If you are concerned that your security program is non-compliant, you should be-because you're worried about the wrong issue.
Medical practices often ask, “Is our security program compliant?” While meant with the best of intentions, this is the wrong question to ask. The question practices should be asking is, “Is our security program operating effectively?”
“Is our security program compliant?” evidences a compliance-focused mindset that provides a minimum level of security.
Many medical practices base their cybersecurity program on government or industry frameworks, such as the Department of Commerce’s National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Department of Health and Human Services’ Health Industry Cybersecurity Practices (HICP), and the Health Information Trust Alliance (HITRUST) Framework. These frameworks provide cybersecurity best practices, templates, and other resources to create cybersecurity programs.
The problem is that these frameworks are intended to apply to the broadest audience possible. They are non-customizable and apply to practices of every size, every medical specialty and subspecialty, and every configuration of technologies and software. The minimum baseline created by the framework may be sufficient for risk mitigation and compliance for some practices, but for many practices it will not be enough.
Compliance to these frameworks, therefore, leads to a check-the-box approach that provides a low level of security but fails to adequately address actual threats to a practice.
Furthermore, frameworks are static documents that cannot keep up with the constantly changing threat landscape. Identifying a new threat, evaluating it against the framework, and revising the framework to address the threat all take time. During this time practices adhering to the framework are unprotected from the threat.
Compliance-based efforts are blind to the specific business needs, potential risks, and security objectives of a practice. Taking actions merely to ensure that minimum requirements of a framework are met can lead to spending resources unnecessarily while still leaving a practice at risk.
Risk-conscious and security-aware
“Is our security program operating effectively?” promotes a risk-conscious, security-aware approach that allows a practice to customize cybersecurity efforts to ensure that measures taken are optimized and cost-effective. Risk management becomes the primary focus of the cybersecurity process, and specific security measures become secondary.
This approach recognizes that not all risks are the same. The consequences of some risks are so low they can be ignored, while the consequences of other risks are so severe they must be avoided at all costs. Adopting this approach requires a practice to identify each risk, analyze the likelihood and consequence of each risk with and without an appropriate security measure, and evaluate whether the risk is acceptable or serious enough to warrant adopting a security measure. A risk-aware approach does not eliminate the consideration of compliance, but merely treats it as another risk.
By focusing on risk management practice leaders can evaluate the risks associated with their infrastructure and data assets, identify the acceptable levels of risk, and pinpoint the resources available or necessary to minimize risk. It is a more encompassing view that addresses a practice’s unique risks, threats, vulnerabilities, risk tolerance, and existing and proposed security measures. It also takes into account the human element of cybersecurity since a risk-based approach must involve personnel from all areas of a practice and account for their strengths and weaknesses.
Practices with this approach have a dynamic cybersecurity program that can evolve quickly with changes to a practice’s goals and objectives, patient care, industry, technology, the threat landscape, and laws and regulations.
In the event of a breach, a risk-aware approach offers an additional benefit over a compliance-based approach. One question arising following a breach is whether the breached party met its due diligence obligation (based on industry-accepted norms or standards of care) to take appropriate actions to protect against the breach. But those norms and standard are not always clear. For cybersecurity, they may vary from industry to industry, or in the case of medical practices, from subspecialty to subspecialty. In some situations, the standard of care may not even align with industry norms. Documenting that a risk management plan was carefully considered and adopted may go further in meeting the due diligence standard than a compliance-based approach.
“Is our security program compliant?” or “Is our security program operating effectively?” One question will lead toward creating a robust set of cybersecurity controls designed to meet the specific business needs of your practice. The other will lead to adopting a one-size-fits-some regulatory or industry framework.
Which question will you ask?
Joseph E. Guimera is an attorney and founder of Guimeralaw Cybersecurity Advisory where he helps organizations plan, build, and execute cybersecurity programs. He can be reached at firstname.lastname@example.org.