHI data would be beneficial in addressing a common challenge assessors face when defining the scope of a compliance assessment. Many healthcare organizations do not have a comprehensive inventory of systems or IT assets that store, process, transmit, or interact with healthcare confidential information such as ePHI. This guidance would form the scope for any security assessment, allowing organizations to properly define compliance scope within their IT environments.
- Organizational security program prioritization. Lack of organizational support and/or funding of security initiatives is often the root cause for security program immaturity and related security risks. We suggest additional guidance on the minimum size of an organization’s security apparatus based on the number of supported users in the organization. A self-assessment tool or similar resources can help more immature organizations recognize and quantify the type of security structure they need to maintain security and compliance.
- Common security protocols. A list of the top security protocols that present the greatest risk, relevant to every organization regardless of maturity, would help organizations bring their most mission-critical systems into compliance first, followed by an assessment of the organization's overall security program maturity level. More guidance on security based on organization type (single hospital, small health system, larger health system) would also be useful.
Our Commitment to You
Fortified undergoes annual risk assessments, both HIPAA and NIST, and we use them in an amalgamated way to examine our policies, processes, procedures, and technical security controls. We perform annual risk assessments against our formal security policies and document and publish them as part of our overall governance and compliance program. Although we do not store, process, transmit, or interact with ePHI, we demonstrate compliance against both the HIPAA Security Rule and the NIST CSF.
We are dedicated to helping our healthcare providers, payers, and business associates protect their patient data with a variety of purpose-built services to evaluate their unique risk profile, strengthen their cybersecurity posture, and improve security operations. We focus solely on the healthcare market, with purpose-built strategies in three main categories: Advisory Services, Healthcare Security Operations Center (SOC) Services, and Threat Assessment & Intelligence Services.
Security is in our name, and we remain committed to providing the highest service levels to our healthcare clients.