The IT Service Management Series - Part 2: Information Security Management – Beyond Compliance
When asked, some healthcare IT companies may describe compliance season as stressful. Others might say the word “stressful” is polite. The entire activity takes us out of our comfort zone. It calls for opening your playbook to outside entities, calibrating your business to one or more third party standards, and dedicating a tremendous number of working hours. Worse yet, success rarely yields more business, but rather the ability to keep business as usual.
Compliance can feel like a burden but the path you created to establish your security infrastructure is a worthy reward. A comprehensive Information Security Management program adapts to technology, evolves with risk, and matures through regulation. CloudWave is no stranger to compliance. We undergo many of the same audits as our clients as well as additional assessments to test our processes (1) and strengthen our partnerships. (2)
Compliance audits require organizations to:
- Decipher legal and business language that may or may not be industry specific.
- Locate and evaluate policies and procedures (or develop new versions).
- Solicit resources from multiple teams to review and update documentation.
- Draw conclusions between audit requirements and the way you do business.
- Submit evidence to prove you comply with regulations.
- Finalize your submission, gauge your standing (pass or fail), and rehearse your greeting to the certifying authority.
Where is Information Security Management going?
Compliance regulations are not only here to stay, they are likely to become more demanding and invasive. (3) HIPAA and HITECH established important protections for health information but the requirement to “share data and make it more accessible” conflicts with “protecting data from unauthorized disclosure.” As compliance regulations demand more hospital attention, information security is charged with balancing dueling requirements and confronting the latest risks.
Direct information security vulnerabilities: (4)
- Loose “bring your own device (BYOD)” policies- insufficient or non-existent requirements to protect access to or data within personal devices in the workplace.
- End user negligence- improper use of sensitive information or business tools resulting in data loss, unauthorized access, or the introduction of threat actors.
- Inadequate hygiene- weak controls for privileged access management, avoiding patching and release management for aging infrastructure (clinical and non-clinical).
Indirect information security vulnerabilities. (5)
- Limited investment in cyber security- patient care usually outranks security, limiting investment options in security tools, stronger networks, and critical infrastructure.
- Healthcare is a goldmine for threat actors- high value of black market EHRs and low effort/high return success rates of ransomware make healthcare a prime target.
Although compliance makes healthcare IT better, patient health is usually the priority, making annual compliance more like cramming for a mid-term exam rather than thoughtfully planning and implementing enhancements.
BUSINESS AND SECURITY TEAMS MUST ALIGN
In ITIL, an effective Information Security Management program means information security is managed in every service and service management activity. (6) This is possible through a joint effort between two organization partners:
- Security team- who owns and enforces security policies.
- Business team- who provides input into security policies and incorporates the guidelines into their work.
Both teams are integral to achieving and maintaining your security standards. The business team must define and prioritize assets to be protected, (7) while the security team oversees implementation, organization adherence, and proactive changes and updates.
INFORMATION SECURITY MANAGEMENT IS YOUR COMPLIANCE COURIER
The greatest pitfall to both information security management and compliance, is allowing the business team to rely on the security team for IT security and protection. (8) This disengages the largest body of the organization and introduces opportunities to knowingly or unknowingly violate security standards, misuse sensitive information, or abuse information systems.
Despite the hardship of meeting or maintaining compliance, most guidelines are good business practice and your teams should be encouraged to reach them. Additionally, compliance standards incorporate risks the business team may find interesting (i.e., impact of data loss, response plan to losing clients, continuous operations after a disaster, etc.) (9)
Change of mindset: find the positives during your compliance audit
Although compliance audits are typically involuntary, the preparation phase is one of the rare circumstances for your organization to work together as a whole. It’s an opportunity to perform an environment check and monitor how effectively the business is meeting its objectives (e.g., change management, business operations [inputs and outputs], planning for the future).
Two reasons the Business should welcome an audit:
- Compliance is the perfect excuse to step back and exercise your processes to observe business flow.
- Some “voluntary” compliances are strenuous activities- and if achieved, should not be ignored as selling points (e.g., HITRUST is not a government mandate but it encompasses and exceeds several mandatory audits and demonstrates maturity).
Two reasons Security should welcome an audit:
- Security is rarely the center of attention and there is no better opportunity to persuade the organization to test controls and residual risks line-by-line.
- Security managers may gain a seat at the bargaining table to ensure their tools have adequate investment and their staff is challenged to take on the latest technical risks.
MORE THAN JUST CERTIFICATION
Information Security Management is more than protecting data and minimizing risk. The focus is to quickly and safely provide the organization access to everything it needs and nothing more. The compliance audit simply validates your commitment to these goals.
Compliance audits are routine activities with major implications for budget and staff planning. Earning or maintaining a certification is an important achievement but the security program you built as its foundation is the greater accomplishment. CloudWave is undertaking additional, more vigorous, audits to both strengthen our appeal and test our mettle. Meeting these guidelines will shape and shift our organization, potentially introducing challenges and conflicts. However, like an inoculation that temporarily pains the surface, the health of the organism is protected in the long term.
(6) ITIL Service Management Practices , Sharon Taylor (AMPG, 2007)
(7) ITIL Service Management Practices , Sharon Taylor (AMPG, 2007)
(8)ITIL Service Management Practices , Sharon Taylor (AMPG, 2007)
Travis Campbell, PMP, ITIL is a Technical Documentation Manager for CloudWave.