Welcome back, you Cybrary Romper Room referees. This is lecture 2.4 of Implementing a HIPAA Compliance Program for Leadership: Maintaining a Compliance Program. This discussion is about how we start implementing and maintaining our security program and ultimately achieve HIPAA compliance within our health care organization. So if you're ready, and if the lawyers still throw the flag, let's huddle up and figure out who's to blame for this whole mess.
So let's get back to the HIPAA privacy and security game after this brief message from our sponsor.
So in today's lecture, we're gonna be compliance officer cadets in training and start making our first steps towards compliance. We're gonna look at the required versus addressable controls and criteria in the HIPAA rules and start living our everyday life in the gaps, because we're never not gonna be improving. There are always shortfalls and always weaknesses in our programs that we have to improve on and fill the gaps around, and we need to be working on it diligently every day, all day long, today and tomorrow.
We'll look at what our compliance goals and requirements are, and we're gonna look at some of the daily forty-yard-dash sprints and agile program management processes that are gonna help us get there.
So what is the role of our compliance officer? You might remember that it's a requirement that we have a compliance officer to be HIPAA compliant. Our compliance officer must monitor the state and federal privacy and security guidelines. And quite often, folks, the state laws can be fiercer, with higher penalties and stricter enforcement rules than the federal ones. Our officer has to manage and communicate any changes to current security policy and understand the laws we're trying to adhere to and comply with. Our officer has to have soft skills: communicate well, be a team player, have problem-solving skills, show leadership, be knowledgeable, be the subject matter expert in security regulations, be creative, and be a people person. It is, after all, your people and your relationships that will be your strongest and hardest-to-beat control against the outside threat agent.
So compliance for our organization can take many forms. We'll be diligent about adhering to the required and addressable controls called out by the HIPAA Security and Privacy Rules. We will also very likely align voluntarily with other standards and best practices because, as we said before, we want the best controls and the best network infrastructure to deliver the world's greatest patient care, and not just be compliant to avoid being fined, or breached and getting bad press by being in the news. And there are other requirements in HIPAA, like the Unique Identifiers Rule, where our organization, as an employer entity in HIPAA transactions, must maintain unique employer identification numbers (EINs), unique national provider numbers or health plan identifying numbers if they apply, and unique patient identifiers (UPIs).
And there is the HIPAA Transactions and Code Sets Rule, which sets standards for the form and format of electronic transactions as well as their content. We will get our arms around all of these components, improve our documentation processes and procedures, and solidify and strengthen our program's security maturity posture.
So when you're building your security program, you will likely adopt a security maturity model. It's not required, but I'm a strong proponent of a program picking a maturity model (there are a bunch of them out there) and using that security maturity model, with its set of characteristics and indicators, to represent your past, current and future progression as a security program. Modeling is, after all, a way of measuring your maturity.
If you adopt the NIST CSF security maturity model, for example, the model identifies and characterizes four tiers of security program. At the bottom is Tier 1, Partial, where the organization operates in an ad hoc, reactive manner with very little program management around risk and no formal prioritization process for measuring and responding to the degrees of risk; basically, all incidents are treated the same. At the other end of the spectrum is a very mature Tier 4, Adaptive, security program, which is the best and is a security leader, because it has a very mature, integrated risk management program that actually shares what it knows and learns about threats and risk remediation with other programs outside its own. And being a Tier 4 security program, well, that's the only maturity level we, as leaders of our security program, are gonna accept.
So there are seven key elements of an effective compliance program, and I'm gonna give you a hint: you might need to know these for your quiz. I'm thinking all seven should be tattooed on your forearm or ankle, if that's your thing. We need written policies, procedures and standards of conduct, i.e. acceptable use. We need oversight, and that's you as the leader and your compliance manager; someone has to manage this beast.
We need robust security training and education for our staff, from what PHI is to the social engineering methodologies we need to be aware of, like telephone pretexting, phishing attacks and email phishing clickbait tactics. We need great two-way communication between all the members of our team, from management to the reporting employees. We need to be communicating status, what we as an organization are doing, and where we're going.
We need to implement monitoring and auditing systems so we can account for where our PHI is, who's accessing it, what they accessed and when they accessed it. And we need to always be diligent and enforce constant discipline around the processes and procedures that surround and protect PHI, because those processes and procedures, well, they're there for a reason, and if they're not used, we can't protect our PHI. And when we see gaps in behavior, in our documentation, or in any of these steps to success, we're going to take immediate corrective action and improve our program so we can finally achieve the maturity level of a Tier 4 Adaptive security program, because that's our goal.
So I'm not going to spend a lot of time on this one, because Module 3 of the course, which I know will be everyone's favorite, is dedicated to actually rolling out your compliance program from start to finish. But I do wanna lay the groundwork and prepare some milestones, so you can be doing some homework and preparing for rolling out your program when we get there. We have to first baseline our program, which is where we are today.
We will then review and analyze the gaps: where we're at versus the controls we need to have in place to satisfy the required and addressable requirements of the HIPAA Privacy and Security Rules and any other standard that we're using to model our maturity. We're going to build our program and then use a maturity model to measure our current state and plan our actions, and act on our plans to improve our maturity state. We will implement our remediation and improvement efforts and train our employees and business associate partners on our policies and procedures that, when followed, will guarantee the privacy and security of our patients' PHI and ePHI.
And then we will test our programs and team members by performing self-assessments, threat assessments, risk assessments and tabletop exercises to make sure we achieve our backup and recovery goals. If this stuff doesn't get you excited about information security, it's time to look into DevOps and write code, because maybe this field isn't going to be where you're going to grow your best crops.
So what would this look like when we get to that end state? In a nutshell, all of the work that we've done so far and all the work that we're gonna go through in Module 3 is to actually achieve an end state where, across our entire organization, from people to technology to our buildings and their environmental systems, to our amazing patients who give us the reason to come to work every day and who pay the bills by signing our paychecks, well, we will have created, implemented, tested and documented our policies, procedures, and the management and monitoring of our organization's controls addressing the regulatory, legal, risk, environmental and operational requirements of the HIPAA standards. That is the summit of this compliance mountain that we're trying to climb.
So, as promised, if you're ready, here's our quiz question, with no extra credit, because we need you to list all seven of the key elements of an effective compliance program, because this is really need-to-know stuff.
Well, we need to have comprehensive written policies, procedures and standards of conduct, all the way to acceptable use policies.
We need you. We need our compliance officer. We need people to manage this and oversee this thing to the end. We need staff training and education. What we mean by that is we need to train our people on what PHI is, how to work with it, and then also how to protect it and be on the lookout for things like phishing attacks, email phishing attacks and the social engineering tricks those threat agents are going to use to try to get that information away from the employees. We need really good two-way communication, so it's not just managers telling us, but managers need to be able to listen to us as well, and we are together rowing the boat to try to make our program better. We need monitoring and auditing systems: where are we at today, who's doing it, what are we doing, where are we accessing it, what are we accessing? We need those tools in place.
We need to enforce discipline around policies, procedures and methodologies, because it's these policies and procedures, these controls, well, that's how we end up being compliant. And when we're not having the discipline around enforcement, well, guess what? That's how things fall through the cracks and a breach occurs. And we need timely corrective actions to correct those things that will get us back up and to the right, doing the things that we need to do to be a Tier 4 Adaptive security program, because that's our goal.
So in this lecture we heard about our new compliance officer, and we reviewed the many forms of what we mean by compliance. We learned that there will always be holes and shortcomings between our program and the end state, and that's why it's our job to minimize risk, live in those gaps, and make the gaps the smallest possible. We reviewed and quizzed you on the seven key elements of compliance. And we looked at that end state: what is it going to look like at the end of our compliance championship? Where are we, Cybrary compliance champions? Yes, we're gonna be holding the trophy.
Well, maybe not we. You will be holding the trophy. I will be recovering from my ninth concussion.
So thanks for buying fifty-yard-line tickets for our Cyber Compliance Championship. Our next lecture will be on monitoring, logging and reporting on our compliance program. But for now, on behalf of all of us at Cybrary, thank you, and we look forward to seeing you next time. Until then, we wish for you all kinds of first downs, TV timeouts, touchdowns and, you guessed it, zero penalty flags, especially the compliance penalty flags. Nobody wants those.
Take care, see you next time, and happy journeys.