Why Healthcare Privacy and Security Matter
Cybersecurity in healthcare is not just a technical necessity or a business consideration. It’s a moral obligation. Healthcare organizations (as well as other stakeholders such as regulators) have a moral obligation to protect patient data because breaches often endanger human lives. We’re talking about real people. Real lives. When healthcare operations are disrupted, patient care is directly affected. Security incidents can immediately restrict access to critical systems and information necessary for the continuity of care, such as access to medical records. When systems are down, operations often shift to manual processes, creating inefficiencies. For patients with severe ailments, for example, this could be the difference between life and death. Given the dire consequences, cybersecurity in healthcare is mission-critical.
A recent cybersecurity incident, the Ascension breach,[1] is a prime example where long outages caused extended care disruptions; ambulances were diverted, medical procedures were delayed (particularly with elective procedures), appointments were delayed and canceled, and Electronic Health Record (EHR) systems like MyChart were taken offline. In some instances, the incident required emergency medical care to be redirected to other facilities, straining acute care services and overall capacity. This incident underscores the direct and significant impact of cyber attacks on human health and livelihood. Often, we think of corporations as the victims of cyber attacks, but this serves as a reminder that there are tangible repercussions for real people.
This Article discusses core aspects of healthcare privacy and security, emphasizing the importance of protecting sensitive health information in an increasingly digital healthcare landscape. It begins by examining the ethical, financial, and operational impacts of cyber attacks within the healthcare sector. In doing so, it stresses the urgent need for proactive cybersecurity measures. It recommends fostering a cybersecurity-conscious culture within healthcare organizations. Organizational culture is essential for establishing an environment where strong cybersecurity practices are prioritized. With a solid cultural foundation, healthcare organizations can effectively implement administrative, procedural, and technical privacy and security compliance solutions.
This Article frames the discussion regarding solutions within the Governance, Risk, and Compliance (GRC) framework, which guides the effective development and management of a healthcare cybersecurity program. It endorses an organization-wide collaborative approach to developing and sustaining a resilient cybersecurity posture. Specifically, the Governance Section explores how healthcare organizations can establish clear and effective structures and guidelines informed by various compliance obligations and strategic objectives. The Risk Section encompasses risk management, risk assessment, and risk mitigation, focusing on conducting a comprehensive security risk assessment to identify, manage, and mitigate potential or actual threats. The Compliance Section outlines the execution of the governance components and risk tolerance. This Article closes out with a forward-looking lens, which proves skeptical but hopeful.
Risky Business
As if human lives are not enough to justify a need for robust cybersecurity measures, let’s explore additional costs. Business losses of this magnitude can put a business under. A fundamental risk analysis looks at the overall impact and likelihood of a given risk actualizing. By that token, we’re talkin’…riskaayyy business. Let’s start with the impact.
Impact: Costs Beyond Patient Care
Healthcare organizations incur significant financial costs following a security breach. These include financial losses from disrupted operations, potential ransom payments, remediation efforts including legal costs (e.g., patient lawsuits and settlements with the government), reputation damage, and patient distrust. For example, in the recent Change Healthcare incident,[2] United Healthcare (Change Healthcare’s parent company) estimates mitigating the damage could cost up to $1.6 billion. And that doesn’t include the $22 million as ransom that Change Healthcare paid to BlackCat, the ransomware group responsible for the attack.
Prevalence of Cyber Attacks: A Question of “When” Not “If”
Let’s turn to the likelihood. Objective data shows how prevalent and large-scale cyber attacks in healthcare are. And the numbers are only going up. You may have heard this before once or twice or one too many times…it’s a question of when, not if. It’s only a matter of time before your organization faces one. U.S. Department of Health and Human Services (HHS) tracks large data breaches through its Office for Civil Rights (OCR), whose data shows a 93% increase in large breaches reported from 2018 to 2022 (369 to 712), with a 278% increase in large breaches reported to OCR involving ransomware from 2018 to 2022.[3] Why does the healthcare industry experience such a disproportionately large number of cyber attacks? Let’s break it down.
First, the COVID-19 pandemic accelerated healthcare organizations’ digital transformation initiatives. Healthcare organizations have considerably increased their investments in automation technologies and migrated their IT systems and applications to the cloud to increase operational efficiency and lower costs. This upside comes with a security downside. Generally, more digitalization means more risk. Second, remote work dramatically increased with the advent of COVID-19, so from a security perspective, it’s no longer just about the “four walls.” This is for both workforce members doing their jobs and patients receiving care (i.e., telehealth).
Third, healthcare organizations are data-rich entities. Protected Health Information (PHI)[4] is thought to be worth roughly 50 times as much as credit card numbers, for example.[5] Fourth, the attack surface is ginormous. Imagine having to hit a target the size of which makes it nearly impossible to miss. With a target the size of the black hole, my golf game would be off the charts despite my objectively questionable swing. But I’m working on it. Okay…if a seamless golf tangent could survive a U.S. presidential debate,[6] there’s no reason why it should be criticized here. Anyway, going back to the point, the attack surface is significant because there are countless vectors for exploitation by cybercriminals, including systems, portals, and networks, all of which are further exacerbated by the abundance of third-party relationships and relatively longer retention requirements that are governed by various laws (the question of which laws apply is discussed below in the Governance Section).
A fifth reason for the prevalence of cyber attacks in the healthcare industry is that clinicians are often overwhelmed with critical patient care responsibilities and day-to-day operations. The resulting lack of attention increases the rate of error and exposure to certain attacks, such as phishing. Phishing is a very common entry point for cybercriminals to access credentials and systems. And in cybersecurity, speed kills.
Finally, the investment is not there. The industry generally lacks culture and awareness, so the allocated resources are often inadequate. Interestingly, there is a bit of a disconnect here between what healthcare executives think and what the reality is. According to a recent cyber readiness report from Kroll, healthcare is the industry that’s most likely to self-assess as having “very mature security.” This is somewhat problematic because it appears the folks in charge don’t see the insufficient allocation of resources to their cybersecurity initiatives as an issue. Therefore, the issue persists, because the first step to solving any problem is identifying it as such.
On the flip side, cybercriminals do see all these vulnerabilities, inadequacies, and the importance of operations for healthcare organizations. To make matters worse, adversaries are improving their capabilities through multiple methods across all sectors, including healthcare. Their attacks are faster, smarter, and more organized. And now, with Artificial Intelligence (AI), non-technical hackers are committing much more sophisticated attacks. The truth is that while most threat actors in the healthcare sector do not intend to inflict harm on individuals, a moral obligation won’t stop them. Regardless of their intent, the aftermath of their actions results in significant damage, as discussed above.
A fundamental risk analysis reveals that cyber incidents in healthcare are extremely high risk and should not be taken lightly. The combined degree of impact and likelihood is why healthcare organizations are so vulnerable and why healthcare privacy and security matter.
Cyber Hygiene – Solutions
In healthcare, like in many other industries, security and privacy go hand-in-hand. An effective cybersecurity plan will take both into account. Taylor Lehmann, the CISO at Google Cloud, said it best: confidentiality without security is nothing. How can sensitive data be kept private and confidential if it is unsecured? The goal is to implement a comprehensive program in which security and privacy work in tandem. Let’s take a closer look.
Culture Change Management: Securing a Positive Cybersecurity Culture
It starts with culture. What is cybersecurity culture? It’s an accumulation of “knowledge, beliefs, perceptions, attitudes, assumptions, norms, and values of people [particularly, workforce members in this context] regarding cybersecurity and how they manifest in people’s behavior with information technologies.”[7] Cybersecurity includes IT, information, network, and computer security and general awareness. Cybersecurity is becoming increasingly essential with the upturn in healthcare technologies and devices connected to digital infrastructures with many vulnerabilities. It is increasingly considered to be a concern for patient trust and safety.[8]
I’ve learned working with healthcare organizations that a positive cultural shift at an organization often takes something bad to happen. Only then does leadership realize that the same type of bad thing should be prevented in the future and that the cost of complying is justified. I call this organizational trauma. It’s no different from the basic human behavior we exhibit as kids. Mom says, “Don’t touch the stove. It’s hot.” But for some of us, it takes doing it at least once (perhaps a couple of times for the less evolved ones) before never doing it again. It only becomes real once we’ve personally experienced it. As human beings, we’re anecdotally wired, and to a fault. It’s no different when it comes to organizational behavior. After all, an organization is nothing by itself. It’s merely the sum of all its parts, which are humans. How these humans act together is a collective behavior exhibited as an organization.
But let’s be real. Cybersecurity conversations shouldn’t just happen after a breach exposes sensitive data and interrupts or halts service delivery. The costs are too dire, as discussed above. These conversations should be ongoing. It takes a top-down approach where leadership sets the tone. If the CEO or COO doesn’t take cybersecurity as seriously as they should, neither will the lower-level managers or staff. As a leader charged with compliance, it becomes a difficult but not an impossible task to shift the culture. Culture change management is a key approach by which this shift can occur. It entails strategically aligning stakeholders to get the necessary buy-in for decisions related to a desired position. If cybersecurity is the goal, it involves convincing leadership with statistics, examples of incidents within the industry and the organization, the consequences of noncompliance and breaches, our moral duty to comply, and current enforcement trends and actions.
Healthcare organizations may implement policies and procedures to steer behavior and improve cybersecurity, but merely implementing such policies is insufficient. Workforce members may even find “workarounds” or ways to circumvent security measures. Investing in cybersecurity culture is necessary to prevent workarounds from being exploited, make workforce members more aware and invested in cybersecurity, and improve cybersecurity in healthcare organizations.
A large share of cybersecurity incidents in organizations are attributed to the activities and behavior of staff members. In addition to training (discussed below in detail), an organization's culture strongly influences staff behavior and the choices they make in their work. As such, investing in a security-positive culture will help to lower and prevent security incidents. Organizational culture is influenced by what personnel believe to be the accepted beliefs and values of the organization. As a result, these steer group and individual behavior.[9] Now that there’s a case for why culture matters, let’s dive into how a shift in the positive direction can be made.
The first step is determining the current cybersecurity culture. Before undertaking actions to improve the culture within an organization, it is necessary to analyze the current posture and issues of the organizational culture. While it may seem that human behavior is the primary cause of cybersecurity incidents, it is helpful to determine whether there are underlying causes within organizational processes and requirements that reinforce cyber-risky behavior. Additionally, staff members’ resistance and workarounds to security measures may not always stem from bad intentions but can stem from fear, shame, or busy schedules.
It is best to use multiple sources to assess the current cybersecurity culture. Here are some ways to determine an organization’s culture:
Use surveys, observation, and interviews to assess staff members’ knowledge, beliefs, perceptions, attitudes, assumptions, norms, and values;
Review organizational processes and policies;
Interview management to assess where the core issues lie for their teams;
Use IT security tools, log files, and IT support tickets to determine key issues; and
Employ security testing methods, such as phishing and malware campaigns, to determine workforce member response (more detail below in the training discussion).
Now that there’s a baseline understanding of the current culture, improvement can happen. Keep in mind that organizational culture develops naturally and over time, but there are several ways to support the growth of a cybersecurity-aware and focused culture. Here are some ways:
Physical communication materials (e.g., posters, leaflets, banners) as well as digital materials (e.g., messages on staff portal and emails) in the communication strategy;
Relate to the experience and interests of the target audience in every communication outlet;
Implement training to support the knowledge and skills of workforce members;
Appoint champions in each team who can both advocate for cybersecurity behavior and support team members who need help; and
Support open communication about cybersecurity and address concerns that workforce members raise.
Culture and workforce training are very closely tied together. Values and beliefs are influenced by the knowledge and skills of staff members, so investing in training will support the development of a cybersecurity culture.[10] To successfully implement a cybersecurity-positive culture, focus on creating multi-department teams, as a single person is usually ineffective across an entire organization. Organizational leadership, especially the executive board, should actively support cybersecurity initiatives.[11] As noted above, organizational culture change takes time, so stakeholders should adjust their expectations and allow sufficient time for cybersecurity programs to run. Stakeholders should also explain why specific measures are implemented to increase acceptance. It’s not that workforce members need a deep, technical understanding, but they must grasp the importance of the measures and find the process workable within their respective spaces.
Governance, Risk, and Compliance
Once you’ve got the ball rolling in the right direction with your organization’s culture, it’s time to act by forming and executing a plan. The Governance, Risk, and Compliance (GRC) program is a common framework for achieving this. According to the CHIME Most Wired survey, 70.7% of hospitals leverage GRC systems.[12] Key objectives are to ensure that a cybersecurity program has appropriate oversight, identifies and addresses cyber risks, and complies with all applicable laws and regulations. Its principal functions are to reduce risk and meet all compliance obligations. Implementing a GRC framework includes identifying and complying with applicable laws, regulations, standards, and contractual obligations; developing appropriate policies and controls; establishing organizational oversight and reporting mechanisms; integrating cybersecurity risk management with Enterprise Risk Management (ERM) objectives and methodologies; and using GRC software tools for managing and streamlining all aspects of the GRC framework. An effective GRC framework can help continuously improve identity, application, cloud and network security, anti-ransomware efforts, zero trust, email security, threat intelligence, and third-party risk management.
The three components, governance, risk, and compliance, are inherently interconnected, with considerable overlap between them. They function as a cohesive unit, where each element supports and reinforces the others. A well-executed GRC program is holistic, shifting an organization’s approach from reactive to proactive. Conceptually, governance defines “what” should be in place (i.e., the rules, structures, and policies that guide the organization). Risk involves identifying and quantifying potential threats, much like governance identifies the applicable rules, and it informs how these risks should be managed in alignment with the organization’s strategic objectives and risk tolerance. Compliance, then, is ensuring that these rules and risk management strategies are adhered to and addressing non-compliance through monitoring, auditing, reporting, and corrective actions.
Governance: The “G” in GRC
Governance refers to the structure and rules. It encompasses the laws/regulations, standards, guidance, contractual obligations, policies, procedures, processes, and controls (see my previous article on the Health Insurance Portability and Accountability Act's (HIPAA's) Security Rule for more on these controls) in place to manage and oversee functions like cybersecurity within an organization. It’s the strategy and guardrails for meeting specific requirements of an organization. The overall strategy is informed by an organization’s specific attributes and needs, including its resources and risk profile. Defining the overall strategy requires intricately balancing usability (efficiency of operations) and security.
Governance also means establishing proper internal and external communication channels, including notification and reporting obligations. It entails managing third-party risk and developing an adequate training program for workforce members. It further involves forming a Cyber Security Committee tasked with managing (i.e., implementing and continuously improving) and mitigating (i.e., incident response) cyber risk and exposure, assigning roles and responsibilities, and ensuring transparency and accountability. Additional components of effective governance include cyber insurance, processes regarding audits, risk assessments, enforcement, sanctions, and monitoring of relevant activity such as user access.
LAWS, REGULATIONS, STANDARDS, AND CONTRACTUAL OBLIGATIONS
Laws and regulations (state, federal, and international), industry standards (e.g., NIST), and contractual obligations inform what a cybersecurity program looks like. Let’s call these “Rules.” These Rules are the backbone of an organization’s GRC program. They set the parameters and define the scope of what must or should be in place to comply. The other governance components discussed below, such as establishing roles and responsibilities, developing policies and procedures, and implementing controls, are largely based on these Rules. This Article largely focuses on HIPAA, but remember that even for healthcare organizations, HIPAA is only one consideration. Several other state, federal, and international laws may apply depending on various factors, such as an organization’s location, the nature and scope of its operations, and the type of data it handles.
The first step is to identify compliance requirements. An organization needs to determine which Rules apply at the onset and on an ongoing basis. On the one hand, this entails identifying required compliance frameworks (i.e., laws and regulations) such as the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), General Data Protection Regulation (GDPR), and Federal Trade Commission Act (FTCA).[13] On the other hand, this process includes identifying the required or selected standards to implement, such as those provided by the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), System and Organization Controls (SOC) 1 and 2, the Control Objectives for Information and Related Technology (COBIT), the Cloud Security Alliance (CSA), the Center for Internet Security (CIS), the Payment Card Industry (PCI), and Environmental, Social, and Governance (ESG) standards, among others. Finally, there are contractual obligations with vendors. The growing reliance on third-party vendors and partners for essential services such as data storage and telehealth warrants a strong focus on third-party risk management to ensure that these external entities do not compromise the security and integrity of data (more on third-party risk management below). Note that there is considerable overlap with the Rules. For example, a single risk assessment could potentially conform to both Health Information Trust Alliance Cybersecurity Framework (HITRUST CSF) certification requirements and HIPAA.
Recently, there’s been an emergence of new state privacy laws, some of which are more stringent (i.e., afford more protection to patients) or have a broader scope of what constitutes medical information than PHI under HIPAA. The IAPP Westin Research Center tracks proposed and enacted state privacy bills nationwide, compiling this information into a map and detailed chart of key legislative provisions to keep interested parties informed of the rapidly evolving privacy landscape. An organization operating in several states may need to comply with various data privacy and security laws in addition to applicable federal and international laws. For example, there are laws and regulations regarding patient data retention mandated by HIPAA. However, many states have their own patient data retention requirements as well. On top of that, trade associations have recommended retention schedules broken up by different categories of patient data. As you can see, developing and operationalizing Rules such as retention policies and procedures requires weighing several factors.
One recent consideration for healthcare organizations is OCR’s updated guidance on website disclosures as of March 18, 2024. The guidance is an update to OCR’s prior 2022 guidance on the uses of tracking technologies by regulated entities. OCR clarifies that the purpose of a person's website visit determines whether the information is PHI. But how helpful is this if organizations don’t have a way to determine the intent of each visitor?
The final HIPAA Privacy Rule was established over 23 years ago. Since then, an IP address has come to be treated as a patient identifier. The 2022 guidance clarified that an IP address or any other “unique identifying code” is PHI. It assumed that anyone visiting a covered healthcare provider’s website is or could be a patient. This assumption drew criticism. The revised guidance acknowledges that “the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a website addressing specific health conditions or listing healthcare providers is not a sufficient combination of information to constitute [individually identifiable health information] if the visit to the webpage is not related to an individual’s past, present, or future health, healthcare, or payment for healthcare.” However, the guidance does not address how entities can or should determine the visitor’s intent. It does, though, provide some examples where website visits may or may not disclose PHI depending on the visitor’s purpose. For example, visiting a hospital’s career webpage or hours of operation does not involve disclosure of PHI.
On the other hand, disclosing the IP address of a visitor on a cardiology-related webpage in connection with seeking a second opinion would involve a disclosure of PHI. While these examples are somewhat helpful, how can a regulated entity implement a reliable way to assess the intent of each visitor to each webpage? Not an easy task.
The guidance also suggests ways for regulated entities to handle situations where tracking tool vendors are unwilling to sign Business Associate Agreements (BAAs) with regulated entities. One option is to use a Customer Data Platform vendor to de-identify PHI and provide only such data to the tracking technology vendor. The other option is to obtain written authorizations from all individuals whose PHI would be disclosed to a tracking vendor that is a Business Associate (BA). Despite concerns and litigation, OCR is reinforcing its stance and doubling down on HIPAA compliance in investigations involving online tracking technologies.
As you can see, determining which Rules apply varies from organization to organization, and there is a lot of gray area regarding where to place guardrails. But with the right expertise and resources, it can be done. Once an organization has determined which Rules apply, it can create a governance structure that satisfies at least the most pressing requirements.
STRUCTURE, ROLES & RESPONSIBILITIES, POLICIES & PROCEDURES, AND REPORTING
Effective cybersecurity governance in healthcare revolves around establishing a comprehensive framework that includes the formation of a Cyber Security Committee, the clear assignment of roles, the development of robust policies and procedures, and the establishment of effective channels of communication. At the core of this governance structure, the Cyber Security Committee is responsible for managing and mitigating cyber risks. This committee should consist of individuals with appropriate expertise, ideally led by a Chief Information Officer (CIO) or Chief Information Security Officer (CISO) who is provided with adequate resources, including budgetary support.
A key component of this framework is the designation of essential roles, such as a HIPAA Privacy Officer and a Security Officer. The organization should know who these folks are, and descriptions of their job duties should be clearly set out, often in relevant policies. Depending on the organization’s size and needs, separate individuals might fill these roles to ensure that both privacy and security concerns are adequately addressed. Clearly defining each team member's functions, roles, and responsibilities—from maintaining security protocols to managing incident responses and handling external communications—ensures accountability and operational efficiency across the board.
Developing and implementing specific cybersecurity policies is crucial for protecting PHI and other sensitive data related to employees, patients, and vendors. These policies should encompass the entire data lifecycle, including record maintenance, access, destruction, and confidentiality. Additionally, the structure of the Cyber Security Committee, the responsibilities of its members, and the processes they follow should be well-documented within these policies. On top of these policies, a detailed incident response playbook should be created, ensuring that all team members are prepared to act decisively in the event of a security breach.
There should be a process to communicate events and changes to risk. A good practice might be to use a combination of weekly, monthly, and quarterly meetings and reports to communicate such risks across all parts of the risk management process. It is also recommended that a clear and direct reporting structure be established for the board of directors, which is vital for maintaining corporate accountability. Ideally, the security function, led by, for example, a CISO, should have a straightforward communication pathway to the board. This direct line of communication enhances the effectiveness of security measures and ensures that significant developments are promptly reported and addressed. It also communicates the importance of cybersecurity within an organization.
Organizations should implement an escalation process to provide management visibility into high-priority risks. This process should be outlined in the incident response playbook and relevant policies. Establishing a reporting tree and thresholds for each type of incident is often a good approach. Internal reporting should involve all relevant stakeholders, ensuring that any breach or risk is managed comprehensively. It’s advisable to include legal counsel for the benefit of privileged communication and guidance.
Moreover, external communication, particularly in a breach, should be coordinated across teams, including marketing and communications, to maintain transparency and trust with patients, employees, and vendors and comply with applicable laws and regulations. This also means making sure applicable authorities are notified when required. Cross-functional communication is also essential for effective routine cybersecurity governance. Collaboration between departments, especially IT, legal, compliance, HR, and operations, ensures that all aspects of cybersecurity are covered, from technical controls and physical safeguards to administrative functions, creating a unified approach to managing, assessing, and mitigating risks. Reporting should be automated to the extent possible. Note that doing the reporting is part of “Compliance” in a GRC framework. However, the parameters of doing so fall within governance and, thus, are discussed in this section.
By integrating these components—committee formation, assigned roles and responsibilities, and robust processes such as for reporting/communication channels—healthcare organizations can establish a strong governance framework that complies with regulatory requirements and actively minimizes cybersecurity risks.
Micro-Segmentation
One way to further strengthen security for healthcare organizations is through micro-segmentation. Micro-segmentation involves separating networks into different zones and applying security controls to each segment. This approach can effectively prevent cybercriminals from infiltrating an organization’s entire system. By compartmentalizing network segments, micro-segmentation increases protection by ensuring that even if a hacker infiltrates one area of the network, they cannot use that access to move laterally within the organization and reach deeper into its systems and data. This containment strategy significantly reduces the risk of a full-scale breach and helps to protect sensitive healthcare information from unauthorized access.
Zero Trust
A strong cybersecurity framework involves not only the implementation of various administrative, technical, and physical controls but also the adoption of a comprehensive security strategy such as the Zero Trust model. The Zero Trust model is a cybersecurity approach that assumes that threats could come from inside or outside the network, and thus, no user or device should be trusted by default. This model operates on the principle that every request to access the organization’s systems or data must be authenticated and authorized, regardless of origin. Zero Trust comprises three critical steps:
1. Mapping Out Critical Systems, Applications, and Data: Begin by identifying the most critical assets within the organization that require protection. This involves mapping out systems, applications, and sensitive data vital to the organization. By understanding what needs protection, appropriate security measures can be applied.
2. Assessing the Organization’s Zero Trust Maturity: Evaluate where the organization currently stands within the Zero Trust Maturity Model. This assessment helps identify gaps in existing defenses and provides a roadmap for enhancing the security strategy over time.
3. Strengthening Priority Pillars: Focus on building and strengthening the priority pillars of the Zero Trust architecture, such as identity security, application security, network segmentation, and access controls. Reinforcing these areas can significantly reduce the risk of unauthorized access and improve the organization's overall cybersecurity posture.
TRAINING
Training is a foundational part of an effective cybersecurity function, particularly in the healthcare sector, where the protection of sensitive data is no joke. With adequate training policies and procedures, organizations can mitigate some of the avoidable vulnerabilities that arise from the human element. While this section focuses on HIPAA-specific requirements, it's important to note that the principles and practices discussed here are largely relevant to any organization dealing with sensitive data. Also, note that training is discussed in this section because it’s approached from a process standpoint. The part of doing the training and making sure it’s good enough is a compliance function.
A robust training program for workforce members requires that appropriate procedures, policies, controls, and safeguards are effectively implemented. Workforce members must be well-versed in data privacy and security and understand protocols related to their specific roles, including the processes around accessing and securely handling sensitive data. This could be for internal purposes such as performing daily functions, including billing or auditing, or it may involve dealing with third parties when authorizing access to PHI, for example. Workforce members must understand these protocols to maintain compliance and protect the organization’s integrity. For healthcare organizations, this also includes policies and procedures covering patient rights, such as accessing, amending, and obtaining an accounting of disclosures for PHI. Specialized departments, like Health Information Management (HIM) teams, are often tasked with securely handling these functions.
Where to start? Before developing and implementing any training programs, conducting a Training Needs Assessment (TNA) is essential.[14] This assessment identifies the organization's specific needs, ensuring that the chosen training content and methods are relevant and practical. This process should be conducted periodically to ensure that training efforts align with the organization's overall strategy. Key components of a TNA include defining the business need, conducting a gap analysis to identify knowledge and skills deficiencies, analyzing participant needs, evaluating training options, and establishing metrics to assess the effectiveness of the training. In addition to other training for healthcare organizations, this includes conducting routine HIPAA training for workforce members at least during orientation and then annually. Legal counsel should routinely review and update training materials to comply with regulatory changes and updates.
Awareness of phishing and social engineering attacks is critical to cybersecurity training. They are amongst the most common methods used by cybercriminals to exploit vulnerabilities. These attacks are regularly conducted via email, which is often used by most, if not all, workforce members within an organization. At a minimum, organizations should train workforce members on what phishing is and how to identify and report any attempts. Slowing down can make all the difference in becoming a victim or spotting an attack. If an email seems strange or unexpected or urges you to act quickly in a way that violates standard procedures, think twice. Communicating any suspicious activity helps to prevent breaches.
It is vital to communicate to workforce members how personal information will be requested and to establish that following up in person is recommended (or required) when, for example, a request for personal information has been received. While email is the standard phishing method, phone calls and texting can also be used to collect information. Taking a moment to think before acting on a request may make all the difference.
With a company-wide understanding, regular phishing simulation tests should be integrated into the organization's training strategy. These tests, which simulate real-world phishing attacks, are akin to practicing. With practice, workforce members become more proficient in recognizing and responding to such threats, and organizations can assess and improve their programs accordingly. Organizations should retain statistics from these phishing tests to continuously improve their cybersecurity posture. This data can help identify recurring issues and areas for improvement, increasing overall awareness and accountability among staff.
Following each phishing test, participants should receive feedback so they know whether they passed or failed. This process can be automated using various tools such as Microsoft Outlook add-ons or those offered by companies like CrowdStrike. Think of this as basic conditioning, essentially how all organisms learn. Boiling it down to biological terms, it’s giving a treat for good behavior and nothing (neutral) or something bad (negative) for bad behavior. We’re talkin’ carrots and sticks. Over time, this consistent reinforcement leads to overall improvement across an organization. For example, workforce members who repeatedly fail these tests should receive additional training (document and retain for compliance purposes) or other remediation to address their weaknesses. Organizations can opt for alternative forms of “sticks” or have a more nuanced approach depending on various factors unique to each organization. On the flip side, rewarding individuals or teams who excel in phishing tests can reinforce good practices across the organization. This could be recognition in organization-wide meetings/newsletters or a small appreciation such as a gift card for the department(s) with the highest success rate of identifying and reporting phishing threats over some period. “Carrots” also encourage a positive cybersecurity culture.
Staff should be regularly trained on things like discussing or accessing patient information, locking their computers when not in use, and following all other workplace rules. Workforce members’ access, use, or disclosure of sensitive data such as PHI should be appropriately restricted based on their roles until such security/privacy training is completed. Workforce members should receive security reminders periodically and as needed, covering topics such as protecting workstations and sensitive data (e.g., PHI) from unauthorized access, safeguarding passwords, and recognizing malicious software and virus alerts. These reminders can be communicated in several ways, including via email, meetings, postings, or newsletters. Organizations should implement other important procedures such as avoiding suspicious websites or links, updating software when necessary, and making sure only to use approved technologies (such as known USB devices or hard drives). Each remote device in the network is essentially another gateway, another potential access point for an attacker.
An effective governance program must have ample reporting mechanisms in place to ensure compliance. Organizations should train workforce members to identify and report certain occurrences, including slow access to hosts on the internet, as well as any other suspicious behavior on their workstations or the physical premises of where they’re working. To promote a healthy compliance environment, it’s advisable to implement an anonymous reporting mechanism that staff could use to report potential or actual incidents. All workforce members should know the designated communication channels. This will, among other things, ensure that adequate reporting procedures are in place for when something seems suspect or out of the ordinary. To protect an organization, it takes every workforce member. It’s not the sole responsibility of leadership. We’re talkin’ boots on the ground.
Organizations should emphasize the possible consequences for a training program to be effective. Failing to adhere to training requirements should subject any workforce member to disciplinary action. Monitoring whether these requirements are met and imposing sanctions where appropriate are compliance functions as discussed in the Compliance Section below. The governance part is having the policies and procedures in place. Many organizations implement a tiered sanction approach, where the severity of the disciplinary action—ranging from warnings to termination—depends on the nature of the violation. This approach underscores the critical importance of maintaining rigorous data security practices.
It should be noted that having training that is not mandatory (i.e., there are no consequences for not completing it) is entirely ineffective. Everyone has limited time and a million things to do at work, so they will put training off unless it’s mandatory. Certain laws, such as HIPAA, also require these sanctions.
Once the training programs are implemented, continuous assessments and improvements are necessary. By focusing on HIPAA-specific requirements and general cybersecurity training, healthcare organizations—and any organization dealing with sensitive data—can create a resilient workforce capable of mitigating risks and safeguarding critical information.
THIRD-PARTY MANAGEMENT
Effective third-party risk management is essential for maintaining strong cybersecurity governance, particularly in healthcare organizations that rely heavily on external vendors, including for data storage and processing services. The complexity of healthcare data and the increasing number of third-party relationships demand stringent oversight to ensure that vendors adhere to the highest privacy and security standards. Organizations often underestimate the negative consequences of a third-party vendor breach.
The third-party management process involves overseeing the entire lifecycle of a vendor relationship, from initial vetting to the sunset phase when the relationship ends. This process should be integrated into the internal contract review process, ensuring that all engagements with third-party vendors are thoroughly vetted from the onset. This integration ensures that any party seeking to engage a particular vendor adheres to a well-established process. Organizations should designate a responsible person or group to manage third-party relationships. One goal is to limit vendor data to the least amount necessary. Give them access to only what they need, not everything. Another goal is to only do business with vendors with a good enough security posture so that it’s not reckless to engage them. Finally, it’s key to have an ongoing process with audits and oversight.
Initial Legal Determination and Vendor Vetting
The process begins with legal counsel determining whether a Business Associate Agreement (BAA) is necessary. This agreement is crucial when a vendor will access PHI. Where a BAA is appropriate, it should clearly delineate the parties’ respective responsibilities, including related costs, in the event of a breach affecting patient information. Entities may also seek vendor indemnification for breaches of unsecured PHI or broader HIPAA violations. It’s vital to carefully consider any limitation of liability provisions in service agreements or BAAs that could affect the entity’s right to seek indemnification. Additionally, compelling vendors to maintain cyber liability insurance can help cover breaches that could trigger liability for the healthcare entity.
Given OCR's lack of distinct guidance on what constitutes an agency relationship, Covered Entities (CEs) and BAs must be aware of the potential for increased risk exposure due to their BA's acts or omissions. Therefore, entities may wish to reconsider the terms of their vendor agreements, such as the degree of control the entity maintains over the vendor’s obligations, to avoid a determination of agency where feasible.
After establishing the need for a BAA, the next step is thorough vendor vetting. There should be an established process for doing this. The big picture goal here is to determine whether the value of the third-party engagement (i.e., provision of services) is worth the risk at the outset. This vetting process involves assessing the vendor’s policies, procedures, and safeguards to ensure they meet the organization’s standards for privacy and security.
Given the challenges of conducting direct audits, such as a lack of expertise or resources, many healthcare organizations implement a self-audit protocol. Think of it as having vendors complete a standard form assessing their cybersecurity posture. Vendors would be asked to provide detailed information about their privacy and security measures during this process. This might include structured questionnaires or assessments that cover key areas such as personnel and subcontractor screening, employee training on compliance issues, privacy and security measures, and the vendor’s compliance history. To implement this effectively, healthcare organizations should assign individuals with contracting authority to request the self-audit, identify teams to review the reports, and train relevant personnel on the tools and information requests used in the process. It might also be a good idea to ask vendors to self-certify the accuracy of the information provided during the self-audit. This added layer of accountability ensures vendors take the process seriously.
Another option is to obtain a certification, audit report, or attestation of compliance by engaging a third-party, independent auditor. Organizations should consider engaging third-party risk management auditors like CyberGRX and CyberVadis.
Ongoing Oversight
Once a vendor has been vetted and engaged, the relationship enters a critical phase of routine monitoring. Continuous monitoring is essential to ensure the vendor remains compliant with the BAA and other relevant agreements. This involves regular audits, reviewing the vendor’s practices, and responding swiftly to any incidents. Given the heightened level of oversight required by OCR and the increasing cyber threats targeting the healthcare industry, healthcare organizations should prioritize certain vendors based on factors like the amount of PHI they access, the criticality of their functions, and any known deficiencies in their security program.
Healthcare organizations should integrate vendor oversight into their overall HIPAA compliance plan. For example, the HIPAA Security Rule requires entities to implement access controls to ensure that only authorized users are permitted access to systems containing PHI and to regularly review information system activity, such as audit logs and access reports. Vendor risk management should be incorporated into these practices. Before contracting with a vendor that will have access to a medium containing PHI, CEs should consider how their authentication controls and system activity reports can be extended to the vendor. It’s important to determine whether the CE will be able to track the vendor’s access to and use of the system. If the vendor maintains its own server or network containing the CE’s PHI, the CE should request and review the vendor’s access reports and audit logs. Integrating vendors into the compliance plan helps identify and mitigate risk factors associated with vendor operations.
Transparency in reporting data breaches is critical when working with third-party vendors. Every vendor agreement should clearly outline immediate notification of cyber events. Importantly, a CE that becomes aware of a BA’s breach of HIPAA obligations but fails to take corrective action, such as ending the breach or terminating the contract, if necessary, could be in violation of HIPAA. OCR may impose penalties if it’s revealed that the CE was aware or should have been aware of deficiencies in a vendor’s cybersecurity practices but continued using that vendor for PHI functions.
As discussed, some healthcare organizations may require vendors to provide written attestations regarding their security programs or to sign separate security compliance agreements. Others adopt more stringent measures, including on-site reviews and periodic (e.g., annual) attestations/assurances. Either way, third-party vendors are important to every organization’s risk profile. They should be treated with the same seriousness and scrutiny as internal operations.
The Sunset Phase
The sunset phase occurs when the relationship with a third-party vendor is ending. This phase is as crucial as initial vetting and monitoring. Upon termination, the healthcare organization should ensure that all PHI or other sensitive data is either returned or destroyed according to applicable laws and regulations and as outlined in the BAA. The HIPAA Security Rule requires that CEs implement policies and procedures to address the final disposal of electronic PHI and the hardware or electronic media on which it is stored.[15] One recommended approach is clearing PHI—using software or hardware to overwrite media with non-sensitive data. When permanently deleting files from your network, remember to address all backups, including those stored on the cloud, servers, and off-site. It’s good practice to obtain a certificate of destruction or other assurances that the data has been appropriately destroyed or returned. The sunset phase should include a formal review to confirm that the vendor has complied with all requirements, mitigating the risk of data breaches or unauthorized access after the relationship ends.
Leveraging Vendor Relationships in Crises
At the end of the day, let’s not forget that this, too, involves maintaining good relationships. Vendor relationships can be particularly valuable during crises, such as ransomware attacks. When a hospital’s EHR system is compromised, for example, the vendor’s systems may contain the only accessible records of upcoming patient appointments, procedures, and other critical healthcare activities. Having strong communication channels and rapport with vendors is key in such situations. Vendors should be prepared to assist with data extraction to ensure continuity of care.
While the process described above is critical for managing relationships involving PHI, healthcare organizations must also consider the privacy and protection of other types of sensitive data. A similar vetting process should be in place for any third-party vendor relationship that involves sensitive data other than PHI. Although the overall process would be very similar, it may involve certain differences, such as establishing non-disclosure agreements (NDAs) or other contractual obligations to protect sensitive information sufficiently.
Healthcare organizations should manage third-party risks with the same level of seriousness as their own internal operations. A well-established and comprehensive third-party management process should include initial vetting, routine monitoring, incident response, and a structured sunset phase. Vendors’ compliance with privacy and security standards ultimately affects healthcare organizations' overall privacy and security posture.
CONTROLS & SAFEGUARDS
Implementing robust cybersecurity controls and safeguards is critical for healthcare organizations to protect sensitive patient information and maintain compliance with regulatory requirements like HIPAA. Refer to my previous article for more detailed information on the Security Rule's administrative and technical safeguards. These measures are designed to manage the flow of data throughout all its phases, including access, storage (data at rest), transmission, and processing. Each phase of data management presents unique security challenges, making it essential to establish comprehensive controls that address the confidentiality, integrity, and availability of sensitive data. Managing access controls in-house lessens the risk that patient data will be inadvertently (or purposefully) altered or destroyed. It also ensures accountability by minimizing doubt as to who was accessing what and when.
These controls should be clearly defined and captured in accompanying policies that guide the organization’s approach to securing data and systems. While this discussion focuses on the practical implementation of these controls, it is essential to remember that these measures should be tailored to the organization's needs. This includes standard practices such as using multi-factor authentication (MFA), encryption, Virtual Private Networks (VPNs), and securing endpoints. It should be noted that these controls alone are inadequate. They require accompanying policies and procedures, and the organization must ensure those are actually followed. This includes no password/account sharing, avoiding public Wi-Fi, and restarting computers for necessary security updates. Let's discuss a few of the big ones.
Multi-Factor Authentication
One of the most effective measures to prevent unauthorized access is MFA (Multi-Factor Authentication). MFA requires users to provide two out of three independent methods of authentication—something you know (like a password), something you have (like a security token or cell phone), or something you are (like a fingerprint or iris scan)—to gain access to systems containing PHI. Implementing this control significantly reduces the risk of breaches by ensuring that even if one credential is compromised, additional layers of security remain intact.
While MFA might seem like a pain in the butt, especially in the healthcare setting where efficiency is critical, it’s a small trade-off for the substantial security benefits it provides. To maximize protection, MFA should be enabled for every account, including privileged accounts, remote access systems, and all SaaS (Software as a Service) solutions, as well as corporate communications platforms. Moreover, IT Help Desk employees must be trained to recognize and mitigate MFA vulnerabilities, ensuring that MFA bypasses are never allowed, even when requested by users calling the Help Desk.
Encryption of PHI
Encryption is a cornerstone of data protection, particularly for PHI (for a more detailed discussion of HIPAA's provisions, refer to my previous article). Healthcare organizations must implement mechanisms to encrypt and decrypt maintained PHI. By using strong encryption standards, such as AES-256, healthcare providers can ensure that data remains secure, even if intercepted by unauthorized parties. This safeguard is crucial for protecting the confidentiality and integrity of sensitive information.
Email is a common vector for data breaches in healthcare. HIPAA requires the implementation of a mechanism to encrypt PHI transmitted over an electronic communications network whenever deemed appropriate. Healthcare organizations should utilize secure email services or patient portals to communicate sensitive information, avoiding unencrypted email services. Additionally, email disclaimers should remind recipients of their responsibility to protect the information. However, simply shifting the blame from the sender to the unintended recipient is insufficient. Standard email encryption policies and procedures should be in place to protect patient data by rendering it unreadable until it’s “unlocked” using a decryption key. This process should be automated to the extent possible.
Wireless networks in healthcare facilities must be secured with strong encryption protocols, such as WPA2, and guest networks should be isolated from internal networks to prevent unauthorized access. Workforce members should refrain from using public Wi-Fi. Regular scans for rogue access points and unauthorized devices should be conducted to ensure that only authorized devices can connect to the network. In addition to protecting wireless networks, VPNs should be used to create a secure and encrypted connection over less secure networks such as the Internet. Using a VPN hides your IP address and encrypts your internet traffic to protect online privacy and security.
Firewalls and Network Segmentation
Firewalls act as the first line of defense against unauthorized access to healthcare networks. These systems monitor incoming and outgoing traffic and can be configured to block potentially harmful data based on predefined security rules. In addition to firewalls, network segmentation is vital, particularly for isolating critical systems like EHR databases. By segmenting networks, healthcare organizations can reduce the risk of attackers moving laterally within the system after gaining initial access. It makes sense to strategically focus efforts on the highest-risk assets as determined by an organization’s security risk assessment (discussed in detail below).
Role-Based Access Control
HIPAA requires healthcare organizations to implement Role-based Access Control (RBAC) systems.[16] RBAC limits access to critical data such as PHI and other sensitive systems and networks based on the specific roles and responsibilities of users. This practice ensures that only those with a legitimate need to access certain data can do so, minimizing the risk of potential threats. Maintaining an up-to-date list of roles and the necessary access levels for each is essential for enforcing these controls.
Under the HIPAA Privacy Rule, the use or disclosure of PHI in connection with payment or healthcare operations must be limited to the minimum amount necessary to accomplish the purpose of the intended use or disclosure. This is referred to as the “minimum necessary” standard.[17] CEs must make reasonable efforts to limit such access to PHI. This means that even within an institutional healthcare provider, PHI access should be limited to those having a “need” to know the information. For example, if there isn’t a need to disclose an entire file or patient record–the disclosure should be limited to the portions that need to be disclosed.
However, the “minimum necessary” standard does not apply where the use or disclosure is for treatment purposes. One underlying goal of this exception is to facilitate collaboration among medical professionals and ensure the patient receives the best possible care. So, suppose a CE or BA discloses PHI to another provider involved in the patient's care or uses it internally for other treatment purposes. In that case, HIPAA allows full disclosure to promote the patient's safety and care.
Access controls are a critical part of an organization’s security posture. Limiting access in an appropriate manner goes a long way in mitigating at least some potential risks. The more a workforce member can access, the greater the liability that person poses in the event of a compromise. Restricting and auditing access controls do not make organizations immune to phishing attacks, but these controls limit the impact if and when an attack surfaces.
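To make the RBAC and “minimum necessary” discussion concrete, the following is an added example (not the article’s own code) that returns only the fields a role needs for a given purpose, applies the treatment exception for treating roles, and includes a review check that flags any non-treatment grant covering the entire record. The roles, purposes, field names and sample record are constructed assumptions, not any real system’s schema.

```python
"""Added example, not from the article: role-based access to a patient record
with the HIPAA "minimum necessary" standard applied per role and purpose, and
the treatment exception under which a treating provider may receive the full
record. Roles, purposes, field names and the sample record are constructed."""
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed sample record: one patient's PHI keyed by field name.
PATIENT_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "date_of_birth": "1980-01-01",
    "insurance_id": "INS-12345",
    "diagnosis": "Type 2 diabetes",
    "medications": ["metformin"],
    "clinical_notes": "Follow-up in 3 months.",
}

# The "up-to-date list of roles and the necessary access levels for each":
# for every (role, purpose) pair, the fields that are the minimum necessary.
# Treatment is deliberately absent: the minimum-necessary standard does not
# apply to it, so it is handled by the treatment exception below.
ROLE_FIELDS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "billing":   {"payment":    frozenset({"patient_id", "name", "insurance_id", "diagnosis"})},
    "scheduler": {"operations": frozenset({"patient_id", "name"})},
    "physician": {},
    "nurse":     {},
}
# Roles involved in the patient's care that may rely on the treatment exception.
TREATMENT_ROLES = frozenset({"physician", "nurse"})


class AccessDenied(Exception):
    """Raised when a role has no access level defined for the requested purpose."""


def disclose(record: dict, role: str, purpose: str) -> dict:
    """Return the portion of `record` that `role` may receive for `purpose`."""
    if purpose == "treatment":
        if role not in TREATMENT_ROLES:
            raise AccessDenied(f"{role} is not a treating role")
        return dict(record)  # treatment exception: full disclosure permitted
    allowed = ROLE_FIELDS.get(role, {}).get(purpose)
    if allowed is None:
        raise AccessDenied(f"{role} has no defined access for purpose '{purpose}'")
    # Minimum necessary: only the listed fields, never the entire file.
    return {k: v for k, v in record.items() if k in allowed}


def over_broad_grants(role_fields: Dict[str, Dict[str, FrozenSet[str]]],
                      record_fields: Iterable[str]) -> List[Tuple[str, str]]:
    """Review check: (role, purpose) pairs granted every field outside treatment.
    Such a grant would make the minimum-necessary limitation meaningless."""
    all_fields = frozenset(record_fields)
    return [(role, purpose)
            for role, purposes in role_fields.items()
            for purpose, fields in purposes.items()
            if fields >= all_fields]
```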
Monitoring and Logging Management
Effective log management is vital for detecting and responding to security incidents. HIPAA mandates that organizations maintain detailed logs of system activities involving PHI.[18] Regularly reviewing these logs helps identify unauthorized access attempts or anomalies that could indicate a breach. Implementing automated log management systems allows healthcare organizations to automatically collect and generate alerts, enabling swift incident response. Logs should be securely stored and protected from tampering, with retention for at least six years to comply with HIPAA requirements.
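As an added example (not the article’s own code), the following reviews constructed PHI access-log lines for the kinds of anomalies a log review looks for (after-hours access by non-clinical roles, actions outside a role, bulk record access) and hash-chains the entries so that later tampering can be detected. The log format, role list, thresholds and sample lines are assumptions for illustration.

```python
"""Added example, not from the article: review of constructed PHI access-log
lines for anomalies, plus a hash chain that makes later tampering detectable.
The log format, roles, thresholds and sample lines are assumptions."""
import hashlib
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines: who accessed which patient's record, and when.
SAMPLE_LOG = """\
2024-05-01T09:02:11Z user=rnorth role=nurse action=view patient=P-0001
2024-05-01T09:05:40Z user=mbill role=billing action=view patient=P-0001
2024-05-01T23:41:03Z user=mbill role=billing action=view patient=P-0002
2024-05-02T10:00:00Z user=sched1 role=scheduler action=view patient=P-0003
2024-05-02T10:00:05Z user=sched1 role=scheduler action=view patient=P-0004
2024-05-02T10:00:09Z user=sched1 role=scheduler action=view patient=P-0005
2024-05-02T10:00:14Z user=sched1 role=scheduler action=view patient=P-0006
2024-05-02T10:00:20Z user=sched1 role=scheduler action=export patient=P-0007
"""

BUSINESS_HOURS = (7, 19)             # non-clinical roles expected 07:00-19:00 UTC
CLINICAL_ROLES = {"nurse", "physician"}  # care is round the clock; no hours rule
BULK_THRESHOLD = 5                   # distinct patients per user per day
ALLOWED_ACTIONS = {"nurse": {"view", "update"}, "physician": {"view", "update"},
                   "billing": {"view"}, "scheduler": {"view"}}


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a tz-aware 'ts'."""
    ts, *pairs = line.split()
    entry = dict(pair.split("=", 1) for pair in pairs)
    entry["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return entry


def review(log_text):
    """Return a list of (rule, user, detail) findings over the log text."""
    findings = []
    per_user_day = defaultdict(set)
    for line in log_text.splitlines():
        e = parse_line(line)
        in_hours = BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]
        if e["role"] not in CLINICAL_ROLES and not in_hours:
            findings.append(("after_hours", e["user"], e["patient"]))
        if e["action"] not in ALLOWED_ACTIONS.get(e["role"], set()):
            findings.append(("action_outside_role", e["user"], e["action"]))
        per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    for (user, day), patients in per_user_day.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append(("bulk_access", user, f"{len(patients)} patients on {day}"))
    return findings


def chain(log_text, seed="constructed-seed"):
    """Hash-chain the lines: each digest covers the previous digest and the line.
    Storing the latest digest off-host lets a reviewer detect edits or deletions."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    chained = []
    for line in log_text.splitlines():
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        chained.append((line, prev))
    return chained


def verify_chain(chained, seed="constructed-seed"):
    """Recompute the chain; return the index of the first mismatch, or -1 if intact."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, (line, digest) in enumerate(chained):
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        if prev != digest:
            return i
    return -1
```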
System Configuration and Hardening
Proper system configuration and hardening are essential to minimize vulnerabilities within healthcare networks. This involves disabling unnecessary services, removing default accounts, and applying the latest security patches to all software and operating systems. Ensure that the IT department is soundly performing regular backups and that system upgrades are conducted when necessary. Hardening systems in this way helps prevent attackers from exploiting known vulnerabilities. Similarly, regular vulnerability scans and penetration tests should be conducted to identify and address any weaknesses. If possible, organizations should automate vulnerability scanning.
These cybersecurity controls and safeguards create a more secure environment for sensitive data, ensuring compliance with the Rules and minimizing cyber risk exposure.
Risk: The “R” in “GRC”
Within the GRC framework, the "R" encompasses the comprehensive management, assessment, and mitigation of risks. These interconnected elements work together to form a unified strategy aimed at safeguarding the organization from existing and emerging threats and vulnerabilities. A thorough risk assessment is a pivotal first step in this process, involving the identification and quantification of potential risks. This serves as the foundation for developing an effective risk management plan. This process aligns the identified risks, such as those related to data privacy and security, with the organization’s risk tolerance. An understanding of the risk that emerges from this process constitutes an organization's risk portfolio. Let's discuss each one in turn.
RISK MANAGEMENT
Risk management feeds directly into governance and compliance efforts. Effective risk management ensures that governance structures are informed by the identified risks. Done properly, risk management informs risk-driven decisions by business leaders and determines the allocation of resources. For organizations embarking on this journey for the first time, the approach will differ significantly compared to those with a baseline risk management function to build upon. The European Union Agency for Cybersecurity (ENISA) defines risk management as "the process of identifying, quantifying, and managing the risks that an organization faces."[19] This process should be continuous, enabling organizations to act on potential or active risks and prioritize which risks to address.
In practice, risk can be addressed both proactively and reactively. Effective risk management seeks to prevent risks before they are actualized by identifying and assessing an organization’s cyber risk exposure, evaluating the potential impact against the organization’s risk tolerance, and formulating a corresponding risk management plan. This typically involves a series of activities such as risk assessments, penetration tests, gap analyses, tabletop exercises, and vulnerability scans, all designed to uncover weaknesses within the environment.
Risk assessments are crucial to any organization's strategy, especially within sectors that handle sensitive data, such as healthcare. The type and nature of risk assessments vary based on what a company does, the types of sensitive data it handles, and the relevant legal and regulatory requirements. In the healthcare sector, one of the most critical but often misunderstood requirements is the HIPAA Security Risk Analysis (SRA). This assessment is not only a cornerstone of risk management but also serves as a vital component of enterprise risk management (ERM), which is becoming increasingly integral in healthcare organizations. The Risk Analysis, as referred to in the HIPAA Security Rule, involves a systematic process that identifies the risks to information system security, determines the probability of occurrence, and evaluates the potential impact for each identified threat and vulnerability pair, given the security controls in place. It further prioritizes these risks and recommends possible actions or controls that could reduce or offset the identified risks. Such assessments are essential for maintaining compliance and safeguarding the confidentiality, integrity, and availability of PHI.
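The following added example (not the article’s own code) carries the analysis just described through in code: each threat/vulnerability pair is scored for probability and impact, reduced by the effectiveness of the control already in place, and then prioritized against a risk tolerance. The 1-5 scales, the pairs, their control-effectiveness values and the tolerance are illustrative assumptions, not figures from any real assessment.

```python
"""Added example, not from the article: a small HIPAA-style risk analysis that
scores constructed threat/vulnerability pairs for PHI given the controls in
place and prioritizes them against a risk tolerance. All scales and figures
are illustrative assumptions."""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class RiskPair:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                # 1 (rare) .. 5 (almost certain), before controls
    impact: int                    # 1 (negligible) .. 5 (severe) to PHI C/I/A
    control_effectiveness: float   # 0.0 (no control in place) .. 1.0 (fully mitigated)

    def residual(self) -> float:
        """Likelihood as reduced by the existing control, times impact."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1-5 scale")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be between 0 and 1")
        return round(self.likelihood * (1.0 - self.control_effectiveness) * self.impact, 2)


# Constructed pairs for a hypothetical covered entity.
SAMPLE_PAIRS = [
    RiskPair("EHR database", "ransomware", "unpatched database server", 5, 5, 0.2),
    RiskPair("remote access gateway", "credential phishing", "MFA not enforced", 5, 4, 0.1),
    RiskPair("clinician laptops", "theft or loss", "device leaves the premises", 3, 5, 0.9),
    RiskPair("guest Wi-Fi", "unauthorized device joins", "guest network not isolated", 4, 3, 0.5),
]


def rank(pairs: List[RiskPair], tolerance: float) -> List[Tuple[RiskPair, float, str]]:
    """Order pairs by residual risk (highest first) and mark each against tolerance.
    Above tolerance: mitigate (add or strengthen a control). Otherwise: accept and monitor."""
    scored = [(p, p.residual()) for p in pairs]
    scored.sort(key=lambda t: t[1], reverse=True)
    return [(p, r, "mitigate" if r > tolerance else "accept/monitor") for p, r in scored]


def with_control(pair: RiskPair, effectiveness: float) -> RiskPair:
    """Model a recommended control by re-scoring the pair with a new effectiveness."""
    return replace(pair, control_effectiveness=effectiveness)


if __name__ == "__main__":
    for pair, residual, disposition in rank(SAMPLE_PAIRS, tolerance=8.0):
        print(f"{residual:5.1f}  {disposition:15s} {pair.asset}: {pair.threat} / {pair.vulnerability}")
```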
In recent years, significant shifts in risk management within healthcare have been marked by two key changes: a shift in focus and a shift in approach. Healthcare organizations have expanded their risk assessments from focusing solely on patient safety and staff health to adopting an organization-wide perspective. This broader focus now includes evaluating risks to IT systems, medical devices, data protection, privacy, and other critical areas. Moreover, organizations have transitioned from reacting to risks after they occur to proactively identifying and addressing potential risks before they manifest.
As a result of these transformations, healthcare organizations are increasingly investing in ERM, which considers all processes and their interrelations. ERM maturity is now a core priority, as evidenced by the growing emphasis on comprehensive risk assessments like the SRA under HIPAA. A properly conducted and managed SRA can serve as the backbone of an organization’s risk management strategy, effectively encompassing the "R" in GRC. Let’s dive deeper into a HIPAA SRA.
HIPAA SECURITY RISK ASSESSMENT
This Article covers a HIPAA risk assessment (also referred to as a "risk analysis"), but organizations should conduct others, too (e.g., market, financial, reputational, legal). Essentially, organizations should conduct a risk assessment for each business line (e.g., mission, market, products/services, financial) and for each type of asset. A primary goal of the assessment is to determine a target profile, which is a combination of end-state capability and maturity. Another goal is to document deficiencies and identify gaps for purposes of resource allocation. The final goal is to form and execute a strategy. Using pre-established threat models can simplify the risk assessment process, both for the initial assessment and for subsequent updates.
The HIPAA Security Rule (Security Rule) requires that CEs and BAs conduct an accurate and thorough assessment of the potential risks and vulnerabilities to PHI's confidentiality, integrity, and availability.[20] While comprehensive, the Security Rule allows flexibility. For more on which organizations are considered CEs and BAs or specifics on the Security Rule, check out my previous articles on these topics. Conducting an SRA is essential for a HIPAA compliance program. OCR investigations and enforcement actions highlight the importance of conducting an SRA. It’s not a “check-the-box” exercise. OCR commonly requests a copy of an organization’s SRA following reported breaches of unsecured PHI or alleged Security Rule violations. Failure to properly conduct an SRA is a frequently identified deficiency, either alone or as an additional issue during OCR investigations of other violations or breach reports.
OCR has provided guidance on conducting an SRA. The OCR Guidance describes an SRA as the foundational element in compliance with the Security Rule. It acknowledges that the Security Rule itself “does not prescribe a specific risk analysis methodology [for conducting an SRA], recognizing that the methods will vary depending on the organization.”[21] Organizations can implement any security measures that reasonably and appropriately meet the standards, considering the organization’s size, complexity, and capabilities; its technical infrastructure, hardware, and software security capabilities; the costs of security measures; and the probability and criticality of potential risks to PHI.
The OCR Guidance lists the elements that an SRA must address: scope of the analysis, data collection to determine all locations where PHI is stored, identification and documentation of potential threats and vulnerabilities, assessment of current security measures, determination of the likelihood of threat occurrence, determination of the potential impact of threat occurrence, determination of the level of risk, finalization of documentation, and periodic and as-needed review based on updates to the risk assessment (discussed in detail below). The Security Rule does not specify how frequently to conduct an SRA, and the frequency will vary among organizations. However, at a minimum, it should be done at least annually and revisited on an as-needed basis in the event of material changes, such as experiencing a security incident, changes in ownership, turnover in key staff or management, and plans to incorporate new technology.
OCR has made available a recently updated, free resource for conducting an SRA. The SRA Tool is a desktop application that guides users step-by-step through the security risk assessment process using a straightforward, wizard-based approach. Users are led through multiple-choice questions, threat and vulnerability assessments, and asset and vendor management. References and additional guidance are provided along the way. Reports can be saved and printed after the assessment is completed. This tool is an improvement from OCR’s previous SRA guidance, which was merely an Excel template.
While risk management is predominantly the responsibility of management-level staff, the outcomes and decisions following the assessment affect the entire organization. Therefore, it is important to involve more stakeholders in the risk management chain than just IT when conducting a risk assessment. The CISO typically oversees the process. However, conducting any risk assessment often involves collaboration among the Security Officer, Chief Privacy Officer, compliance, legal, system owners, and other stakeholders. The privacy, compliance, or legal teams may help ensure the SRA process aligns with HIPAA’s legal requirements, prepare templates, answer questions, and review SRA documentation drafts. The security team, which understands relevant asset categories and existing security measures, usually handles the substantive aspects of the SRA, such as analyzing threat actors, threat events, and vulnerabilities. Involving legal and/or compliance is crucial not only for their expertise but also for the benefit of attorney-client privilege.
Alternatively, many organizations engage third-party vendors to assist in conducting an SRA. The SRA process is not necessarily intuitive, and even highly trained in-house information security personnel may lack sufficient familiarity with the process to conduct it in accordance with HIPAA and OCR Guidance. When engaging a third-party vendor, ensure they understand the SRA process described in the OCR Guidance and that their written deliverables align with these guidelines without including unnecessary sensitive recommendations. Leveraging internal or external counsel to vet the vendor’s processes and deliverables before engagement is advisable. Even vendors claiming to conduct SRAs may need coaching on the OCR Guidance process and appropriate deliverable content. If a vendor is engaged by or at the direction of outside counsel, their drafts, work product, and other materials may be subject to attorney-client privilege or work product doctrine. In such cases, all parties should comply with any special terms or requirements to preserve these protections throughout the engagement.
Keep in mind that many of these SRA vendors provide additional security assessment services that may be useful to the organization. These services include technical assessments (such as vulnerability scans or penetration tests), security compliance gap assessments, comprehensive cybersecurity assessments, and Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) certifications. This process can be automated with companies like HoundDog.ai, which provides excellent solutions for privacy compliance automation and sensitive data protection. While these assessments or certifications do not constitute an SRA, performing them in parallel with the SRA may yield synergies.
SRAs are also relevant in healthcare transactions. For example, in mergers and acquisitions, a competent buyer’s due diligence review of a HIPAA-subject target typically includes evaluating whether the target has conducted a compliant SRA. A common deficiency identified during due diligence is failing to conduct an SRA per OCR Guidance. In such cases, buyers may consider requiring the target to perform an SRA before the transaction closes or, with some incremental risk, as soon as possible after closing. The risks of not performing an SRA may be heightened by factors such as active regulatory investigations, ongoing litigation, recent complaints, or recent PHI breaches.
In conducting an SRA, many organizations undertake a process and produce documentation that does not conform to the OCR Guidance. Specifically, they do a Security Rule "compliance gap assessment" instead of an SRA. A compliance gap assessment reviews each standard and implementation specification in the Security Rule and assesses the organization’s implementation of relevant security safeguards and measures. While valuable for compliance validation and improvement, it does not meet the SRA requirements described by the OCR Guidance and should not be confused with an SRA. This is a common error in SRA processes.
Additionally, unless conducted under attorney-client privilege, a compliance gap assessment may inadvertently create a discoverable document that outlines the organization's compliance or non-compliance with each Security Rule standard or specification. Suppose an organization wants to conduct a compliance gap assessment in anticipation of litigation or for other reasons where privilege might apply. In that case, it should consider conducting the assessment at the direction of counsel.
In the eyes of OCR, an SRA is the “first step” in an organization’s Security Rule compliance efforts and is the foundation of the risk management plan. However, some in-house IT professionals or executives may undervalue the importance of performing an SRA, focusing instead on technical assessments, cybersecurity assessments, penetration tests, and vulnerability scans. While these exercises are valuable and may enhance an organization’s IT infrastructure, an SRA is required for HIPAA compliance and an enforcement priority for OCR. It should not be overlooked or de-emphasized.
The SRA is an in-depth and time-consuming process, especially for organizations doing it for the first time. The initial SRA will take time, but subsequent ones will be much easier and faster. Conducting an SRA is essential for a HIPAA compliance program. Let’s take a look at the basic steps for conducting an SRA.
HIPAA SRA Steps
1. Define Scope of SRA and Collect Data: Identify each legal entity of the organization that is a HIPAA CE or BA (or that voluntarily wishes to adopt a HIPAA-like compliance program). These entities will be in the scope of the SRA. The SRA process does not materially differ between a CE and a BA. An SRA for two or more related CEs or BAs may be combined into a single SRA if they share common or similar IT assets, processes, policies, procedures, and infrastructure. An example is an MSO-type structure where the administrative arm, a BA, provides non-clinical services to a CE. However, the SRA should still specifically identify all organizations covered and note any entity-specific nuances.
Generate a comprehensive list of asset categories regardless of the particular medium. The risk analysis will be applied separately to each asset category, which refers to a distinct type of IT asset that creates, receives, maintains, or transmits PHI. In other words, where is your PHI? It may be prudent to create PHI diagrams showing how PHI enters the network, the systems it touches as it exists and flows within it, and any point at which it may leave the network. The OCR Guidance does not prescribe specific asset categories. Each organization must create a list that is specific to its environment. Assets include mobiles, laptops/computers, routers, servers, software, hardware, operating systems, databases, clinical equipment, physical location/storage (e.g., filing cabinets), and removable devices.
The key is determining how much PHI there is, what type it is, where it rests within the organization, which systems handle it, and who has access. The asset categories should be analytically useful (i.e., assets that are similar in description and have common threat sources and vulnerabilities that can be assessed uniformly should be grouped). Creating asset categories requires balancing the need for analytically useful groups while avoiding unnecessary length or complexity in the SRA process. For each asset category, the SRA will outline all unique threats and vulnerabilities (discussed further below). This step will consume much time and coordinated effort across teams, especially if it’s never been done before. This means gathering a lot of information, having weekly meetings across teams, reviewing past or existing projects, conducting interviews, reviewing relevant documentation, or deploying other data collection techniques. The goal is to get and document a detailed accounting of the “environment,” everything that touches PHI.
Among other things, data classification will help determine which laws and regulations apply (discussed further in the Governance Section). It will also inform the organization’s data handling protocols, including its retention and destruction policies and procedures. Classification of data will further allow an organization to gain an understanding of its risk allocation. Certain areas within the environment will have higher concentrations of risk based on factors such as the type of data, where it rests, and its retention requirements. Among other things, this will inform strategy in terms of data segregation and consolidation. For example, it may make sense to implement a decentralized infrastructure where data is separated into several silos so that an attack could be more easily contained (discussed in more detail in the Governance Section above).
At this stage, it might also make sense to gather and classify other sensitive data (e.g., workforce data or financial data that does not fall under the definition of PHI) the company deals with to secure such data and comply with applicable laws. Once there is a comprehensive accounting of sensitive data (e.g., PHI), the current security posture can be assessed.
2. Identify Potential Threats to PHI: Identify all potential threats to the confidentiality, availability, and integrity of PHI created, maintained, received, and transmitted by the organization. Integrity means that data remains in its original, unaltered form and, if destroyed, is destroyed properly. Focus on relevant threat sources, including human, environmental, and structural threats:
- Human Threat Sources
  - Malicious outsider
    - Hacker seeking to extract information
    - Hacker seeking to deny or disrupt service
  - Malicious insider
    - Rogue workforce member
    - Snooping workforce member
    - Identity thief/dark web seller
  - Negligent workforce member or BA
  - Thief of physical assets (e.g., laptop)
- Environmental Threat Sources (continuity of business and disaster recovery plans should address these)
  - Infrastructure failure/outage
  - Electrical power failure
  - Telecommunications failure
  - Natural disasters (e.g., earthquakes, hurricanes, tornados, and fires)
  - Force majeure events (e.g., war)
- Structural Threat Sources
  - Hardware failures
  - Software failures
  - Environmental control failures (e.g., temperature/humidity controls and power supply)
3. Assess Current Security Measures: Assess the sufficiency of existing security measures to safeguard PHI. This can be done by referring to any completed Security Rule gap assessment results. Additionally, organizations can look to other information security frameworks, such as those issued by the U.S. Department of Commerce’s National Institute for Standards and Technology (NIST).
4. Identify and Document Existing Vulnerabilities to PHI: Identify existing vulnerabilities of the organization's PHI. These vulnerabilities should be specific to each asset category, as different categories may have different vulnerabilities. Consider exposure to both internal and external threats, and both digital and physical weaknesses. Make sure to document thoroughly. If you don’t document, it’s no good. Examples of vulnerabilities include:
- Non-technical Vulnerabilities
  - Insufficient policies and procedures
  - Insufficient workforce training
  - Failure to consistently sanction workforce members who violate security policies and procedures
  - Insufficient physical safeguards (e.g., facility access controls, locks, fire extinguishers, security cameras)
  - Failure to perform due diligence on prospective BAs’ privacy and security practices
- Technical Vulnerabilities
  - Unsupported and outdated software or operating systems (legacy systems)
  - Lack of antivirus software
  - Generic user accounts/password sharing
  - Weak passwords
  - Lack of MFA
  - Insufficient audit controls
  - Insufficient encryption solutions
  - Insufficient integrity mechanisms
  - User accounts with excessive privileges as opposed to RBAC
  - Improper configuration of network security devices
  - Insufficient intrusion detection system
  - Insufficient audit logging
5. Identify and Document Potential Threat Events: Identify potential “threat events” that result from threat sources exploiting existing vulnerabilities to PHI. These threat events will vary across different asset categories. Examples include:
- Threat Events
  - Denial-of-service attack
  - Phishing scam
  - System hacking
  - Theft
  - Exfiltration of PHI
  - Insertion of malware
  - Zero-day attack
  - Unauthorized access by a third party
  - Unauthorized access by a workforce member
  - Unauthorized disclosure by a workforce member
  - Natural disaster at data center/damage to work equipment
  - System outage
  - Improper disposal/destruction of media
6. Determine Likelihood of Threat Event: Assess the likelihood of a potential threat occurring based on established policy and procedures. Commonly, this likelihood is classified as “Low,” “Medium,” or “High.” This determination is based on the organization’s existing security measures and controls, as well as the assessor’s judgment, experience, and understanding of the current threat environment. Consulting external resources can provide a better understanding of the threat environment.
7. Determine Overall Adverse Impact: Determine the impact of a threat event on the confidentiality, integrity, and availability of PHI. Using the classification system of “Low,” “Medium,” or “High,” assess each type of impact. Then, these levels will be averaged to determine the overall potential adverse impact. For example, if the impact on confidentiality is low, integrity is medium, and availability is high, the overall impact on PHI would be medium.
8. Determine Level of Risk to PHI: Calculate final risk ratings for each combination of threat, vulnerability, and event. Risk is the likelihood that a threat will exploit a vulnerability. Categorizing risks in this way helps facilitate risk management decisions and allows organizations to prioritize necessary remedial actions. Risk ratings can be classified as “Low,” “Medium,” or “High.” To determine the final risk ratings, use the following formula:
- Final Risk = Likelihood of Threat Event Occurrence x Impact of Threat Event
Document the risk analysis using a spreadsheet, table, or OCR’s SRA Tool, with each asset-category-specific threat, vulnerability, and event combination as its own row. Such a spreadsheet or table could have dozens of rows or more, depending on the organization. If you use the OCR tool discussed above, you don’t have to create a spreadsheet or table manually: you can use the Excel template or, alternatively, download the OCR software and complete it that way. The risk analysis documentation directly informs the risk management process.
9. Recommend Mitigation Strategies: Identify mitigation strategies to reduce identified risks to reasonable and appropriate levels or determine whether to accept any identified risks based on business risk tolerances. This step will form the basis for creating the “risk management plan” required by the Security Rule. One approach is to prioritize measures to quickly reduce all risks with a rating of “Medium” or “High” while accepting or de-prioritizing risks with a rating of “Low.”
10. Develop and Implement a Risk Management Plan: After completing the SRA process, the next step is risk management. Risk management includes implementing security measures to reduce risks to reasonable and appropriate levels. Involving key workforce members, including senior management and key decision-makers, is crucial for successful development. The SRA process provides these members with the information needed for risk prioritization and mitigation decisions. The result is a written Risk Management Plan that outlines prioritized risks, next steps for mitigation, and an implementation plan. This plan guides the organization in implementing security measures to reduce risks to PHI to reasonable and appropriate levels. It should be revised in accordance with subsequent routine and as-needed risk assessments.
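To make steps 6 through 9 concrete, here is an added example (not the article's own material and not OCR's SRA Tool) of a small risk register in Python: it averages the confidentiality, integrity, and availability impact ratings, applies Final Risk = Likelihood x Impact, buckets the product back into Low/Medium/High, and orders the rows so that Medium and High risks are mitigated first while Low risks are accepted. The asset categories, threat sources, vulnerabilities, and events in the sample rows are constructed from the lists above, and the cut-offs used to bucket the product (1-2 Low, 3-4 Medium, 6-9 High) are an assumption, since the guidance gives the formula but not the thresholds.

```python
"""HIPAA SRA steps 6-9 as a small risk register (added example)."""
from dataclasses import dataclass, asdict
import csv
import io

# Qualitative scale used throughout the SRA steps above.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}
NAMES = {score: name for name, score in LEVELS.items()}


@dataclass(frozen=True)
class RiskEntry:
    """One row of the SRA documentation: an asset-category-specific
    threat source / vulnerability / threat event combination."""
    asset_category: str
    threat_source: str
    vulnerability: str
    threat_event: str
    likelihood: str       # step 6: Low / Medium / High
    confidentiality: str  # step 7: impact on each property of PHI
    integrity: str
    availability: str


def overall_impact(confidentiality: str, integrity: str, availability: str) -> str:
    """Step 7: average the three impact ratings and map the average back
    to a level. Low/Medium/High averages to 2.0, i.e. Medium, as in the text."""
    total = LEVELS[confidentiality] + LEVELS[integrity] + LEVELS[availability]
    return NAMES[int(total / 3 + 0.5)]


def final_risk(likelihood: str, impact: str) -> str:
    """Step 8: Final Risk = Likelihood x Impact, bucketed into three levels.
    The cut-offs (1-2 Low, 3-4 Medium, 6-9 High) are an assumption; the
    guidance gives the formula, not the thresholds."""
    product = LEVELS[likelihood] * LEVELS[impact]
    if product <= 2:
        return "Low"
    if product <= 4:
        return "Medium"
    return "High"


def disposition(risk: str) -> str:
    """Step 9: mitigate Medium and High risks first; accept or de-prioritize Low."""
    return "Mitigate" if risk in ("Medium", "High") else "Accept"


def rate(entry: RiskEntry) -> dict:
    """Rate one register entry and return it as a documentation row."""
    impact = overall_impact(entry.confidentiality, entry.integrity, entry.availability)
    risk = final_risk(entry.likelihood, impact)
    row = asdict(entry)
    row.update({"impact": impact, "final_risk": risk, "disposition": disposition(risk)})
    return row


def prioritize(entries) -> list:
    """Highest final risk first; sorted() is stable, so ties keep register order."""
    return sorted((rate(e) for e in entries), key=lambda r: -LEVELS[r["final_risk"]])


def to_csv(rows) -> str:
    """Render the rated rows as the spreadsheet described under step 8."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample register drawn from the threat, vulnerability and event lists above.
SAMPLE_REGISTER = [
    RiskEntry("Laptops", "Thief of physical assets", "Insufficient encryption solutions",
              "Theft", "Medium", "High", "Low", "Medium"),
    RiskEntry("Email system", "Malicious outsider", "Lack of MFA",
              "Phishing scam", "High", "High", "Medium", "Medium"),
    RiskEntry("Data center", "Natural disasters", "Environmental control failures",
              "System outage", "Low", "Low", "Low", "High"),
    RiskEntry("EHR database", "Snooping workforce member",
              "User accounts with excessive privileges",
              "Unauthorized access by a workforce member", "Medium", "High", "Medium", "Medium"),
]

if __name__ == "__main__":
    print(to_csv(prioritize(SAMPLE_REGISTER)))
```

Each output row corresponds to one line of the spreadsheet described under step 8, so the CSV can be pasted straight into the risk analysis documentation; replacing the bucket cut-offs with the organization's own risk matrix is a change to one function.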
As a practical matter, the goal isn’t to make the environment bulletproof across the board. Instead, applying the 80/20 rule can be effective. The aim is to maximize utility under the management plan based on specific needs and risks.
The more critical an asset is to the environment, the more robust its security measures should be. For example, externally facing assets are often among the most critical. Also, while prioritizing, it often makes sense to address low-hanging fruit first. For instance, a relatively easy change is to stop using PHI in email subject lines. Even a change like that might require alignment with leadership, updating policies, and ensuring workforce awareness.
The SRA process is often poorly understood, especially among small and medium-sized healthcare organizations. Despite the availability of OCR guidance and a downloadable SRA tool provided by the Office of the National Coordinator for Health Information Technology (ONC) and OCR, common misconceptions persist. Given OCR’s enforcement emphasis on conducting SRAs, organizations should ensure they have performed an SRA, that it remains current, and that it follows the process described by OCR in its guidance. By following the steps outlined and leveraging available resources and expertise, organizations can ensure they meet regulatory requirements and protect PHI effectively. Keep in mind that we did not cover other compliance requirements related to cyber risk management that may be implicated.
RISK MITIGATION: CYBERSECURITY INCIDENT RESPONSE
In the past year, healthcare organizations nationwide have faced an unprecedented number of cyber attacks, dealing with legal, regulatory, monetary, and reputational fallouts. Cybercriminals exploit security gaps and human errors. Even organizations with robust cybersecurity programs can fall victim. Ransomware is a common and challenging threat. Its attacks often follow a pattern. Cybercriminals cast a wide net, exploiting unpatched firewalls, improperly configured systems, or compromised credentials. Once inside, they conduct reconnaissance, copying and exporting data. After extending their reach, they encrypt or corrupt the victim’s files, causing disruptions. Employees may notice slow internet or inaccessible records, and a cyber ransom note soon reveals the attack, demanding contact and negotiation.
Any organization that works with digital technologies and deals with sensitive personal data should have an incident response strategy in place. Recent reports indicate that healthcare organizations still need improvement in this area, as plans were often informal or non-existent.[22] Incident response is crucial for managing cybersecurity risks before, during, and after they occur. However, it remains a significant challenge, especially in PHI security.
According to the European Union Agency for Cybersecurity, “Incident response and management is the protection of an organization’s information by developing and implementing an incident response process (e.g., plans, defined roles, training, communications, management oversight) to discover an attack quickly, contain the damage, eradicate the attacker’s presence, and restore the network and systems' integrity.”[23] It encompasses all actions by an organization or a specific team to handle cyberattacks or incidents, typically focusing on the short-term effects. It should not be a one-time act. A holistic incident response strategy or plan dramatically increases an organization’s resilience. Organizational resilience is the ability to “anticipate, prepare for, respond and adapt to incremental change and sudden disruptions to survive and prosper.”[24] There should be a continuous evaluation process for cyber incidents.[25] There should also be an incident response team, policies, and procedures on how to deal with cyber incidents.
During the first of Google’s Healthcare and Life Sciences Summer Camp, Google Cloud’s Taylor Lehmann, Director, Office of the CISO, was asked by Will Morris, Office of the CIMO, “What’s the instant reaction after a security incident occurs?” His response was somewhat counterintuitive but informative. When systems go down, don’t jump around looking for information at every corner available. Often, the information that initially comes out is not reliable. For example, with the Change Healthcare incident, one such third party recommended turning off all systems connected to Change Healthcare. This “denial of attack” advice is misplaced. Folks who disconnected had to wait months to reconnect. The problem is that many organizations are news/trade associations with an incentive to create more havoc during these incidents. Instead, the aim is to consult organizations that are reliable according to industry standards. Many experts consider Health-ISAC to be at the top of that list. Get the data, understand the problem, and go to the experts. That’s an effective reaction, according to Taylor.
An effective incident response depends on proper policies and procedures, including a cyber incident plan (i.e., playbook) and an incident response team with practice under their belt. Forming a Cybersecurity Committee is an important part of an effective incident response. And, of course, preparation is key. It’s about setting appropriate guidelines in advance for an incident response, conducting risk analyses, and implementing preventative measures. The goal should be to limit system interdependence (proactive containment). There are several things at interplay. For example, it’s necessary to put into place other related policies and procedures, such as a Business Continuity Plan (BCP), which includes procedures for disaster recovery.
Preparation also means training for all staff and a well-equipped incident response team to tackle the incident. This is accomplished by practicing. The team should routinely (annually, at a minimum) run through tabletop exercises and subsequently address identified risks and vulnerabilities. The goal is to make sure everyone on the team knows their role and is ready and able to act immediately to address it. This ranges from technical controls (e.g., disabling affected credentials, isolating attacks, and patching vulnerabilities) to administrative functions (e.g., reporting, notifying, retaining counsel, and filing a cyber insurance claim). An added benefit of having everyone in the room is that it strengthens cyber security culture, empowers staff, and establishes accountability.
Ultimately, it’s about making decisions on things like what to do/not do, when to do it, how to do it, etc. For example, should law enforcement be involved or how should certain systems be secured to get them back to service in the most safe and efficient way? A healthcare organization must act swiftly and thoughtfully to restore operations and meet legal obligations. Here are important steps for responding, some version of which should be outlined in the cyber security policy and playbook (i.e., the incident response plan):
Incident Response Steps
1. Identify Appropriate Points of Contact Based on the Incident: Convene with the pre-determined incident response team (i.e., the Cybersecurity Committee) quickly, including IT, legal counsel, C-suite executives, compliance, HR, operations leaders, and communication experts. Identify the incident, its origin (who/what/where/when?), and its progression phase (active, complete, or spillover). How did the incident occur? Determine the attack vectors and scope. This is a technical step led by the head of security (preferably a CISO). Establish alternative communication methods if key systems or members are unavailable. For example, while working with one client, we exchanged cell phone numbers with other incident response team members.
2. Stop the Bleeding: IT and third-party forensic vendors (engaged by legal counsel to maintain privilege) should contain the spread and decide the next steps, including, for example, disconnecting non-critical systems or devices from the network. Remove malware and infected devices, and reboot systems. Avoid wiping systems until authorized by legal counsel; the organization's retention and destruction policies and procedures should inform that decision. Restore from backup if necessary. Similarly, avoid erasing critical forensic evidence. Preserving logs and data helps forensic investigators, legal counsel, and law enforcement understand the attack and assess legal obligations.
3. Contact Cyber Insurer: If appropriate, notify the cyber insurer to start coverage evaluations and connect with outside experts. For example, IT resources with third-party forensic firms could assist in assessing the attack's scope, expel the criminal, and support privilege. If warranted, bring in experienced legal counsel to ensure attorney-client privilege and oversee the forensic investigation. Responsible designee(s) should know the ins and outs beforehand. This should not be the first time folks are looking at the cyber insurance policy. The compliance team, or General Counsel’s Office, should be familiar with it and have a well-versed plan to execute per the procedures set out in a written policy and playbook.
4. Assess and Document Findings: Forensic investigations should reveal how and when the attack occurred, the data at risk, and the affected individuals. Findings should be shared through status calls and a final written report. Many organizations have an internal platform for keeping track of cyber incidents, communicating confidentially with other incident response members, and documenting action steps. A cyber security committee should govern this process following established cyber security policies and procedures.
5. Analyze Notification Responsibilities: Assess whether notifications to patients, workforce members, partners, other stakeholders, or regulators are required based on the forensic investigation findings. Ensure compliance with relevant laws and contracts as well as internal policy and related procedures on breach notifications (including as required by HIPAA). Notification obligations will also be dictated by each BAA. Tracking all such contractual notification obligations and automating the process via contract management software is advisable. This is key for efficiency. For some organizations, if many individuals require notification (and perhaps the media if over 500 individuals are affected by a breach), it might make sense to engage a third-party vendor to handle mailings and call center operations directed by legal counsel.
Where appropriate, coordinate with Information-Sharing Organizations (ISOs) or Information-Sharing and Analysis Organizations (ISAOs). It may be advisable to report indicators of compromise to such organizations and request information on similar incidents. Similarly, where appropriate, notify the Federal Bureau of Investigation (FBI) for assistance with the attack. This notification is crucial if the organization needs to pay a ransom or report the attack to regulators.
6. Prepare for Regulatory Investigations: Be ready to answer questions from OCR and state attorneys general about the incident and overall compliance. Cooperate with other relevant regulators as well. Regulatory inquiries and litigation may follow an incident, but an effective incident response can stabilize operations and reduce liabilities. Preparation is crucial. Litigation often involves class actions, and under certain circumstances, executives may face personal liability for cyber risk failures. Legal counsel can help navigate inquiries, protect privilege, and defend against potential claims.
7. Document and Track: Review the incident, the activities that led to it, and the activities taken to respond to and manage it. Detailed documentation of response actions, prepared under the direction of legal counsel, is necessary. Continue monitoring until the threat is confirmed to be resolved. Identify areas for improvement. The outcomes should feed back into the preparation phase.
Compliance: The “C” in “GRC”
You can have the policies, procedures, processes, and controls in place, but without execution, what’s the point? Compliance ensures that these governance and risk management frameworks are effectively carried out. This includes monitoring activities, conducting internal and external audits, and reporting. Compliance is the mechanism that brings the governance components and risk assessments to life. Compliance is deeply intertwined with governance in this way. A well-structured governance framework ensures compliance obligations are clearly defined and integrated into the organization’s operations and strategy, facilitating effective compliance. By aligning compliance activities with the broader GRC framework, healthcare organizations can meet legal obligations while managing data privacy and protection risks.
Why comply? Beyond avoiding regulatory consequences like penalties and reputational damage, internal compliance allows organizations to identify and address issues before they escalate. Proactive compliance efforts help mitigate risks and prevent sanctions. However, compliance is more than a gatekeeping function. Compliance officers foster an ethical culture within the organization. By setting standards and expectations, they influence corporate behavior and decision-making, extending their responsibility beyond adherence to legal requirements to promoting ethical practices that enhance trust and integrity.
Compliance Structure
Typically, it makes sense to designate a Compliance Officer. While this role is sometimes filled by in-house counsel, such as general counsel, HHS-OIG has advised against it. This advice makes sense: an in-house lawyer owes a fiduciary duty to the organization as its client, which could conflict with the objectivity required for enforcing compliance. In contrast, the compliance officer reports, investigates, and enforces compliance matters impartially. To maintain this impartiality, the compliance function must operate independently from other business units, especially legal. Whether handled in-house or by a third party, the compliance function should remain free from undue influence. If you’re a general counsel, resist the urge to take on this role: do what’s right and ensure independence in the compliance function. This will better serve your organization.
The compliance function requires the allocation of sufficient resources. The compliance function becomes toothless without the necessary financial, human, and technological resources. For example, if the IT department is too overburdened to monitor unauthorized access adequately, that is an issue. Hire more people. Do something. In a similar vein, the compliance function should have sufficient authority. This means having the power to enforce rules and policies across the organization. The governance framework should clearly define this authority in relevant policies. Further, compliance officers must have direct access to the board or senior management for reporting to ensure accountability, transparency, and prompt action when necessary. For example, if a compliance issue arises, it should be reported to top executives responsible for making informed decisions based on the compliance officer's recommendations.
Monitoring
Monitoring is another important part of compliance. The Governance Section above establishes what needs to be monitored and how; compliance is carrying those activities out. Monitoring means ensuring ongoing adherence to what has been established as part of an organization's governance structure, including conducting regular audits and risk assessments and continuously overseeing compliance efforts. Risk management (discussed in the Risk Section above) also influences compliance: regular risk assessments and ongoing monitoring allow non-compliance risks to be identified and mitigated. These results should feed back into the governance structure, ensuring that compliance efforts are maintained and continuously improved.
Reporting
Reporting ensures transparency and accountability within the organization. Compliance officers should regularly report to the board and regulatory authorities following internal policies. Internal reporting helps improve the compliance function by enabling informed decision-making at the executive level. External reporting, on the other hand, ensures that the organization meets its regulatory obligations. For example, under HIPAA, healthcare organizations must report breaches annually to the OCR. Governance policies should clearly outline reporting requirements so compliance officers understand what needs to be reported and when.
Audits
Compliance officers play a central role in managing and sometimes conducting internal and external audits to ensure comprehensive compliance. They are often responsible for planning the audits, including determining the scope, gathering relevant documentation, and coordinating with other departments. Compliance officers often serve as the primary liaison when engaging external auditors, ensuring auditors have the necessary resources and clarifying any issues. Compliance officers may oversee the entire process or delegate specific tasks for internal audits. After an audit, they review the findings, particularly areas of non-compliance, and work with relevant teams to implement corrective actions. Post-audit, compliance officers continue to monitor the impacted areas to ensure ongoing compliance and report the results to senior management and the board. This process ensures that audits reveal gaps and lead to meaningful improvements across the organization.
Disciplinary Action & Investigations
A critical component of any compliance program is the establishment of clear, enforceable disciplinary measures. The organization should respond promptly and consistently when compliance breaches occur, ensuring violations are met with appropriate consequences. Often, disciplinary actions are triggered by specific events, such as suspected behavior in violation of standards, a report from a whistleblower, or findings from an audit or ongoing monitoring activities. These triggers prompt investigations, which are crucial for determining the root cause of non-compliance and ensuring a fair assessment of the situation.
Investigations can vary depending on the source of the trigger, but the process should always be thorough and impartial. Whether an issue is flagged through routine monitoring, raised by a colleague, or discovered during an audit, the compliance team must follow established procedures to assess the situation, gather facts, and determine the appropriate response. After the investigation, disciplinary actions may range from additional training and warnings to suspension or termination, depending on the severity of the breach.
Implementing and enforcing disciplinary measures upholds accountability and reinforces the importance of compliance across the organization. It sends a clear message that non-compliance will not be tolerated and deters future violations. Furthermore, an effective disciplinary and investigation process should be fair and transparent, ensuring that workforce members understand the procedures and the repercussions of non-compliance while fostering a culture of improvement and ethical responsibility.
Feedback Loop
Let’s talk about the feedback loop. Compliance officers should ensure continuous improvement. The compliance function should provide feedback to the governance framework through ongoing monitoring and internal reporting, ensuring policies and procedures evolve alongside regulations. Leveraging technology and data analytics can help streamline compliance efforts and identify potential areas of risk more efficiently. While the compliance function operates independently, collaboration with other departments, such as legal and IT, is critical. For instance, although the compliance officer should maintain ultimate authority, consulting with legal before reporting significant issues can be beneficial. Encouraging open communication and feedback from staff further strengthens compliance by fostering an environment where concerns are addressed proactively.
Example: Training Compliance
Let’s look at an example—the big picture. Consider the role of compliance in workforce training. Governance establishes what the training should look like, while compliance is responsible for rolling it out, ensuring all workforce members complete it, identifying gaps, and reporting deficiencies. Compliance ensures that training programs are continuously improved and that any failures to comply are addressed, including sanctions if necessary. This feedback loop allows for consistently improving the organization’s compliance posture, ultimately minimizing non-compliance risk.
CYBERSECURITY CENTER OF EXCELLENCE: SECURING TOMORROW STARTS TODAY
Healthcare organizations should strive to create an effective cybersecurity function—a center of excellence. This involves a proactive, holistic approach to cybersecurity initiatives, starting with awareness and training. The human element ultimately determines an organization’s security posture and resilience. No amount of compliance technology on its own can result in a strong cybersecurity posture and eliminate the potential for a cyber attack.
As healthcare organizations integrate AI and expand their digital ecosystems, the need for robust compliance strategies has never been greater. These developments introduce new risks and regulatory challenges. One of the biggest challenges is identity authentication: with the advent of deepfakes, it’s difficult to determine who is who. On the other hand, by deploying AI capabilities, organizations can defend more proficiently. At the end of the day, AI is here to stay, and as with any other groundbreaking innovation, there’s good and bad. Let’s make the good outweigh the bad. Let’s choose to be prepared for bad things like cyber attacks, treating them as a matter of when rather than if.
Ultimately, the path forward lies in preparation and adaptability. As the threat landscape evolves, so must our strategies. By investing in both the technological and human aspects of cybersecurity, healthcare organizations can create an environment that is resilient against current and future challenges. The time to act is now.