A CISO’s most valuable tool, apart from their team, is their security program: the policies and procedures that govern how an organization protects its information, computer systems, and other assets. Potential threats are always looming, and the possibility of a breach by an attacker, theft of information, or a system outage is always at the forefront of a CISO’s mind.
The role of a CISO is about more than leading a team to develop strategies that prevent and mitigate threats. Legal compliance is also part of the job. In healthcare, for instance, CISOs must take HIPAA requirements into account in order to protect patient information and stay within the letter of the law. Here are the important things every healthcare CISO should know about the ins and outs of HIPAA.
What organizations must be HIPAA compliant?
HIPAA’s information security requirements extend well beyond doctors’ offices and hospitals. Any organization that creates, receives, maintains, or transmits protected health information (PHI) must be HIPAA-compliant. Beyond healthcare providers such as doctors, hospitals, dentists, optometrists, pharmacies, and nursing homes, this includes a wide variety of other organizations.
Health plans (insurers, HMOs, employer-sponsored plans, and government programs such as Medicare and Medicaid) must follow the HIPAA Privacy and Security Rules. Healthcare clearinghouses, which process non-standard health information into standard formats, are also covered entities. In addition, any vendors or subcontractors that work with these organizations and have access to PHI, known under HIPAA as business associates, must also comply with the applicable HIPAA rules.
How must PHI be protected?
A chief information security officer is responsible for ensuring that their organization develops and carries out the procedures and programs needed to protect PHI. The organization is also responsible for documenting the procedures it has implemented and retaining that documentation, so that it can provide evidence of compliance during a HIPAA audit or investigation.
HIPAA governs PHI protection in several specific areas, including organizational requirements, security standards for the protection of electronic PHI (ePHI), notification in case of a breach, and the privacy of individually identifiable health information.
Start with a checklist approach
When an organization is new to applying HIPAA guidance, starting with a checklist-based approach is an efficient way to learn the fundamentals and decide where to begin. There are many HIPAA starter checklists available, but it is up to the CISO to find and interpret them and to work with the organization to establish a way forward. Once a checklist is agreed upon, the CISO should review its requirements and develop an approach that enables the organization to achieve and maintain compliance. A good checklist will cover the standards of the HIPAA Security Rule, which sets out the administrative, physical, and technical safeguards needed to protect ePHI both within the organization’s systems and while it is being transmitted to a third party. It will also cover the HIPAA Privacy Rule, which details when and how PHI may be used and disclosed, along with procedures for the Breach Notification Rule and the Enforcement Rule, among others. The most important item on any HIPAA checklist, however, is the implementation of a security risk management program.
Mature to a risk-based approach
At the core of HIPAA guidance is the direction that an organization use a risk-based approach when deciding how to adequately protect PHI. So start with a checklist to get acquainted with how to move forward, but then ensure that you implement a security risk management program to get you over the finish line. In many instances this will save you time: the Security Rule’s implementation specifications are either “required” or “addressable,” and a documented risk analysis is the accepted way to demonstrate whether an addressable safeguard is needed and how extensive its implementation should be. Note that addressable does not mean optional. If a risk analysis concludes that a specification is not reasonable and appropriate for your environment, you must document why and implement an equivalent alternative measure where one is reasonable and appropriate.
Employees and third parties
Each organization covered by HIPAA requirements must ensure that its employees follow the proper procedures in order to avoid a breach. It is also the covered organization’s responsibility to make certain that all third parties it works with (subcontractors and vendors, for instance) that have access to PHI are HIPAA-compliant. This obligation must be documented in writing, typically through a business associate agreement that spells out the permitted uses of PHI and the safeguards and breach-reporting duties the third party takes on.
It is the healthcare organization’s responsibility to be certain that all of its employees and third-party connections are maintaining and documenting procedures that comply with the various HIPAA requirements. At the end of the day, however, it is the organization’s CISO who is ultimately responsible for developing the strategy and implementing the education and training necessary to make all of this happen.