Recently Mike Pietig, GM of CompliancePro Solutions, sat down with Christopher Lyons, Director of Cybersecurity, to discuss the intersection of healthcare compliance and security. This podcast was published on AEHIS and is available below, or wherever you listen to high-quality podcasts.
Mike: Hello and welcome to the CompliancePro Solutions podcast for today’s topic: Does being compliant make you secure?
Mike: My name is Mike Pietig. I am the General Manager here at CPS and I will be the Mike for this podcast.
Mike: With me today is Chris Lyons, Director of Cybersecurity with CompliancePro Solutions. CompliancePro Solutions provides Security, Privacy and Compliance solutions. CPS provides security solutions to covered entities and business associates through Security Risk Assessments, Penetration Testing, and a SaaS Solution to help organizations identify their areas of risk and ensure they are HIPAA compliant and secure. Chris – thank you for joining me on today’s podcast.
Chris: Thank you for having me today.
Mike: We will be asking Chris about HIPAA compliance and if that makes a company secure.
Mike: Now on to our Q&A. If a company follows the rules that are included in the HIPAA Security rule, does that ensure that their organization is secure?
Chris: The HIPAA security rule is a set of requirements that has been enacted to establish a baseline set of requirements for healthcare organizations, and other organizations that support healthcare, to implement fundamental security requirements.
The original HIPAA security requirements were written to be very open-ended for a reason. With the varying size and complexity of healthcare organizations, it is tough to write a set of specific implementation requirements for security controls that would work for all organizations. There are many ways a company can implement controls to satisfy the specific HIPAA requirements, but they can range vastly in the cost to implement and in complexity.
If we take one area of security such as access control, the goal is the same no matter the size of your organization: to ensure users can only access what is required in order to fulfill their job functions. With that being said, if a company has 5 employees, the controls they would implement would be much different than those of a company that has 500 employees.
Ultimately, the HIPAA security rules are up for interpretation by each organization and are the entry level to securing your company and its data.
Mike: That is helpful – a follow-up question:
- What do you mean by entry level?
- If the rules are “up for interpretation” or “open ended,” how does an organization know they have successfully implemented the HIPAA security rule requirements?
Mike: If HIPAA rules are the entry level for security, does that mean that companies that only use the HIPAA requirements to set their standards are not secure?
Chris: Good question. Using only the HIPAA requirements in setting a company’s security posture does not automatically mean the company is not implementing adequate security controls. You have to look at how that company is viewing the rules and how they are designing the controls to ensure the basic rule requirements are met. Most companies that have a strong security stance are using at least one other framework such as NIST or ISO in addition to the HIPAA requirements.
In reference to the first question, the HIPAA rule is written to work across all organization sizes and types. In the real world, each organization type and size has a different security implementation to comply with the rule.
Ultimately, the implementation of controls and how the organization assesses them will identify the level of compliance/security.
Mike: How would you define or measure the difference between a company being compliant and a company being secure?
Chris: When you are talking about being compliant and being secure, especially in a healthcare environment where HIPAA is the regulatory body, being compliant and being secure can be the same thing, but many times they are not. The main things to remember are:
- HIPAA as a regulatory framework is intentionally vague, and as such does not set a lot of specific requirements for compliance. This allows companies to tailor their security controls to fit their environment. Not all implementations are equal; some are more secure than others. Typically, the more secure controls are more expensive and time-intensive to set up. This can lead to less secure controls being used to meet the compliance requirements.
- While a company can never be immune to having security issues, the more time, energy and resources put into the controls, the higher the level of security that can be ensured.
- And finally, always remember that the HIPAA regulation is an entry level to security; it is not the gold standard. HIPAA requirements ensure a minimum level of security, and do not necessarily ensure that a company is secure.
Mike: Who (what roles) is typically responsible for an organization being secure and who is responsible for being compliant?
Chris: Everyone is responsible for being secure and being compliant.
Mike: If our audience is interested in learning more about how CPS is helping organizations with their HIPAA or other security requirements and frameworks, where should they go to get more information?
Chris: Go to our website: https://www.complianceprosolutions.com
Mike: Thank you, Chris, for joining us today for this discussion. The information you shared will help our audience understand the difference between being compliant and being secure.