Are You Certifiable? Navigating Healthcare Security Certifications


About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

Obtaining enterprise cybersecurity certifications can be a daunting task for those embarking on the process for the first time, as well as those that are managing repeat certifications.

Some critical questions emerge: Which certification is the best for my organization? How do I limit the cost, time, and requirements to achieve certification? Will obtaining a healthcare certification make us HIPAA compliant? What else do I need to know to get through the certification process?

Join us for this episode of The CyberPHIx as we speak with Bethany Page Ishii, Director at Meditology Services. Bethany leads Meditology’s healthcare cybersecurity certifications and shares her insights in working to successfully certify countless healthcare entities for more than a decade. Highlights of the discussion include:

  • Overview and adoption levels for cybersecurity certifications in healthcare including SOC 2, HITRUST, ISO, and others
  • Common pitfalls that can add time and cost to the certification process
  • The role of certifications in addressing major breaches and supply chain risks
  • The relationship between HIPAA compliance and security certifications
  • How to handle security control gaps and still obtain certifications
  • Review of security certifications for individuals and recommendations for healthcare professionals


Brian Selfridge: [00:00:20] Hello and welcome to CyberPHIx, your audio resource for information security, privacy, risk and compliance, specifically for the health care industry. I'm your host, Brian Selfridge. In each episode, we will be bringing you pertinent information from thought leaders in health care information security and privacy. In this episode we'll be speaking to Bethany Page Ishii, who is a director at Meditology Services. Bethany leads Meditology's health care cybersecurity certification services and shares her insights in working to successfully certify countless health care entities for more than a decade. I'll be speaking with Bethany today about health care security certifications overall. Specifically, we'll be looking to answer some common questions about certifications, like: what certification is best for my organization? How do I limit the cost, time and requirements to achieve certification? Will obtaining a health care certification make us HIPAA compliant, for example? What else do I need to know to get through the certification process? And much more. So now let's get to another great conversation with yet another amazing guest, Bethany Page Ishii.

Brian Selfridge: [00:01:26] Hello, welcome to the CyberPHIx, your leading podcast for cybersecurity, privacy, risk and compliance, specifically for health care. I'd like to welcome my guest, Bethany Page, who is a director at Meditology Services, leads Meditology's health care cybersecurity certification services, and has more than a decade of experience supporting health care organizations and their risk and compliance programs. Bethany served as a CISO for five years for Meditology Services and Corl Technologies, where she was responsible for leading the firm's data security and threat response activities, including securing the firm's SOC 2 attestation, which is an important part of this conversation today. She's helped contribute to getting many organizations HITRUST certified and SOC 2 certified and has in-depth knowledge of security technology frameworks such as NIST, HITRUST, SOC 2, PCI and much more. In our session today, "Are You Certifiable? Navigating Healthcare Security Certifications," we're going to tap into Bethany's extensive experience getting health care entities certified for common cybersecurity standards and frameworks. So with that, Bethany, thank you so much for taking the time to join us today. We're really excited to get a chance to speak with you.

Bethany Page: [00:02:30] Thank you, Brian. Very excited to be here. Thank you for having me.

Brian Selfridge: [00:02:34] So let's start out talking about what certifications are out there. It seems like the adoption of cybersecurity and risk management certifications is skyrocketing in the industry. But what are really the top handful of certifications that you're seeing actually adopted out there? If you could just give us sort of the high level review of maybe what's the difference between them at again, at a high level?

Bethany Page: [00:02:56] Sure, absolutely. So as far as, you know, what I'm seeing out there and what I work with with my clients, I'd say HITRUST is in the lead. So HITRUST certifications especially. You know, I think back in 2015, we had the big payers kind of mandate that, you know, in order to continue working with them, they required either HITRUST certification or a SOC 2 examination. So those are the two certifications, and while SOC 2 isn't necessarily a certification, it's still showing good faith effort for having a security program in place. But HITRUST and SOC 2 are definitely the forerunners and leaders in the certification space that I am seeing, especially within the health care industry. From an international market perspective, ISO is out there, but again, not really seeing much momentum in that space.

Brian Selfridge: [00:03:56] So why are organizations getting these certifications? What's driving the industry to go out and obtain these? If you have a sense of it, is there one primary reason, or are there several reasons?

Bethany Page: [00:04:08] Yeah, I'd definitely say there are several reasons. And I think I had mentioned the drivers from the big payers, the Blues, that required their business partners receive a certification, either HITRUST certification or a SOC 2 examination, if they wanted to continue doing business with them. So there was a lot of uptick in the industry once that was communicated. You know, the other reason that I think is a big driver is that there's a lot more awareness around breaches and cybersecurity. You know, as I speak to various C-level executives from different companies, they're hearing about breaches and security concerns from various sources now. You know, it's not just the security forums that are out there, but, you know, it's in the news now. We're hearing big names like Microsoft in the news, and even the government putting out their concerns. You know, late last year, there was a notice published by the FBI. So based on the various news outlets and publications out there, it's getting to the C-levels and it's becoming more of a concern. And I think the idea is that these security certifications, they're not bulletproof, but it's allowing organizations to demonstrate that they're taking the right steps and, again, demonstrating an act of good faith. The last thing I'll say as far as a driver, and I think it's more of an aftereffect or more of an afterthought, is that there are certain monetary incentives from insurance companies. So if you are HITRUST certified, you can get a discount from your insurance provider. But I think, you know, I haven't heard of any numbers falling above 10 percent. It's usually around a 10 percent discount or so.

Brian Selfridge: [00:06:02] So it sounds like there's really two dominant certifications available for health care entities that you mentioned, HITRUST and SOC 2 in particular. Maybe we can dig into those in a little bit more detail here, and we'll start with HITRUST. What does it take to get HITRUST certified? That sounds great. I'm sure if we could do it, we would do it. But really, what's the level of effort of the process? And does it change depending on what type of organization you are, if you're a health care provider or payer or any other organization type? You know, what does that HITRUST certification process look like?

Bethany Page: [00:06:35] That is a loaded question, but a great one. So, you know, luckily with HITRUST, it is very scalable, right? So if you're a payer, business associate or a provider, you know, there are certain scoping questions, and really, once the scoping piece of a HITRUST engagement is complete, you're left with your in-scope requirements. And again, it's tailored to your organization type, the systems that are in scope, and also the size and complexity of your organization. From there, once you go through the scoping exercise, you have all your in-scope requirements, and that could range from around two hundred requirements all the way up to the nine hundred range if you go for that comprehensive security assessment. But from there the process is similar across the board, regardless of what type of organization you are. So HITRUST is really looking to make sure that at each requirement level you have a policy, a supporting procedure, and that you can demonstrate that the requirement is implemented. So being able to provide a screenshot or some type of proof that the requirement is implemented. There are some additional levels, what I like to call extra credit. So some measured and managed pieces that get more into, you know, I'd say the more mature organizations that have gone through a HITRUST certification for a couple of years. That really is geared to metrics, reporting and communicating up to management.

Brian Selfridge: [00:08:27] So I know you've done a million of these HITRUST certs. I might be exaggerating a little bit, but it's close to a million. What are some of the biggest kind of pitfalls and missteps that you see? Where do organizations kind of mess this up? And not necessarily to the extent that they wouldn't get certified, but that may be introducing cost, time, money, things that they would otherwise like to avoid.

Bethany Page: [00:08:47] Yeah, I'd say first and foremost, a pitfall and a recommendation is going through a readiness assessment. So you want to go through the exercise to assess the requirements that will be in scope for when the certification time comes. So it's almost like a, you know, we call it a readiness because it's getting not only the organization ready, but also you're building that relationship with the client. So the assessor and the organization are building that relationship. The assessor is getting to know the stakeholders and the control owners ahead of the certification period. So it's really just setting up both parties to be as successful as possible when the certification period comes around. So not doing a readiness is definitely a common pitfall, because organizations will be seeing a request for the first time. Whereas if you go through a readiness assessment, you're familiar with the request, you know what documentation needs to be provided. And by the time the certification comes, you're really just refreshing the documentation that was collected during that readiness period. Another common pitfall I see is having external drivers setting the pace. So sometimes there's a deadline and you're backing up into the deadline. Sometimes you can't help that. But to that end, if there is a hard deadline, I've seen organizations not give themselves enough time following a readiness assessment to really go through and remediate the gaps that were found during that readiness period. And there are certain rules HITRUST has, right? And one of those is a 90 day control run period. So you need to have policies and procedures in place for 90 days leading up to that certification period, and outside of policies and procedures, you also need to make sure that you have a control implemented and operating effectively for 90 days. And the whole intent behind that is just to ensure that the organization doesn't install anti-malware on all their servers a week before certification, and then we go through and test it. So the 90 day rule makes sense and is something that organizations definitely need to make sure they take into their timeline when they're looking to achieve HITRUST certification.

Brian Selfridge: [00:11:25] So those are great pitfalls. Well, not great pitfalls. We don't want to fall into them. Are there any other recommendations? We'll stick with HITRUST just for a second, then we'll move on to some other stuff. But any other recommendations, things that can be done well to kind of accelerate the process, if you're stuck with one of those timelines that you don't have the luxury of backing out of, or you have to back into? Any other accelerators or things that organizations do to make it go a little bit more smoothly?

Bethany Page: [00:11:50] Yeah, absolutely. And one of those is making sure you understand the HITRUST requirements, you know, the spirit of the control, and again, know where you need to go to get the information. A lot of time is wasted figuring out who the right person is. So kind of deciding that upfront can really help accelerate the assessment process and make it go more smoothly, and having that document repository. So really the document repository can be extremely helpful in future years. So you've collected the information once during your initial year, but for repeat assessments, maintain that documentation. Then when it comes time for the interim assessment or complete recertification, you're really just refreshing that document list and the evidence, and the control owners and points of contact aren't wasting time figuring out what they need to provide. It's just refreshing the documentation. The other accelerator I've seen work really well is around having good metrics and KPIs. Like, you need to be able to tell a story to the stakeholders and organization on where things are. So if things start getting behind schedule, you know, maybe you can get buy-in and more time and resources dedicated from the staff to really focus on HITRUST. And that's especially important if you have that really hard deadline and not a lot of time to work up to it. And to that point, make sure you have your stakeholders engaged and that you are reporting up to them. You know, usually certifications take more work than the organization plans for. So a shift in priorities or possibly pausing other in-flight projects may be warranted. And you don't want to go to your stakeholders and executives and ask for that, you know, mid-HITRUST certification. If you're continuing to inform them and providing executive updates on a set cadence, they'll be well informed and they might even jump to that conclusion themselves.

Brian Selfridge: [00:14:06] So we've been talking a lot about HITRUST, and I suspect a lot of those recommendations and pitfalls would apply to any certification, SOC 2, HITRUST and the like. Is there anything specific about SOC 2, any lessons learned there? Good, bad, pitfalls, recommendations about that? We call it a certification, right? But like you said, it's not really a certification. But anything specific to SOC 2 that you would want to point out?

Bethany Page: [00:14:27] Yes. Yes, absolutely. And really, I'm thinking through it, and similar pitfalls and best practices. But the one unique component of a SOC 2 is you have what we call a reporting period. And that reporting period is the audit period. And I'd say for organizations going through a SOC 2 for the very first time, think about starting with a smaller reporting period for the first year and then, the following year, adding on more months. And what that shows is, one, if we have a smaller reporting period, and the smallest reporting period you can have is three months. But typically organizations are eager to go ahead and get that SOC 2 report so they can share it with their business partners and say, hey, we got it, we're taking the right steps. And so a three month reporting period allows you to go through a readiness within, say, two or three months, go through, remediate anything that may have come up during the readiness period, and then that three month clock starts. You know, so if it ended in December, that three month period would be January through March. And then a CPA firm, Meditology Assurance, could come in at the end of March and start that SOC 2. And you're not waiting as long. So that would be my recommendation for SOC 2 organizations, or for organizations looking to be holding a SOC 2 report within a year or so. And then from there, you really want to demonstrate that your controls continue to be in place and operating effectively. So you look to increase that reporting period. So you go from a three month to a six month to a nine month to a 12 month, if you want to do that gradual increase in the reporting period. And really what you want to work up to is that twelve month reporting period, because what that tells other organizations is your controls are in place and operating effectively for an entire year, and there is no lapse in that time period.

Brian Selfridge: [00:16:41] I want to switch gears a little bit and talk about breaches and the sort of intersection with cybersecurity certification. So it seems like health care is just getting ransacked right now, with ransomware, of course, being the dominant theme. And we've got high impact events to operational processes, a patient safety perspective on these breaches. And then we've got the third party risk breaches, SolarWinds, Microsoft Exchange. I'm sure, depending on whenever listeners process this, there seems to be a new one every week. So I'm dating myself a little bit with those. Those are the recent ones. So cybersecurity and risk certifications like SOC 2, how do they help combat these types of breaches, and how so, if they do?

Bethany Page: [00:17:22] Great question. Yes, it helps. Really, where we see these certifications come into play, as you know, oftentimes, or not oftentimes, every single time with HITRUST, every single time with SOC 2, you know, we're looking at third party security, vendor risk management, supply chain. So that's where we're commonly seeing these gaping holes, where these certifications are going through and really doing analysis to make sure that any type of third party risk is covered to allow for, you know, a "clean," quote unquote, certification. You know, other areas that these certifications look at that kind of, you know, help with combating breaches is your incident response activities. If a breach does occur, are you able to detect and respond to it and really eradicate it within a timely timeframe? And then lastly, in addition to third party risk management and incident response, the last piece really is overall risk management, right? These certifications look at your risk management program. Are you performing periodic risk analysis? You know, it's great that you're doing a security certification once a year, but what are you doing after the fact? So ensuring that there's continuous monitoring of controls is really what ties it all together. And these certifications, HITRUST and SOC 2, you know, they do consider these overall risk management and governance pieces that really are meant to be part of the entire cybersecurity lifecycle. It's not just a one and done, but, you know, it's a journey.

Brian Selfridge: [00:19:22] So you mentioned risk analysis in that last comment there, about conducting routine risk analysis and how certifications help with that. Let's talk a little bit about HIPAA compliance, because I think I often hear a lot of confusion between getting a certification like a HITRUST or SOC 2, and then there's all the HIPAA security rule stuff we need to do. Is there overlap between the two? When you go through the certification process, does it help you with HIPAA? If you do "the HIPAA," the other way around, if you're doing all the right stuff from a HIPAA perspective, does it help you with your security certification? So kind of, where's the overlap there?

Bethany Page: [00:20:02] Yes, I'm glad you brought that up, Brian. So recently, there's this new OCR safe harbor rule that was released earlier this year, and the law really is incentivizing covered entities and business associates to adopt security frameworks and really just adopt security best practices. And they specifically call out the HITRUST CSF certification, as well as NIST standards. And really, what this will do is, if a business associate or covered entity gets into, you know, a resolution agreement with OCR, OCR actually has to take into consideration and recognize these security practices, including adoption and certification of the HITRUST CSF. So in summary, it does serve organizations well to go through a security certification like HITRUST, because it will ultimately end up saving money if they ever do get into an OCR resolution agreement and start having those conversations with the government.

Bethany Page: [00:22:20] As far as "the HIPAA" goes, you know, HIPAA does require that a security risk analysis be performed. They lay some groundwork of what needs to be in place, but it's not prescriptive. We all know that now. And one great thing that HITRUST does is that HITRUST is very prescriptive. So it does provide a great risk management framework for going through and being able to satisfy the risk analysis requirement of the security rule. And of course, it does touch on a lot of the other HIPAA security rule components. And in fact, if you go through with a HITRUST certification, you do kind of have that alignment. And there's a report that kind of lines an organization up and shows where there is overlap with the HITRUST framework and the HIPAA security rule.

Brian Selfridge: [00:23:29] So we've been staying pretty high level with our conversations on sort of process and leadership. I want to, because I know you've been in the weeds, so to speak, with these certifications, I want to kind of speak to maybe some of our audience that is in the middle of this, that is dealing with the challenges of specific security controls that are required. You mentioned several hundred controls earlier, and that seems pretty daunting. What does an organization do if they can't meet a specific control? And I don't mean that they don't want to, but, you know, they have to get certified within this calendar year, and to do so they're going to have to meet some very specific technical requirement or something, one of 600 controls. You know what? Can they still get certified? How do they handle those sort of one-off, wonky controls, so to speak?

Bethany Page: [00:24:20] The one-off, wonky controls, they're out there. You know, going into it, what I tell my clients from the onset is you're not looking for one hundred percent, you're not trying to get an A plus. And if you look at the HITRUST scoring rubric, you know, what equates to an A plus in terms of what we're used to in grade school translates to a seventy one percent. So again, not looking to achieve perfection, and most organizations I've worked with, they don't get one hundred percent for implementation. It's not the scary monster in the room, the implementation piece, but compared to policies and procedures, I tell clients, look, it's a documentation exercise. Make sure it's easy to get 100 percent for policies and procedures. For implementation, if you're not able to get to 100 percent for a certain requirement, that's fine, as long as your overall score and average at the domain level meets that passing score. Aiming for seventy one percent, you can get by with a sixty three percent as well. But as long as that weighted average is within that passing score, you're fine. You might have to document a corrective action plan if it's a control that's considered required for certification. But that's normal, and you've got to start somewhere. And then in the future years you continue to build on it and you get fewer CAPs on your HITRUST report. And one example that really comes to mind, you know, this was years ago, and there used to be a requirement for having two firewalls by two different vendors.

Bethany Page: [00:26:19] And this organization I was working with was really struggling because they wanted to get one hundred percent, but it was going to cost them at least a million dollars. So there were a ton of internal conversations that occurred. And ultimately the decision was, we're passing. We're going to get our HITRUST certification based on how things are panning out with the other scores. It almost comes down to a pride thing, right? Are we going to spend a million dollars to try to save our pride and get one hundred percent or a no-CAP HITRUST report? No, that doesn't make sense. And since then, we've seen that requirement go away. You know, the challenge, or the beauty, depending on what lens you're looking at it through, is that HITRUST continues to evolve and comes out with a different version. So as the regulatory landscape changes, you know, HITRUST adapts and changes their requirement set. And they listened to the organizations that were really struggling with that two-firewall requirement and ended up removing it. So, you know, I would tell an organization not to get hung up on any one control. You're targeting an average. So hit the average and you'll be in good shape and you can get certified.

Brian Selfridge: [00:27:42] I think that's a great point. Just as a commentary, you know, that frequent cycle of updates for HITRUST, I agree, can be really challenging. But, you know, we just saw NIST finally release a new version of 800-53 and put in supply chain controls, for example, which are now kind of the dominant risk function. So these things do update over time. I suspect that's a challenge. I mean, how much work, if you've been certified, is there? Is there a lot of work, or what does it look like to get recertified year over year when these things change? Is it sort of, you know, fairly minimal, or can it be pretty extensive, depending on what the regulations are changing or the situation on the ground, so to speak?

Bethany Page: [00:28:27] Yeah, I'd say it depends. So some years there are some drastic changes that come out from HITRUST. Especially, you know, over a year and a half ago with version nine, there were a lot more requirements, and the illustrative procedures were beefed up, so to say. And we also saw a lot more requirements come into scope. So a three hundred requirement certification might have grown to five hundred requirements. But there are interim version releases as well that don't necessarily impact the number of baseline requirements outside of just a handful. So really HITRUST drives whether or not it will be a heavy lift moving forward. And what we're hearing with version 10, that's supposed to be released in the next month, is that it shouldn't be that drastic of a change. And if anything, it will help kind of clarify certain requirements and really help clear things up. But to get to the part of your question around what it takes for the recertification, year three after the interim in year two, by that point the organization is comfortable with HITRUST. You should know where to go to. But I know we talked about common pitfalls and accelerators, and one recommendation I would give is make sure you're maintaining your HITRUST documentation and you have a repository of, you know, who to go to for what. And that recertification will be a lot less painful when that time comes. Lastly, make sure you're keeping up with your policy and procedure reviews, so those should be reviewed at least on an annual cycle. So if you stay ahead of that, it won't be a catch-up once that recertification time comes around.

Brian Selfridge: [00:30:49] So I've got one more question for you, and it's really just to address those members of the audience that may be a little annoyed with me by this point for having a title about security certifications and then talking about organizational certifications instead of personal certifications, like CISSP and things like that, that you can get if you're a practitioner. So for anybody that's in that camp and has actually managed to stick around this long in the conversation, what cybersecurity certifications are out there, just quickly, that you would recommend for folks that are health care professionals that want to kind of up their game and get their own individual certification, in addition to these sort of larger certifications out there for the enterprise?

Bethany Page: [00:31:31] Yeah, I would start off by telling folks to really think about, you know, what their career aspirations are, or why they're looking to get the certification in the first place. You know, do you really want to hone in on your technical skills? And if so, then perhaps the Certified Ethical Hacker is the route to go. If you know that you want to stay more within an audit type role, then the CISA, or Certified Information Systems Auditor, is a path I'd recommend. And then same with management, as some people want to move up and climb the ranks and go into management, and even look into running a business one day. So in addition to, you know, a certification like the CISM, maybe it makes sense to look into exploring a master's program, maybe an MBA. So there are a lot of great certifications out there. And of course, I'd be remiss if I didn't mention the CISSP. So if you want the grandfather of security certifications, that's definitely the route to go. I have been really impressed with SANS training and recommend any course that the SANS Institute offers. And then, you know, I think the prior certifications I mentioned are really industry agnostic. But if you want to stay within health care and that's your schtick, then there is a certification called the HCISPP, which stands for HealthCare Information Security and Privacy Practitioner. And that's a great certification, especially if you want to get your feet wet and come up to speed with health care regulations as well.

Brian Selfridge: [00:33:36] Fantastic. Well, Bethany, thank you so much for your insights. I think, unfortunately, we've run out of time like we always do. And I always have a million more questions. But you've got to go get people certified, get organizations certified. And I can't thank you enough for taking the time to join us and sharing her insights into health care cybersecurity certifications and how they'll plan to evolve. I suspect these are going to be around for quite some time and continue to be a dominant force as we see all these breaches and other business drivers, as you mentioned. So thank you so much for taking the time to be here with us today. A great discussion.

Bethany Page: [00:34:10] Thank you so much for having me, Brian.

Brian Selfridge: [00:34:15] Again, I would like to thank my guest, Bethany Page Ishii, for sharing her insights on health care security certifications. I appreciate Bethany's practical guidance for acquiring certifications, as well as some of the implications of certifications on the industry as a whole going forward. Sounds like certifications are going to be a staple of the health care security risk management ecosystem for some time to come, as long as we keep seeing breaches in the volumes and scale that we've been seeing them over the last several years. As always, I'd like to have your feedback and hear from our listeners. Feel free to drop us a note about what topic you'd like to hear about or a thought leader you'd like to hear from. Our email address is CyberPHIx @ Thanks again for joining us for this episode of CyberPHIx. We look forward to having you join us for the next session coming up soon.