Next week, I am scheduled for a semi-annual risk assessment with my dentist. He performs a very specific, highly focused type of risk assessment that is totally worth the $125 it will cost. In addition to performing specialized maintenance (ultrasonic cleaning), he will provide a threat assessment (for oral cancer, cavities, periodontal disease and other anomalies). I’ll leave his office confident that my mouth is in a low-risk situation for the next six months as long as I continue to follow best practices and perform daily maintenance procedures. I am only vulnerable to these threats if I fail to follow a daily program of brushing and flossing.
I could always choose to save the small fee for these risk assessments and wait for a major dental disaster to occur. The problem with this approach is that a single incident may cost thousands of dollars if I need a root canal or some other type of procedure. Ten years of checkups are less costly than even a single disaster.
Enterprise IT risk assessments
Unfortunately, in the world of local government and SMBs, the most common approach to risk management is to allow a major catastrophe to occur before realizing the value of an enterprise risk management program.
I am at a loss to explain it. Incidents or problems involving your information and IT infrastructure are far more costly than risk management programs. Data loss, breaches, major downtime, malware, lawsuits and fines for compliance violations may cost hundreds of thousands or millions of dollars. They can permanently shut down your small business or really irritate your board of directors in a corporate environment. In the public sector, constituents pay for major screw-ups through increased taxes while the events are often covered up and the culprits skirt the blame and keep their jobs.
When was your organization’s last risk assessment? Can you put your hands on the report? If you haven’t had a risk assessment recently, it’s a safe bet that your policies are sorely lacking. Defining an organizational policy for risk assessment is an essential component of any comprehensive suite of security policies. Both HIPAA and GLBA require periodic risk assessments, but it is a sound practice for all types and sizes of organizations.
Where to start?
If you haven’t previously conducted an enterprise IT risk assessment, you should carefully consider your starting point. For example, if you have few or no security policies, it may be wise to form an IG (information governance) committee and begin by developing a comprehensive set of policies, procedures, standards and guidelines. On the other hand, your management team may benefit from the kind of wake-up call that a devastatingly thorough risk assessment can produce. A 100-page report that says you suck at security and risk management on every page may be just what you need to get everyone’s attention.
The results of a risk assessment should be used to reduce your organization’s risk exposure, improve CIA (confidentiality, integrity and availability), initiate positive change, and begin building a security culture. While using risk assessments as a punitive device isn’t the best approach, such reports often expose malfeasance and incompetence of proportions so vast that appropriate consequences are in order. In other words, if you have been paying a CIO $200,000 and the assessment uncovers gaping policy, security and privacy holes, you should certainly replace the CIO with one who has the required skill set.
Scope the project carefully
Risk assessments come in a lot of flavors, and the specific purpose and scope must be worked out with the auditors in advance. A few years ago, a client of mine released an RFP for a risk assessment after we worked extensively on the development of their information security policies. The proposals ranged from $15,000 to well over $150,000. This can happen even with a pretty clear scope. Big 4 firms, for instance, have hourly rates that may be several times what a local, independent practitioner may charge. NIST SP 800-30 provides valuable information on how to perform risk assessments, including some information on scoping.
Risk assessments may be qualitative or quantitative. You may be able to do some of the quantitative work in-house by gathering cost data for all your assets in advance of the assessment. Regardless of the scope and approach, the auditors will ask to see lots of documentation.
One positive outcome of a risk assessment is that it may force your management team to rethink EVERYTHING – in-house application development, infrastructure support, IT staffing & responsibilities, LOB (line of business) staffing & responsibilities, budgets, and just about everything else related to the manner in which your organization is run.
Risk assessments are way cheaper than disasters, so go schedule your checkup.
© Copyright Jeffrey Morgan, 2017
Are you a covered entity?
Basing a county/municipal information security (infosec) and cybersecurity framework on HIPAA is a logical choice, especially if you have one or more covered entities (CE) in your organization.
How do you know if you have or are a CE? If some department or division within your organization is a healthcare provider, a health plan or a healthcare clearinghouse, they are a CE. If you have clinics, doctors, psychologists, clinical social workers, chiropractors, nursing homes or pharmacies, you are a CE [i]. Moreover, many counties have divisions or departments that function as accountable care organizations (ACO), managed care organizations (MCO), healthcare clearinghouses or health maintenance organizations (HMO). These are all common functions, especially within large county governments.
Are you in compliance?
If anything described above applies to your county or municipal organization, one or more divisions of your organization is a CE and is required to be in compliance with both the HIPAA Security Rule and the HIPAA Privacy Rule.
In my experience, most county governments that have covered entities are out of compliance. Where does your organization stand?
I suspect what often happens is that executives look at something like information security policy requirements and say:
This has tech words in it. IT handles tech stuff. Therefore, I’ll turn it over to IT to handle.
What a huge mistake. An organizational policy dealing with the manner in which information is handled, regardless of whether or not HIPAA regulations apply, requires communication and coordination with legal, HR, IT, information security, risk management, archives, county clerks and other divisions within your organization. It’s not a tech issue; it’s a high-level, interdisciplinary executive function. It is an information governance (IG) issue, and it shouldn’t be handed off to your IT director or CIO to address unilaterally.
Trust but verify
There are a number of reasons why IT should not be delegated sole responsibility for organizational information security. For one, a successful information security program requires checks, balances and oversight. Trust but verify! A successful program also requires expert knowledge of departmental business processes that often exceeds the knowledge of the IT staff. Moreover, if your department heads have equivalent status within the organization, it is not appropriate for a CIO or IT director to unilaterally dictate policy to his or her colleagues of equal status. There are far too many IT departments that have adversarial relations with their end users because of their autocratic and often illogical decrees. Information security requires a team approach with executive and board oversight.
Extend HIPAA to your enterprise
If you have covered entities in your organization and have limited or nonexistent enterprise security policies, I would recommend that you consider building your entire enterprise information security policy on the HIPAA Security Rule in order to raise the entire organization up to that level while also getting compliant with federal law.
Why? It is highly probable that your organization uses shared facilities, shared IT infrastructure and shared services. Multiple information security levels create a significant management challenge and are certain to cause chaos and confusion. Multiple security stances will lead to security gaps and ultimately to breaches. Keep it simple and operate at the highest standard using generally accepted, good practices.
Develop your policy with the HIPAA Security Rule
There are two major components to HIPAA, the Privacy Rule and the Security Rule. For the purpose of this discussion, only the Security Rule matters, but we’ll definitely discuss privacy another day.
The original HIPAA Security Rule document, 45 CFR Parts 160, 162 and 164, Health Insurance Reform: Security Standards; Final Rule, is 49 pages of small print. However, the meat of the document is contained within the final six pages and includes a handy matrix on page 48 (page 8380 of the Federal Register).
The security standards in HIPAA are broken down into three sections, each of which has multiple layers and sub components:
- Administrative Safeguards (9 components)
- Physical Safeguards (4 components)
- Technical Safeguards (5 components)
These three major areas break down into at least 43 separate policy areas where your organization must build safeguards, including risk analysis, contingency planning, backup, passwords, HR sanctions and terminations, disaster recovery, encryption and many more.
Using the components in the matrix should enable you and your IG committee to quickly generate a suite of security policies and procedures that, when implemented and enforced, will vastly improve your current information security stance.
These are all policy areas that must be addressed as a matter of good practice whether or not you are a covered entity. This is why HIPAA is an excellent starting point for municipal governments that are infosec policy deficient.
1. Find out where your organization stands in terms of information security policies and procedures.
2. Find out whether or not you have covered entities in your organization. Must you comply with HIPAA? Are you compliant?
3. Meet with your IG committee to discuss your findings.
4. If you don’t have an IG committee — start one!
5. Download and review the HIPAA Security Rule. Use it to build your organization’s information security policies.
6. Use either the PDCA (Plan, Do, Check, Act) approach or the DMAIC (Define, Measure, Analyze, Improve, Control) approach to maintain continuous improvement.
7. Begin building a culture of security in your organization.
We’ll continue the discussion next week, so check back then.
This article first appeared in cio.com at http://www.cio.com/article/3188667/governance/hipaa-as-an-umbrella-for-countymunicipal-cybersecurity.html
The cybersecurity risk to local government
Weak or nonexistent cybersecurity programs represent a massive organizational risk to county and municipal government agencies in the United States. County and municipal executives are often unaware of these risks because they assume that their IT Director, CIO, or an external vendor is managing security and addressing the risks. It is rare that such an assumption is correct.
While the Ponemon Institute[i] found that “federal organizations have a stronger cybersecurity posture than state and local organizations,” the Brookings Institution[ii] concluded that “the vast majority of public agencies lack a clear cybersecurity plan.” Much of the available research is based on small samples, and I believe that these studies may understate the scope of the problem. Based on my 23 years of working with public sector organizations, I can state with confidence that most lack any cybersecurity plans at all.
Your job as a municipal executive is to provide leadership and management in order to get the big picture right throughout your organization. What follows is advice on how to ensure that an appropriate cybersecurity program is established and functional in your organization. I recommend that you, the municipal executive, assume high-level responsibility for cybersecurity oversight. You don’t need to know the technical details, but you must know whether or not the appropriate frameworks, infrastructure, policies and procedures are in place and working correctly.
The need for information security is as old as civilization and possibly as old as life on earth. Information Security (Infosec) was invented to protect the first secret – whenever and whatever that was. Infosec is not solely a human artifact — my Great Dane always felt the need to maintain security concerning the location of his favorite bones and dead woodchucks. Techniques, methods and models for protecting information haven’t changed all that much and the methods of cybersecurity are largely based on models for protecting physical information.
Information Security refers to the discipline and processes that protect the confidentiality, integrity and availability of all your information regardless of form. Cybersecurity is a subset of information security and applies to digital data. In this article, I may use the two terms interchangeably even though they are not the same; the point is that counties and municipalities need an Infosec plan that includes cybersecurity.
Municipal data – a pot of gold
County and municipal networks are treasure chests overflowing with priceless gems. Mortgage documents, deeds, births, deaths, ugly divorces, medical records, social security numbers, and military discharge documents are among the many types of publicly accessible documents that may contain PII (Personally Identifiable Information), PHI (Protected Health Information), or other sensitive information. Constituents turn over all this information naively assuming that you are doing everything in your power to protect it from theft and misuse. Are you a worthy steward of this treasure?
Root causes and obstacles
Let’s discuss eight of many root causes of failure to establish appropriate information security programs in local government organizations. Subsequently, we’ll move on to a methodical, practical approach you can initiate immediately to improve your cybersecurity posture.
“A lack of skilled personnel is a challenge at both federal and state and local organizations.”[iii] One problem is that many public sector IT Directors and CIOs don’t have the knowledge, training and background to plan and deliver acceptable, standards-based, comprehensive information security programs. They are often unaware of widely accepted standards, guidelines and frameworks that are readily available, so cybersecurity planning is often amateur and homebrewed. Moreover, HR and hiring managers often don’t understand the required skills[iv] and look for the wrong people.
The largest municipal agencies may employ a CISO (Chief Information Security Officer) but the vast majority of public sector organizations do not have a dedicated information security executive and staff, nor should they necessarily require one.
IT staff members are rarely trained in or even familiar with relevant statutory compliance requirements. I have come to expect a deer-in-the-headlights look from public sector CIOs and IT staff when inquiring about security policies, privacy policies and other matters of security and compliance. Questions about HIPAA Security Rule compliance, for instance, are almost always met with “What’s that?”
A jumble of regulations
Municipal organizations may have dozens of departments, divisions, or lines of business with varying regulatory requirements from numerous federal and state agencies. Municipal governments do a lot. They may be involved in building bridges, managing traffic signals, providing water, waste, electric and sewer services, supervising elections and recording deeds while providing physical and mental health services and dental care.
A typical County government may have to comply with regulations like HIPAA[v] (Health Insurance Portability and Accountability Act) and 42 CFR[vi] while also complying with policies from CJIS[vii] (Criminal Justice Information Systems) in addition to compliance with state regulations from organizations such as an Office of Mental Health, or Department of Health. Additional requirements for records management from State Archives agencies add to those complexities and often contradict other regulatory requirements.
Departments with vastly different information security and regulatory compliance requirements often coexist on a shared network where the security posture is designed for the lowest common denominator rather than for the highest. Often, municipal IT staff members don’t have clearly defined policies and procedures for reviewing information such as security logs and system events. Even if they do record these events, their stance is usually reactive rather than proactive.
Silos and turf wars
Counties and municipalities may have highly distributed management structures which function as silos rather than as a cohesive team. In some states, the silos may be a “feature” of constitutional government where elected officials manage some departments and may not be accountable to central executives. One result of this is that a county executive, and consequently County IT, may not have global control of IT and information security because other elected officials choose not to cooperate. Some real-world examples I have seen include:
- County judges and their staff members refusing to sign and abide by acceptable use policies.
- County sheriffs refusing to cooperate with an IT security audit, claiming their security policy and processes are “secret.”
- Social Services commissioners unilaterally declaring that HIPAA regulations don’t apply to their operations.
Silos in organizations create massive gaps in security management. When multiple parties are responsible for security, no one is responsible.
Most security problems are internal
90% of breaches occur because of an internal mistake[viii] and 60% of breaches are a result of internal attacks[ix]. Unfortunately, county and municipal information security programs often treat outside threats as 100% of the problem rather than focusing on more probable internal threats.
Insufficient budget is often used as an excuse for low quality IT services and lack of security in public sector organizations. It’s usually a red herring. In my experience, there is no correlation between budget and quality in the public sector. I have seen small, low-budget organizations build excellent security programs and have also seen large organizations with eight-figure tech budgets fail to establish even the most elementary components of an information security program. A cybersecurity program will cost money, but it doesn’t have to bust your budget.
In local government, critical management positions are often filled based on political considerations rather than quality of candidates. Expertise in information security should be a major component in your CIO’s toolkit.
Tech versus strategic thinking
If you think in terms of technology, stop it! I am always a little suspicious of industry professionals who fall in love with a particular technology. Technology is rapidly replaced or superseded so think strategically instead. There is no such thing as a technology problem; there are only business problems. Identify and solve for the business problem and the appropriate technical solution will reveal itself.
Start with Information Governance (IG)
What’s the first step in establishing your cybersecurity program? It has nothing to do with cybersecurity.
Information Security and cybersecurity must be components of your overarching Information Governance (IG) Program, overseen by an interdisciplinary team with executive support. Treating cybersecurity as a standalone program outside of the context of your organization’s information universe will produce a narrow approach. Do you currently have an IG program?
I can hear some grumbling right now. “Jeff, when do we get to the important stuff?”
IG is the important stuff. There are no silver bullets. There are no miracle pills that will address your information security requirements. No miraculous hardware or software will magically keep your information safe unless you have the right policies in place. There is some real work to do here and the P-things are the most effective tools to pack for your InfoSec journey. You will develop these from your IG Program:
- Policies
- Processes
- Procedures
What is information governance?
I like Robert Smallwood’s succinct definition of Information Governance: “security, control and optimization of information.”[x] In order to develop sound InfoSec and cybersecurity programs, you must know what you are protecting and why you are protecting it. The purpose of the IG program is to map, understand and manage your entire information universe. The map you create will serve as the foundation for your information security programs.
In a municipal government organization, an IG committee may include legal, HR, records management, IT, finance, and auditors, as well as other departments. Let’s say your municipality has a public health clinic, recorder of deeds, personnel/payroll and a sheriff. This means you have medical records, prisoner health records, recorded 911 calls, police reports, mortgage documents, confidential personnel records, payroll records, social security numbers and a lot more. The people with special knowledge about the nature and disposition of all this information must be on your committee.
In some organizations, information and security policy is developed at the whim of the CIO or IT Director. Is that IT Director expert in statutory requirements and industry best practices for all the areas mentioned above? I doubt it. This is why you need a cross-functional team to map the universe and make a comprehensive plan.
Establishing a comprehensive information security program
Once you have begun building your IG foundation and framework, your Infosec and cybersecurity requirements will be much clearer. Also, IG, Infosec, and Cybersecurity are not one-time activities. They require a process for continuous improvement like PDCA (Plan, Do, Check, Act) or DMAIC (Define, Measure, Analyze, Improve, Control). Get something in place first, and then continue to improve it. Attempting to get it perfect from the start will only result in implementation delays. This job never ends but it gets much easier once a solid foundation has been built.
Information Security Management Systems (ISMS), Frameworks and Standards
Once you have a comprehensive understanding of your information universe, develop security policies and programs for implementation and enforcement of those policies.
Use an existing framework. Designing comprehensive information security programs is more complicated than installing firewalls and anti-virus software and there is a great deal to think about.
There are many freely available information security tools in addition to standards and frameworks that require payment or membership in an organization. You can build a successful security program using only free tools, but my crystal ball is on the fritz today so I can’t see which tool is best for your organization. I wish I could tell you there is a one-stop shop, but there isn’t. You will have to evaluate your situation, do the research and make informed decisions about the best approach for your organization. Following is a brief discussion of some of them.
The National Institute of Standards and Technology (NIST) provides an enormous quantity of information, and the gateway to it is available here. NIST’s Framework for Improving Critical Infrastructure Cybersecurity is available here, and a new draft was released in January of 2017. Their Cybersecurity Framework Workshop starts on May 16, 2017 in Gaithersburg, MD if you would like to attend and learn more about it. You can also view a webcast with an overview of the Framework. In their words, “The core of the framework was designed to cover the entire breadth of cybersecurity . . . across cyber, physical, and personnel.”[xi]
NIST also provides three Special Publication (SP) series: SP800 deals with Computer Security, SP1800 contains Cybersecurity Practice Guides, and SP500 covers Computer Systems Technology.
SP800-53, Security and Privacy Controls for Federal Information Systems and Organizations will likely be an essential part of your planning process if you are building upon NIST.
If a division of your public sector organization provides clinical services, it might fit the definition of a covered entity (CE). If so, that division is required to comply with applicable federal regulations including the HIPAA Security Rule. The regulation provides a clear, jargon-free framework for developing information security policies and programs. While it won’t address all the requirements for a municipal cybersecurity program, it can help you build a solid foundation for your security programs. I don’t have any official data on HIPAA Security Rule compliance in municipal organizations, but my personal experience is that it is extremely low. Is your CE compliant? If not, why not bring your entire organization up to HIPAA standards?
I have worked extensively with HIPAA regulations and NIST products for nearly 2 decades and I like them a lot. If they are not a good fit for your organization, there are other resources, including the following three.
The Information Security Forum (ISF) publishes the Standard of Good Practice for Information Security, available free to ISF members.
The International Organization for Standardization (ISO) publishes the ISO/IEC 27000 family of standards for Information security management systems. ISO products are not inexpensive, but in the overall scheme of things you might find them to be a reasonable investment. Organizations can certify through accredited registrars, which can also be an expensive process.
ISACA publishes COBIT 5, “the leading framework for the governance and management of enterprise IT,” which provides an integrated information security framework as part of a larger IT governance framework. According to Joseph Granneman, “It is the most commonly used framework to achieve compliance with Sarbanes-Oxley rules.”[xii]
The role of vendors
Trusted vendors can be helpful in building your programs, but overreliance on vendors for security advice is a suboptimal approach. While they may be knowledgeable about many aspects of your industry, only you and your cross-functional IG team truly understand your business requirements. Their job is to “sell you stuff” but they will generally draw the line at writing policy and taking responsibility for overall information security in your organization. If there is a major breach or some other catastrophic security event in your organization that becomes public, you are the one whose picture will be in the paper.
Summary – one step at a time
Take a few simple steps toward improving your cybersecurity infrastructure:
- Establish an IG committee and program.
- Discover and map your information universe.
- Establish an information security framework and security policy.
- Develop and implement your cybersecurity plan, based on the above.
- Use a cycle of continuous improvement.
This article first appeared in two parts in my CIO.COM column at:
A continuation of the subject appeared in:
References, Resources and Further Reading
Four critical challenges to state and local government cybersecurity efforts. Government Technology. July 17, 2015.
Commissioner Luis A. Aguilar. The need for greater focus on the cybersecurity challenges facing small and midsize businesses. US Securities and Exchange Commission. October 19, 2015.
Gregory Dawson and Kevin C. Desouza. How state governments are addressing cybersecurity. Brookings Institution. March 2015.
Human error is to blame for most breaches. Cybersecuritytrend.com.
[i] The state of cybersecurity in local, state and federal government. Ponemon Institute. October 2015.
[ii] Kevin C. Desouza and Kena Fedorschak. The vast majority of the government lacks clear cybersecurity plans. Brookings Institution. February 3, 2015.
[ix] Marc van Zadelhoff. The biggest cybersecurity threats are inside your company. Harvard Business Review. September 19, 2016.
[xii] Joseph Granneman. IT security frameworks and standards: Choosing the right one. TechTarget.com. September 2013.
If you found this information useful, or would like to discuss cybersecurity in your organization in more detail, please feel free to e-mail me at firstname.lastname@example.org. I would be glad to discuss your situation.
This article first appeared in cio.com at http://www.cio.com/article/3184618/government-use-of-it/county-and-municipal-cybersecurity-part-1.html
May I see your comprehensive security policy please?
Huh? What’s that?
Lack of compliance with the HIPAA security standards is common in county and municipal government agencies even though many of these organizations have covered entities (CE) under their umbrellas. For some reason, almost everyone got the memo on required compliance with HIPAA privacy rules in 2003, but many organizations missed the subsequent memo on required compliance with security rules by April of 2005.
Nearly 14 years have passed since the security rule was published, and I have no explanation for the compliance lacuna that exists today. If you are an executive, manager or provide IT services for a CE, your security policy should be as well-worn as your kids’ Harry Potter books.
If someone (e.g., an auditor) asks about your compliance program, you should be able to succinctly summarize it and immediately provide documentation of your compliance activities. If this doesn’t describe your organization, you are not alone, and there is no time like the present to begin the process.
Compliance isn’t a one-time, passive event, and there are routine steps you must take to ensure the CIA (confidentiality, integrity and availability) of your clients’ protected health information (PHI).
Denial and disbelief
Denial and disbelief are the first two stumbling blocks I encounter when informing managers in government agencies that they are not in compliance with HIPAA. Sickening yellow clouds of realization dawn over a period of several weeks while I continue to email copies of the Code of Federal Regulations (CFR) to the relevant parties. The attorney is generally the first to comprehend the magnitude of the situation.
Holistic information security
I talk about security policies rather than HIPAA policies. Something that is also common in municipal government is a lack of information security policies based on some generally accepted standard or framework for information security. You can and should address HIPAA security requirements and your overarching organizational information security requirements together.
Form a governance committee
Developing your security policy isn’t an IT project; it is part of an Information Governance program. A cross-functional team including representation from several organizational entities must be part of the process for developing your information security policies. Here are the roles I generally request to be part of the policy development team:
1. Executive owner
4. Information technology
5. Line of business units
6. Records management
7. Risk management, privacy and information security officer roles (Many municipal governments do not employ these functional roles, but they will once they have developed their policy).
Read the regulations!
I am a big believer in always working from primary sources. I encourage you to embark upon your HIPAA journey by reading the full text of the regulations. In the table below, I have hyperlinked them for your convenience. When I write policies for clients, I work directly from the regulation with their policy or governance committee so that everyone understands the process and the final result. Even so, clients will often argue about something that is projected on the wall right in front of them. I link every client policy to the corresponding HIPAA requirement.
Primary sources for compliance – educate yourself
| Source | Description | Date / version |
|---|---|---|
| HIPAA Privacy Rule | 45 CFR Parts 160 and 164, Standards for Privacy of Individually Identifiable Health Information | Final Rule, December 28, 2000 |
| HIPAA Security Rule | 45 CFR Parts 160, 162 and 164 | Final Rule, February 2003 |
| HIPAA Combined Regulation Text | HIPAA Administrative Simplification | Unofficial version amended through March 2013, combining the Privacy and Security Rules |
| HITECH Act Enforcement | HITECH Act interim final rule, including penalties for non-compliance | October 30, 2009 |
| NIST Special Publication 800-53 | Security and Privacy Controls for Federal Information Systems and Organizations | Revision 4, April 2013 |
| Privacy Rule Resources | HHS.GOV resources | |
| Guide to Privacy and Security of Electronic Health Information | Office of the National Coordinator for Health Information Technology | Version 2.0, April 2015 |
| NIST HIPAA Security Rule Toolkit | Downloads and tools from NIST for assessment, etc. | |
| NIST Special Publication 800-66 | An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule | October 2008 |
| Security Risk Assessment Tool | HealthIT.Gov | Executable tool; paper copy available too |
In a previous article on the subject, I provided a sample, high-level compliance matrix for a security policy aligned with HIPAA.
Vendors often market products as being “HIPAA compliant.” If you have read the regulations above, you now know that there is no such thing. The HIPAA security rule is technology-neutral, and any reference to compliance would be to your organization’s policy rather than to the rule itself.
Get to work!
If you are now nauseous because you realize that you are not even remotely in compliance, that’s a good thing. Use that feeling to quickly get to work to protect your organizational information assets.
© Copyright Jeffrey Morgan, 2016
This article first appeared on CIO.COM at http://www.cio.com/article/3134484/government/may-i-see-your-comprehensive-security-policy-please.html
I never sign medical release forms anymore. That’s because I read them. These forms tend to be lengthy documents which ultimately state that your medical records can be shared with just about everyone on the planet.
Don’t believe me? Here’s the first paragraph of a 2,000-word explanation of how PHI (protected health information) can be used by a nationally recognized pediatric provider:
Quality Improvement Activities: Information may be shared to improve the quality or cost of care. For example, your PHI may be reviewed by XXX XXX or outside agencies to evaluate and improve the quality of care and services we provide.
Outside agencies? Are you kidding me? Why would you sign that release?
Three can keep a secret if two of them are dead
Maybe I’m just an old-fashioned Luddite, but I prefer to be treated by a doctor rather than a corporation. A private practitioner who has a personal relationship with me is much more likely to take steps to ensure my privacy. Once those records are on a corporate network, my chances of privacy are considerably diminished. If my records are accessible to a RHIO (regional health information organization), the probability that I have medical privacy is near zero.
The problem isn’t necessarily one of policy or procedure; it’s more human behavior. Clerks and bureaucrats at Giga Health Services or the RHIO don’t know me and aren’t likely to care if my records are released to someone who shouldn’t see them. Their pockets are too deep for me to sue, and chances are that I wouldn’t ever even know whether my information was inappropriately or illegally disclosed.
Opt-out programs are a privacy abomination
Providers, CIOs, mental health directors, public health directors, and consumers should all be campaigning against the erosion of privacy that results from extensive sharing of health information. Instead, they are drinking the Kool-Aid and rolling over.
The Affordable Care Act has exacerbated the problem considerably, and I read all too much from healthcare IT industry pundits about the need for increased sharing of information and more “visibility.” This is all rationalized by dubious claims about saving lives and “improving outcomes.”
We’re all team players
In county and municipal government, it is often the case that consumers getting public or mental health treatment may also be involved with other departments, including social services, law enforcement, the court system and probation.
“We’re all on the same team, we’re all county employees. Why not show us what’s in those records?” asks the sheriff. The correct response from health officials should be “Get a subpoena, prepare to show cause, and we’ll see you in court, buddy!” Unfortunately, a common response is “Sure, let’s have a look. We’re all team players here.”
I know what you’re thinking. “Those people might be criminals! They wouldn’t do that with my records.” Yes they will. Even worse, you might be saying “I have nothing to hide. I don’t care who sees the information.” Not everyone would feel the same way, and many public figures have refused to release their medical records and even their academic records.
Once we begin to get cavalier about disclosure of PHI and other personal information, we are way past the slippery slope stage. We’re already rolling down the mountain in an avalanche. Redisclosure is governed by federal and state law and the problem isn’t restricted to local government entities. State and federal law enforcement and intelligence officials are likely to be granted access to PHI and all sorts of other personal information as well, without any of the legal protections that should be in place.
What’s the role of IT in protecting privacy?
CIOs should be playing a greater role in protecting privacy, but very few IT professionals have had any training on the subject. How many IT people do you know who are familiar with 42 CFR Part 2?
There are so many questions. What happens when IT directors receive subpoenas to provide protected information? Would they fight, or comply? Would they have any idea of how to respond? And what if your SaaS vendor gets the subpoena, circumventing professionals who will know how to respond? Is that addressed in your contract? Extensive training in privacy should be part of the tool set of every IT professional, but this is not currently the case.
This article was first published on CIO.COM at:
© Copyright Jeffrey Morgan, 2016
This isn’t about partisan politics or law. It is about good, common sense IT Governance. The ongoing revelations of the Clinton e-mail scandal demonstrate a total failure of IT Governance at the highest levels of the US Government. Not only is no IT Governance in evidence, the situation has displayed astonishing hubris, casual disregard for information security, and a massive sense of entitlement of all the parties involved. Common sense, good judgement and even a basic understanding of handling sensitive information seem to be completely absent. Where were all of the tens of thousands of security professionals employed by the federal government? Who was keeping an eye on the ball while all this was going on?
Having served for four years in Army intelligence, I can assure you that had this situation been perpetrated by minions and peons in the military, the culprits would already have been behind bars facing long sentences in military prison. Were similar revelations made about highly regulated corporations required to comply with regulations such as GLBA and SOX, we would have already seen dozens of executives and managers doing perp walks and making plea deals to stay out of prison.
We can’t easily fix what goes on in Washington, but you can take steps to ensure that your organization does not suffer this kind of embarrassment. I hope you are using this as a lesson and an opportunity to review your Acceptable Use, e-mail and information security policies and procedures. Make sure that all your policies, processes, and procedures comply with best practices, applicable regulations, and common sense. And make sure your staff receives annual training on these policies and procedures.
In general, large corporate entities tend to have strict policies because of the enormous quantity of regulatory compliance issues they face. However, many municipal and county organizations have elected or appointed officials who use personal e-mail addresses for conducting official business. There is absolutely no reason for this. E-mail is a dirt cheap commodity and a strict policy on e-mail is likely to prevent embarrassment, civil litigation, or criminal indictments down the road.
Here are some tips for e-mail usage and your policies:
- Never, never send confidential information in an unencrypted e-mail. E-mail is not a secure method of transmission.
- Never put anything in an unencrypted e-mail that you wouldn’t want the entire world to see. Even if it is encrypted, the recipient may decrypt it and accidentally (or purposely) forward it to EVERYONE. This happens all the time. Moreover, if your e-mail is FOIL’ed or subpoenaed you may find yourself in an embarrassing situation.
- Everyone on your staff should be using business e-mail for business purposes, and personal e-mail for personal purposes. Don’t cooperate with bad actors by communicating about a business issue to a personal e-mail account.
- Consider an e-mail archiving solution and have it configured to comply with all applicable regulations affecting your operation.
- Consider whether or not a DLP (Data Loss Prevention) solution would make sense for your organization.
If you require assistance determining appropriate e-mail and acceptable use policies, send me an e-mail at email@example.com.
Read more about IT Governance issues at http://blog.e-volvellc.com. If you are snowed in and want to read about hubris and entitlement with a real sleaze factor, pick up a copy of Tom Wolfe’s Bonfire of the Vanities.
Copyright © Jeffrey Morgan 2016
By Jeffrey Morgan
I am always astonished by the number of organizations I encounter that are not in compliance with the HIPAA Security Rule (45 CFR Parts 160, 162 and 164). If you are running a County government, for instance, there is a high probability that one or more of your departments are covered entities and have an obligation to comply with this regulation. Human Resources, Public Health, Mental Health, Social Services, the County Jail, the County Home, Probation, Courts, and Child and Adult Protective Services may all be covered entities and may process, store, transmit and manage Protected Health Information (PHI). While many covered entities have complied with the Privacy Rule, my observation has been that many covered entities are not in compliance with the Security Rule. Is your organization in compliance?
According to the Department of Health and Human Services (HHS), a covered entity is one of the following:
- A Health Care Provider
- Nursing Homes
- A Health Plan
- Health Insurance Companies
- Company Health Plans
- Government Programs that pay for health care such as Medicare, Medicaid, and Military and Veterans health care programs.
- A Health Care Clearinghouse
In the list above, I have highlighted entities that are likely to exist in a municipal government operation. Do you have covered entities in your organization? If so, are you in compliance with both the Privacy and Security Rules? You can view HIPAA as an onerous compliance issue, or you can view it as an opportunity to address critical security issues in your organization. Regardless of how you feel about it, it is federal law and there may be severe consequences and penalties for failure to comply.
A Brief History
The HIPAA Security Rule was adopted in 1996 and the Final Rule was published in 2003. Compliance for most covered entities was required in 2005. After more than 30 years of dealing with organizational security and Information Security Policies for government entities, I have come to the conclusion that the best way to handle HIPAA is to bring the entire organization up to the HIPAA Security Rule standards. Why would I suggest this?
A Solid Foundation
The HIPAA Security Rule provides a pretty good foundation and framework for an Information Security Policy even if you are not a covered entity. There are more than 3000 County governments in the United States and more than 19,000 municipal entities. Many of them don’t have any type of Comprehensive Information Security Policy. Even if you are not managing a covered entity, you should have a solid Information Security Policy. You may not be protecting PHI, but you have plenty of other information that should be protected. In my opinion, the lack of a security policy in an organization responsible for collecting, storing, and managing large amounts of sometimes sensitive public information constitutes organizational malpractice. If you get sued for a catastrophic breach, the courts are likely to agree with this assessment.
Roles and Responsibilities
Who should be responsible for HIPAA Security Rule Compliance or Information Security Compliance in your organization? There is no easy answer to this question, but as the Executive responsible for the organization as a whole, compliance is ultimately your responsibility. At another level, Information Security is everyone’s responsibility. The law has been on the books for 20 years and compliance has been required for the last 11 years. “I didn’t know” is no longer an acceptable response. But maybe you really didn’t know? You have a lot on your plate, but now is the time to fix it.
I will provide you with one possible high-level look at how responsibilities might be distributed. First, someone in your organization should fill the role of an Information Security Officer. Depending on the size of your organization, this may only need to be a part-time role. Nevertheless, you need a go-to person for problems, policies, issues, and questions about Information Security. Because of conflicts of interest, this role should never be delegated (in my opinion) to a person on the Information Technology staff. Attorneys, or staff members with backgrounds in law enforcement, security, regulatory compliance or investigation, are often good choices for this role.
Privacy Rule issues should probably be handled by individual departments based on their exposure, but there should be some organization-wide privacy policies as well. The HIPAA Security Rule covers physical security, technical and electronic security, and administrative security issues, so those roles will be filled by different, applicable departments or subject matter experts. For instance, compliance with the physical security components may be addressed by someone in your Facilities department.
As far as technical safeguards and full compliance with the Security Rule are concerned, that is a discussion for another article.
Sample Compliance Matrix
In the table below, I have included a sample compliance matrix. If you are a covered entity, or have departments that are covered entities, your Information Security Policy should contain, at a minimum, these elements. Take a look at your policy and see if it measures up.
| HIPAA Security Rule standard / implementation specification | Section (45 CFR) | R/A | Policy reference |
|---|---|---|---|
| Risk Management (R) | | R | III.6 |
| Sanction Policy (R) | | R | III.1 |
| Information System Activity Review (R) | | R | III.7 |
| Assigned Security Responsibility (R) | 164.308(a)(2) | R | III.8 |
| Workforce Security | 164.308(a)(3) | | |
| Authorization and/or Supervision (A) | | A | III.9.A |
| Workforce Clearance Procedure | | | III.9.B |
| Termination Procedures (A) | | A | III.9.C |
| Information Access Management | 164.308(a)(4) | R | |
| Isolating Health Care Clearinghouse Function (R) | | NA | NA |
| Access Authorization (A) | | A | III.10 |
| Access Establishment and Modification (A) | | A | III.10 |
| Security Awareness and Training | 164.308(a)(5) | A | III.11.A |
| Security Reminders (A) | | A | III.11.B |
| Protection from Malicious Software (A) | | A | III.11.C |
| Log-in Monitoring (A) | | A | III.11.D |
| Password Management (A) | | A | III.11.E |
| Security Incident Procedures: Response and Reporting (R) | 164.308(a)(6) | R | III.12 |
| Contingency Plan | 164.308(a)(7) | R | III.13 |
| Data Backup Plan (R) | | R | III.13.A |
| Disaster Recovery Plan (R) | | R | III.13.D |
| Emergency Mode Operation Plan (R) | | R | III.13.D |
| Testing and Revision Procedure (A) | | A | III.13.F |
| Applications and Data Criticality Analysis (A) | | A | III.13.G |
| Evaluation (R) | 164.308(a)(8) | | III.14 |
| Business Associate Contracts and Other Arrangements | 164.308(b)(1) | | III.15 |
| Written Contract or Other Arrangement (R) | | | III.15 |
| Facility Access Controls | 164.310(a)(1) | A | IV.1 |
| Contingency Operations (A) | | A | III.13.D |
| Facility Security Plan (A) | | A | IV.1.B |
| Access Control and Validation Procedures (A) | | A | IV.1.B |
| Maintenance Records (A) | | A | IV.1.C |
| Workstation Use (R) | 164.310(b) | R | IV.2 |
| Workstation Security (R) | 164.310(c) | R | IV.3 |
| Device and Media Controls | 164.310(d)(1) | R | IV.4 |
| Media Re-use (R) | | R | IV.4.C |
| Accountability (A) | | A | IV.4.A, IV.4.B |
| Data Backup and Storage (A) | | A | IV.4.D |
| Technical Safeguards | § 164.312 | | |
| Access Control | 164.312(a)(1) | R | V |
| Unique User Identification (R) | | R | V.1.A |
| Emergency Access Procedure (R) | | R | III.18.A, V.1.B |
| Automatic Logoff (A) | | A | IV.3 |
| Encryption and Decryption (A) | | A | V.1.D |
| Audit Controls (R) | 164.312(b) | R | V.2.A |
| Integrity: Mechanism to Authenticate Electronic Protected Health Information (A) | 164.312(c)(1) | A | V.2.B |
| Person or Entity Authentication (R) | 164.312(d) | R | V.2.B |
| Transmission Security | 164.312(e)(1) | A | V.3.A |
| Integrity Controls (A) | | A | V.2.B |
If you would like to discuss Information Security or HIPAA Security Rule compliance in your organization, e-mail me at firstname.lastname@example.org. I would be happy to discuss your specific case.
Copyright © Jeffrey Morgan 2016
Is your information secure?
Are your organization’s information assets absolutely secure? Do your staff and contractors assure you that everything is safe? How do they know? And how about all those paper files? Is confidential data appropriately labeled and stored in a secure, locked and monitored facility? How do you know? How would anyone even know if there was a breach?
The role of IT Staff
I have sat in meetings with IT Staff who have sworn up and down that the network is secure without any facts or data to support that assertion. What are your IT staff and contractors doing every day to ensure that your information is secure? And what about staff that maintain other types of physical instruments and records?
The role of vendors
I have also sat in many meetings with security vendors who have made outrageous and patently false statements, like “our product is HIPAA compliant.” (There is no such thing. The HIPAA Security Rule is a federal regulation that describes the framework for developing a security policy for certain types of information and organizations. HIPAA is purposely technology and vendor-neutral). Every security vendor wants you to believe that they are selling a magical product that will keep your organization secure from all the evils that result from being connected to the entire world through the Internet.
There are no magic products
The truth of the matter is that there are no products or services that will inherently ensure and maintain the confidentiality, integrity and availability (CIA) of your information. Information Security is about process, policy, procedure, and training rather than about installing products. A successful security program comes as a result of looking closely at both the macro view and the micro details and taking appropriate, thoughtful actions using a cycle of continuous improvement. Security products might be a part of your overall security strategy, but without sensible policies, procedures, and training the products themselves are unlikely to produce the desired, advertised result.
Do you have a Comprehensive Information Security Policy?
If you are larger than a Mom and Pop operation, you should have a Comprehensive Information Security Policy. If you are running a municipality or corporation with dozens or hundreds of employees, the lack of such a policy probably constitutes organizational malpractice or malfeasance at some level. Moreover, your policy shouldn’t be just a dusty book on the shelf – all your employees should have had training on and understand the policy.
You can wait for a catastrophic security event to wake your organization up, or you can take action now to prevent an embarrassing and costly revelation. For instance, if your organization is required to comply with HIPAA, the wake up call could come in the form of a multi-million dollar fine from HHS or civil litigation. Or you might end up paying ransom to buy back your data from data pirates. These risks are real and well documented.
How do I get started with a Security Policy?
There are many options for developing a comprehensive information security policy. You can purchase kits, buy books, hire consultants, etc. You can do it yourself, or contract it out, but the process will be largely the same either way. I will give you a 40,000-foot view and you can decide how to proceed. Other than time, the initial costs should not be high, but securing your information infrastructure will definitely have some impact on your budget, albeit less than the eventual cost of not addressing security. Even if this is a DIY project, outsourcing some aspects is probably appropriate unless you have staff members who have been extensively trained in information security domains and disciplines.
Make sure the right people are at the table!
This is NOT an Information Technology project. It is a critical enterprise business, policy and security project, so you want to make sure you have the appropriate stakeholders at the table. Establish a multi-disciplinary committee to participate in the process. Managers and Department Heads from different departments may provide illuminating perspectives and the group must also include rank and file members of your staff who actually do the work (AKA the minions). Staff members with security and military backgrounds may have much to contribute. People who may have had experience in highly regulated industries, such as Pharmaceutical, Insurance, Medical, Public and Mental Health, and Law Enforcement may also have much to contribute to the process. HR and Legal must be at the table. I am certain that your organization has untapped, expert resources, so find them and use them.
Inventory your Assets
Once your Information Security Committee is assembled, it’s time to get to work. The first step is going to be a Risk Assessment. Since you have already established your Information Security Committee, begin the Risk Assessment process by cataloging and categorizing all your information resources. Information in this catalog may include paper files, network and computer files including backups, archival and historical records, microfilm, tax records, specifications, etc. There are payroll records, health insurance records, possibly protected medical information, HR information, meeting records, AR and AP records. All of these records may contain information protected by local, state or federal statute. There may be proprietary information related to manufacturing or other information such as videos, films, and sound recordings that you may want or need to protect in some way. Use an interrogative process to identify, catalog, and categorize all this information. The output of this process should be a detailed document that clearly identifies all of these assets.
It may be appropriate to contract a qualified consultant for the Risk Assessment process. Why? Regardless of how intelligent and qualified the members of your staff are, they are probably immersed in your organizational culture. They may have biases and make assumptions because “we have always done it this way.” Outsiders may be able to see past the assumptions and biases that your staff members can’t.
Once you have completed this process, you will almost certainly have found information that you didn’t even know you had. If you found sensitive information without any plan for protecting it, you might have trouble sleeping until your committee comes up with a plan.
Once you know what types of information you are responsible for, ask yourself and the Subject Matter Experts on your committee what statutes apply. There are at least a handful of regulations that always apply, and there may be dozens of regulations dealing with information-specific data you have to consider. You probably also found information not protected by statute that needs to be addressed. Do your current policies cover all the information in your catalog? In a subsequent article, I will continue with the next steps for securing your information.
The thinking of your staff will not change overnight.
If you want to discuss Information Security in your organization, send me an e-mail at email@example.com.
Copyright © Jeffrey Morgan 2015