Healthcare CISOs Sound Off, Volume 3: HIPAA Compliance and Risk Management

Blog Post by Brian Selfridge, Partner at Meditology Services and Host of The CyberPHIx Podcast

I have been hosting The CyberPHIx healthcare cybersecurity podcast for over three years now. During that time, I have had the honor and privilege to speak with some of the healthcare industry’s most innovative thought leaders and experts in cybersecurity, privacy, compliance, and risk.

We have produced 69 podcast episodes and counting thus far. For those who don’t quite have the time to binge-listen through the entire catalog, we have compiled some highlights from our guests on a focused set of topics. We will be releasing these as our Healthcare CISOs Sound Off blog series in several installments.

Volume 3 of this series will address HIPAA compliance as part of a larger risk management program. The following are quotes and recordings from some of the industry’s best and brightest leaders related to this important area of focus for healthcare risk management programs.

Britton Burton, Director of Risk Management, Information, Protection and Security, HCA Healthcare

Interview question: I want to talk about compliance just for one moment here and especially at scale. Are there techniques that work or don't work when you're trying to figure out how to check the HIPAA boxes and PCI boxes and other sort of typical compliance areas, state compliance?

“I think the short answer to that is to spend time doing the detailed legwork that it takes to tie every control standard, every actual control implementation in your environment to the authoritative sources that are driving that control. This is not simple, not quick. It's not glamorous work. But the more you can, you know, make that just a foundational piece of your program through your controls framework, the easier it becomes to report on compliance requirements.

And you can still focus on the big picture of we care about risk at the end of the day, not compliance. Well, of course we care about compliance, but our main focus is risk. But as we have all this mapping inherent to do, we do this control and this performing this well, mitigating this threat and this vulnerability. If we know that that control exists because it's tied to a HIPAA requirement or a PCI requirement or whatever it is, it's just a lot easier to report on that.

Again, that's difficult work. You don't just snap your fingers and you've got it. But that's in the wheelhouse of GRC and IRM platforms. Right. So how do you leverage those tools to try to make that reporting as seamless and as quick as possible, but still have to be a part of your bigger picture risk framework, making risk visible to your leadership? I think you can have it both ways. You just got to build the foundation, and that can take a very long time.”

John Jessop, Associate Director of Information Security Programs, Large National Healthcare Entity Headquartered in New York City

“Our current model is, think of it as a capabilities maturity model. It's our initial model, and so we actually have a tiered model. So we are in what we call the basic security layer, and next year, we'll be starting on our advanced security layer. You have to do the gap assessment. You have to tie it back to your actual threats and vulnerabilities, and it has to be supported with an underlayment of controls. Now we use obviously HIPAA, HIPAA security, and we use payment card industry data security standards. And we've cherry picked a number of NIST controls out of SP 800-53.

I love that special publication. It's just great, but it's extremely comprehensive, and you have to start someplace and work your way up to that. And so that's what we're doing.”

Joey Johnson, CISO, Premise Health

“We'll take on HIPAA for a second. I think the HIPAA approach to required controls versus those that are not, right, that's bad because you can't have a framework where a large healthcare payer invested billions and put all the right tools, the technologies, in, but it's a much bigger target, is battling to be HIPAA compliant. Whereas you have Dr. Joe's Vision Shop, you know, up in the farthest northwestern corner of Montana, also can say that they are HIPAA compliant, and they don't have half of the controls in place.

Now I understand, obviously there's scales of what organizations can invest in. But to be able to use a different measuring stick that makes those organizations come out on a different end of the equation is a broken model to me. So that's what I think on that one.”

Mike Wilson, SVP & CISO, Molina Healthcare

“HIPAA clearly makes the point that we are to understand the inventory of assets, and we're to categorize those by tiering and risk. And we are to think about them in terms of threats and then obviously apply controls appropriately and then to test the efficacy of those on a regular basis. So I see medical device very much coming under the realm of HIPAA.”

“All of a sudden under the digital world, I'm having to think about things in a far broader way. I would argue I'm having to think about things in a product way that perhaps I haven't thought about before. I have to think about the settings of these products and these solutions with the hardware each to them in settings like homes that I haven't had to before.

And I would argue, therefore, that my role is changing. My role is probably becoming far more business contextual and risk management orientated in its sort of outlook than necessarily focused on back room I.T. efficacy around controls and such, which there's always been a little bit of an ongoing tension there.

I would suggest that our traditional role as a CISO or CSO in a company is being disrupted with this digital story that we're having a discussion about today in very, very real ways now. The challenge is do the current CISO sitting in IT shops think that is their role going forward? Or are we creating a new role that is sitting in regulatory affairs or something, looking at quality and dealing with issues around medical devices and FDA compliance and things like that?

I don't have that answer. It could be a whole new class of roles that have been created or it could be an evolution of this role.”

Stoddard Manikin, CISO, Children's Healthcare of Atlanta

“I think that as an industry, we have historically focused on being compliant here in the US. We're focused on things like HIPAA. And what we really need to be focused on is what is the risk to the patient. We've always been mostly worried, too, about disclosure of data and the fact that hackers would steal data and post it or expose it online and that sort of thing, and then we'd have to report it as a breach and go through that whole legal compliance government rigmarole.

Patients can recover from a data breach in those cases. They cannot recover if they are killed due to a safety event created by either a bad medical device or a ransomware event. And I think that needs to be the number one focus as we run our security programs to say, of course, we're worried about patient data confidentiality. But at the end of the day, the most important thing is to do no harm.

And we have got to make sure that we're enabling our caregivers to take care of patients in the best way possible. And that means that they need the availability of systems that are otherwise compromised due to ransomware.”

Nick VanDuyne, SVP/CIO at Healthix

“Maintaining audits is as mundane as it sounds. And as unglamorous as it is, is really an important part of making sure that you've established good trust with both your clients and with the community at large.

Again, because if we don't really have that level of trust, and people can't feel that they're being taken care of, that their data is being taken care of, then we sort of lose the whole premise of what we do, right.

Because everything is based on respect and trust, and we have to make sure that we maintain that. So we take it very seriously. We probably over audit to be honest, but in our sense, we feel that does us a better service than not.”

Contact our team at Meditology to learn more about our HIPAA compliance, security, and risk management services and capabilities.

Read Healthcare CISOs Sound Off, Volume 1: Medical Device Services
Read Healthcare CISOs Sound Off, Volume 2: Risk Reporting & Engaging with the Business