In January 2021, the President signed into law the HIPAA Safe Harbor Bill, which requires the Secretary of the Department of Health and Human Services (HHS) to consider an organization's security practices when assessing fines and performing investigations. The law states that organizations should receive credit for complying with recognized security practices as defined under section 2(c)(15) of the National Institute of Standards and Technology Act and under section 405(d) of the Cybersecurity Act of 2015. Section 405(d) is especially relevant to organizations involved in health care, as it led HHS to develop the Health Industry Cybersecurity Practices (HICP), which examined the threats facing healthcare and presented practices to address those threats.
However, to have an effective cybersecurity program, it’s necessary to do more than identify risks or threats. You must also address those threats. In most organizations, this responsibility is vested with the Information Security Officer (ISO) or the Chief Information Security Officer (CISO). But does your ISO have the ability to actually address those threats?
A few years ago, at the Health Care Compliance Association Annual Compliance Institute, someone asked a representative from the HHS Office for Civil Rights (OCR) how the agency would respond if it discovered that a breach had gone unreported because the security officer lacked the authority or resources to investigate. The representative's response was that they would expect an increased penalty. There is also the example of the $4.3 million civil money penalty the OCR imposed on MD Anderson, citing its failure to respond to a risk it had already identified as a threat to the security of ePHI.
Increasing Security Officer Effectiveness
Traditionally, the security officer has reported to the Chief Information Officer (CIO) or an equivalent role, and the security budget is folded into the overall information technology budget. This reporting structure can create conflicts of interest and reduce the effectiveness of the security officer and, by extension, the entire security program. For example, a CIO is normally focused on delivery and revenue, while the security officer may be seen as just another expense that won't increase revenue. There is also the concern that a security officer who reports to the CIO may not be able to raise concerns about security decisions made within the very organization they report to.
The HIMSS 2020 Cybersecurity Survey reported that 57% of the personnel responding on the state of cybersecurity at their organization were not in executive management. While it’s possible that these personnel report to someone in executive management, it’s also possible that the responsibility for cybersecurity is not vested with someone with the ability to implement an effective cybersecurity program. Additionally, the IDG’s 2020 Security Priorities Study indicated that approximately 33% of the time, the ISO reported to the Chief Information Officer.
Unfortunately, the regulatory guidance on security officials for health care says little about the reporting structure. While the HHS Office of Inspector General has provided guidance indicating that an organization's Compliance Officer should have the ability to report issues to the governing body and the resources to effectively run a compliance program, the corresponding guidance for security officials is less clear.
The HIPAA Security Rule (45 C.F.R. § 164.308(a)(2)) requires an organization to identify the security official who is responsible for the development and implementation of the security policies and procedures. In practice, the security official should also oversee training, respond to breaches, and oversee or perform the risk assessment that identifies the risks to ePHI. In addition, the OCR audit protocol requires that an organization have an identified security officer who has been assigned responsibility for compliance with the Security Rule.
NIST Special Publication 800-53, in its Program Management controls (PM-2, Information Security Program Leadership), indicates that an organization should appoint a senior-level security official with the mission and resources required to develop, implement, and maintain an organization-wide security program.
To better demonstrate an organization's commitment to security, the security officer should ideally report outside of the Information Technology reporting structure. The security officer should have the independence to evaluate and report on cybersecurity practices without fear of retaliation from their superiors. Ideally, the security officer should also have the ability to report directly to the governing body of the organization. One prominent healthcare certification, HITRUST, recommends that the security officer provide formal reports on cybersecurity practices to the governing body at least annually. HITRUST also requires that organizations demonstrate a commitment to security by properly funding it in their budgeting process.
And, of course, if your security officer has the independence to do their job without interference from other areas of the organization, that strengthens the evidence you can provide to the OCR to demonstrate your compliance with the HIPAA Safe Harbor Law.