Chasing certifications won’t prevent data breaches
In the electronics industry, the UL stamp of approval means that a product has been deemed safe. But in the healthcare field, there isn’t a single certification that ensures that Protected Health Information is safe – or that risks are being properly managed.
Even if such a silver bullet existed, a certification cannot guarantee that your organization will never suffer a data breach, complaint or penalty from the Office for Civil Rights (OCR).
Any healthcare organization that places its trust solely in the payment card industry standard (PCI-DSS), HITRUST or Service Organization Controls 2 (SOC 2) is on shaky ground. That’s because the OCR has never accepted SOC 2 “opinions”, PCI-DSS audits or HITRUST “certifications” as evidence of compliance with HIPAA regulations. If submitted in response to an investigation or audit, such documentation would be immediately rejected.
Here’s why these three approaches fall far short of meeting HIPAA requirements:
- SOC 2 is essentially an accounting standard that focuses on data security, confidentiality and integrity. But it doesn’t come close to providing compliance assurance or sound information risk management processes.
- The Payment Card Industry Data Security Standard (PCI-DSS) has long been a requirement for retailers, but it’s proven to be hugely ineffective (witness the highly publicized breaches at Target and Home Depot).
- HITRUST uses a Common Security Framework, but a framework alone isn’t adequate for HIPAA compliance and an effective information risk management program.
It ain’t gonna happen
There will never be a single certification that will effectively ensure HIPAA compliance and information security that will be recognized by OCR. That’s why covered entities should not impose a certification requirement on their business associates. Here’s why:
- It’s a rapidly changing environment. Because of the ever-changing regulatory landscape, a certification that “guarantees” a level of compliance would likely be outdated within a week or even a day. To achieve program maturity, an organization needs to continuously assess and monitor information assets, risks, threats and vulnerabilities.
- Many states are wrestling with what “certification” means. The California attorney general’s office took a stab at this in its 2016 Data Breach Report, which provides a list of safeguards that the attorney general believes constitute reasonable security practices required by California law. Keep in mind, this list came from an analysis of 657 data breaches from 2012 to 2015 that affected over 49 million Californians. Unfortunately, the recommendations for mitigating data breach risks are a look back, not a look forward.
- The test of what is “reasonable and appropriate” is complicated. One-size-fits-all controls “checklists” do not assure that a healthcare organization has taken reasonable and appropriate steps that match its unique circumstances.
- The Federal Trade Commission (FTC) is not going to allow one proprietary organization to “own” an industry segment. The FTC works to prevent business practices that are anticompetitive or unfair to consumers. They likely won’t allow a standard for retail risk management to hold sway over the healthcare field – or vice versa.
- The HITRUST Common Security Framework has limitations. Many payers did not seek broad industry consensus before requiring their service providers to have HITRUST certification. No due diligence appears to have been applied to whether the certification can serve as an effective or sustainable mechanism for validating true risk management capabilities of business associates.
Government agencies have made it abundantly clear that certifications do not absolve covered entities of their legal obligations under the HIPAA Security Rule. Regulatory groups don’t want healthcare organizations to consider a certification to be a safe harbor in the event of a cybersecurity breach. They want those organizations to strive diligently to prevent those breaches from ever occurring.
Instead of chasing certifications, healthcare organizations should focus on the four efforts that are essential to effective information risk management: compliance assessments, risk analyses, technical testing, and implementation of a comprehensive risk management program.
In order to sleep better at night, healthcare leaders should take action from three perspectives:
- Strategically, complete an enterprise information risk management maturity evaluation:
- Tactically, complete a 10-point HIPAA and cyber-risk management assessment; and
- Operationally, conduct an enterprise-wide, comprehensive risk analysis.
Tags: certification, Clearwater Compliance, cybersecurity, data breach, Federal Trade Commission, FTC, HIPAA, HITRUST, OCR, Office for Civil Rights, Payment Card Industry Data Security Standard, PCI-DSS, Service Organization Controls 2, SOC 2