The HIPAA Security Rule requires covered entities and business associates to designate an individual who is responsible for overseeing the organization's information security operations. The Assigned Security Responsibility standard (§ 164.308(a)(2)) is the second standard of the Security Rule's Administrative Safeguards and requires organizations to “Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the Security Rule] for the entity.” The standard requires that organizations designate a named individual. The Security Official cannot be a committee or a department; the regulation requires one person to be ultimately accountable for implementing and overseeing the Security Rule requirements. For many organizations, especially those of a certain size and complexity, this is a role that should be outsourced. Why?
- An alarming number of organizations have not designated a security officer. Despite the requirement, many organizations have not designated anyone as the security official, at least not in writing. When asked, they may say, “Oh, Chuck is our security officer,” but there is no evidence or documentation that could be presented to an auditor. Organizations should draft a simple document naming an individual as the Security Officer (reach out to me directly and I will send you a template for this). I would also recommend keeping a job description on file that defines the roles and responsibilities of the Security Official (again, reach out to me directly and I will send you a template for this).
- Internal candidates lack the qualifications, experience and skill. Even when organizations have designated a Security Officer, the person is often woefully ill-equipped for the job. The rule, by design, does not require particular qualifications. But a qualified Security Officer will usually have an unusual combination of character traits and expertise. They should have a mastery of the regulatory requirements and, in many cases, of the security framework (NIST, HITRUST, ISO, etc.) the organization uses to define its security efforts. They should have the technical expertise to implement, understand and oversee the technical controls needed to secure patients' ePHI. They should have the people skills to win buy-in from executive leadership for needed controls. They should have the experience and skill to manage and influence technical staff and other workforce members in implementing and enforcing those controls. And they should have expertise in healthcare compliance generally and lead the effort to document compliance consistent with the organization's policies.
- Good CISOs are hard to find. Effective Information Security Officers have a rare combination of traits. Qualified information security directors and managers are in high demand, and the mix of skills, experience and knowledge they need is scarce. So while demand is high, supply is relatively low. Experienced CISOs have strong expertise in the regulations governing information security, such as HIPAA or FISMA, and strong knowledge of information security frameworks such as the NIST Cybersecurity Framework (CSF), ISO 27001 or the CIS Top 20. They have experience managing projects, persuading stakeholders and leading teams. They are strategic thinkers who know how to align information security with key operational and IT objectives (for example, configuring systems so that information is both easy to access and protected). They have superb communication skills, from the board of directors down to frontline employees. And they have experience building and managing information security programs. Finding information security leaders with this combination of traits is hard to do.
- The salary requirements are out of reach. High demand and limited supply have, in the last few years, led to dramatic increases in the salaries that qualified CISOs can command. According to a study conducted by SilverBull, an information technology staffing and recruiting firm, the median salary for Information Security Officers in healthcare is $223,000. That salary is out of reach for many healthcare organizations, which is why they often fill the role with under-qualified personnel.
- The risks of having inadequate or unqualified personnel in this role are substantial. Many healthcare organizations are therefore at risk of a potentially catastrophic compliance or breach-related failure. Compliance is hard. Preventing a breach is even harder. An organization targeted by a persistent, focused attack is likely to be compromised at some point, and this is true even of the most security-minded organizations.
Which raises the question: what, then, should we do? In other words, what goal or objective should we be pursuing? If a breach is hard to prevent, and even likely in the case of a targeted attack, why try at all? The answer will vary with each organization's risks, strategic commitments and resources, but one objective should be a priority for every organization: protect the information in a manner consistent with the risks associated with its loss and with what is “reasonable and appropriate” under the Security Rule. Managing with that objective in mind, and in alignment with strategic priorities, allows an entity to avoid a finding of “willful neglect” by investigators or auditors in the event of a breach. Knowledge and skill matter. Leadership matters. Organizations should make it a priority to find an executive to lead their information security program. Contact Patronus Security today to help you find the leadership your information security program needs.