What does “Compliance” mean to a Healthcare CISO?

The role of the healthcare CISO has expanded exponentially since the HITECH Act of 2009.  CISOs were traditionally charged with the responsibility to maintain the IT environment consisting of applications and infrastructure.  Today they are taking on an expanded organizational role consisting of innovation, operational responsibility and compliance.  Although, the governance for compliancy consists of a village when it comes to leadership and stakeholders, CISOs still remain at the center of the universe.  A multitude of federal and state regulations are at the CISO’s doorstep and pressing on the their scope of responsibility. Among these regulations are PCI, ICD-10, Meaningful Use and, the biggest and most daunting of all, HIPAA.  If a Healthcare Organization (HCO) fails to meet the compliancy standards required by these regulations, the results may be penalties consisting of fees, possible imprisonment and the loss of credibility. The “experts” all agree that the following are the largest and most challenging force vectors for the healthcare CIO to confront in order to achieve and sustain compliance:

  • Employees:
    • The HCO must groom the employee culture to be aware and sensitive to the imposed regulations.  This requires strong policies and continuing education. 
  • Mobile Devices:
    • The sprawl of mobile devices in the Internet of Things (IoT) has created multiple and diverse conduits into the patient data.  A strong Mobile Device Management solution should be implemented along with encryption where appropriate.  CIOs are taking responsibility to map the information flow of patient data to ensure that the data is following the authorized path.
  • Rogue Applications:
    • None of the enterprise applications in healthcare can meet all the point specific needs across the HCO enterprise.  This void has spawned the sprawl of rogue applications.  These apps are often acquired without the knowledge of the CISO.  The CISO and IS are not able to provide the best controls without being a part of those 3rd party solutions.

 

The Cloud:

  • The use of Cloud Service Providers (CSP) in healthcare has its advantages and benefits.  Lower cost and scalability are two of the most common benefits.  However, the CISO must ensure that the CSP is HIPAA compliant and a strong Service Level Agreement is negotiated.
  • Payment Card Industry (PCI):HCOs are accepting charge/debit cards for payment both on site and via the internet.  Just like any other industry, healthcare must protect the cardholder’s security against a cyber-attack/breach.  The CISO must ensure that the HCO is certified under the PCI standards and best practices.
  • HIPAA:
    • The number one compliancy challenge for CISOs is HIPAA.  The HITECH Act expanded the scope of HIPAA and the Omnibus bill in 2013 gave definition and guidance for the implementation of the HITECH requirements.  The Meaningful Use requirements expanded the access to the electronic medical records thus creating additional opportunities for security breaches.  The good news is that CISOs have the technical controls available in the market place to build a fortress against the onslaught of breach opportunities.  The other side of the coin the CISOs must build the case for a security budget that will allow for the acquisition and implementation of those controls.

In order to be successful and achieve the appropriate level of compliance, the CISO must advocate for a Compliance Governance within the HCO. The CISO can be the catalyst but it will take a village of leadership and stakeholders to weather the strong currents that drive compliancy.