Privacy and Security

Aligning Governance, Risk, and Compliance

By Ty Greenhalgh, HCISPP

 

Operational systems in healthcare have a lifecycle. The analysis and design of niche software solutions automate resource intensive processes, leading to integration with several other niche systems that ultimately merge and collapse into one larger more complex solution. The integrated product produces superior workflow, improved resource utilization, and financial efficiency bridging previously impassable departmental and technical divides.

HIM now is responsible for privacy in many organizations. New resource-intensive processes are challenging today’s HIM, privacy, information security, compliance, and cybersecurity departments to automate and integrate operations. There is a category of software that holds promise in aligning these department’s objectives and creating new bridges called GRC software, which stands for governance, risk and compliance.

Interrelating Compliance with Cybersecurity and Privacy
The complexities of adhering to detailed legal compliance requirements such as Payment Card Industry Data Security Standard, HIPAA, Sarbanes-Oxley, California Consumer Privacy Act, and General Data Protection Regulation are formidable. Implementing risk-based cybersecurity and privacy best practices is equally challenging. Governing the integration of these crucial workflows has created a demand for vendors to provide economical versions of GRC software.

In an effort to reduce risks associated with privacy and cybersecurity, healthcare organizations attempt to meet 100 percent compliance with all regulatory requirements mandated by law. Unfortunately, this does not always ensure effective security. Others focus on technical cybersecurity solutions, addressing the threat du jour. Similarly, this will not guarantee compliance. Many attempt both, but without effective coordination of efforts.

The Office for Civil Rights (OCR) understands that compliance with HIPAA’s Security Rule is not enough to secure ePHI. In early 2016, aiming to identify the gaps in healthcare organization security posture, the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator (ONC) released a crosswalk between the NIST Cybersecurity Framework and the HIPAA Security Rule. OCR stated that “addressing these gaps can bolster compliance with the Security Rule and improve an entity’s ability to secure ePHI from a broad range of threats.”1

The best efforts of small and large organizations to protect patient data are failing. For example, Facebook was recently fined $5 billion for privacy violations by the Federal Trade Commission (FTC). And, seemingly there are daily news reports of hacked healthcare organizations that failed to protect the patient’s confidentiality, integrity, or availability of their data. In an effort to respond to meaningful use requirements and incentives, we urgently digitized our medical records without sufficient forethought of security. Now, our industry is suffering the repercussions.

Breaking the ’Silo Mentality’
Organizations have discovered they need to tie critical cybersecurity and privacy controls directly to compliance regulations and manage them with a risk-based methodology. This inter-departmental risk-based approach typically yields increased compliance, reduced privacy and security risks, and increased financial support from executive leadership.

There is a natural flow to the GRC acronym. Governance sets the context by defining the objectives of the organization. Risk management assesses and monitors risk to those objectives within the context of governance, mitigating risk through identification, analysis, and treatment. Compliance frames the regulatory requirements, contractual commitments, and corporate social responsibility values within which risk management must work. Risk management fails without compliance, as compliance is needed to ensure controls are in place and operational to mitigate risk.

Understanding GRC
For years only the largest, most complex, and highly profitable organizations deployed a GRC. Earlier solutions focused on overly complex workflows that led to protracted and often failed installations. If this didn’t dissuade users, increased staffing and total cost of ownership often did. As the market usually does, it seems to have found a need and filled it. Vendors are releasing streamlined, cost effective versions of GRC designed for healthcare data processing and security requirements. They integrate the niche software functionality found in existing compliance, cybersecurity, privacy, and vendor management.

GRC solutions produce a tool that not only ensures there is a control addressing a compliance requirement, it can graphically depict the impact of those controls. This provides organizations the ability to conduct risk-based assessments, create a collaborative decentralized workflow, access/validate and monitor controls and their effectiveness, and document all activity for easy audits and manage by exception.

Assessments provide IT and security-related compliance reporting against an abyss of industry standards, a variety of state-level, national, global and industry specific cybersecurity and privacy related guidance, overlapped with information security guidance. Assessments need to calibrate a scope, review existing controls, determine threats—including their likelihood and impact, and assign risk levels that allow organizations to focus on the most serious threats first.

A GRC that is integrated with an organization’s business operation tools facilitates a quicker implementation and easier adoption. Reaching across departments allows multiple decentralized teams to work together. Automated distribution of policies and tracking attestations make sure the right people have the right information at the right time, the right objectives are established, and the right actions and controls are in place. Collaboration and communications across departments leverages the following:

  • Creating and editing workflows
  • Task assignment
  • Approval and escalation options
  • Email notification integration
  • Calendar to-do population
  • Document sharing
Assessing the validity and effectiveness of controls that are being monitored is crucial to successful compliance and risk management. Increasingly, organizations are looking for more than a static risk analysis. They strive for a documented mitigation response to risks with continuous monitoring and validation of controls as required within the administrative safeguards of the HIPAA Security Rule. GRC software can document the controls and their effectiveness in mitigating threats, likelihood, and impact. These risks are incorporated into a centralized risk register that provide heat maps to graphically categorize the severity of all risks allowing intelligent assignment of scarce resources.

Time and resources required for audits can be drastically reduced if user workflow automatically documents user tasks, control management, and compliance activities. Documentation can contain sufficient detail to validate the accurate and thorough manner in which assessments have been conducted. Central repositories store, organize, and distribute the documentation as audit evidence. A GRC provides auditors security clearance to access specific compliance requirements to quickly validate reasonable diligence without consuming expensive department resources.

The headwinds of complexity will arguably increase for our industry. Advancing common health data standards for interoperability and enhancing individuals’ access to their data will create unprecedented challenges. They will exacerbate the systematic problems we already face with confidentiality, integrity, and availability of patient information. Governance, risk, and compliance have an intricacy of interconnectedness as an integrated whole, not a disassociated collection of systems and parts. GRC may be a mechanism to establish a bearing, anticipate the weather, and identify shoals in the approaching uncharted waterway ahead.

Notes
  1. US Department of Health and Human Services. “Addressing Gaps in Cybersecurity: OCR Releases Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework.” https://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk/index.html.
 

Ty Greenhalgh (Ty@CyberTygr.com) is the CEO of Cyber Tygr.