Agenda
- Information Security Program Overview
- Security in the Cloud
- Healthcare in the Cloud
- Sample Information Security Timeline
- vCISO Services
- Sample Budget
Information Security Overview
- An Information Security Program is a documented set of an organization’s security policies, procedures, guidelines, and standards.
- The security program provides a roadmap for effective security management and practices.
- Breaches affect large numbers of diverse organizations, including the healthcare industry, and can result in significant fines and penalties.
- Effectively maintained and adaptable programs mitigate potential risks and quickly manage incidents or exposures.*
* The average cost of a breach is $255 per compromised record.
Security in the Cloud
- As more and more companies run natively in the cloud, we need to understand the complexity and responsibility that come with that approach.
- AWS has explicitly stated that they are responsible for the security of the cloud, meaning they are responsible for the data centers, hardware, network, servers, power, connectivity, and some of the managed services they provide.
- At the same time, AWS states that the customer is responsible for security in the cloud, meaning that the information flow, customer networks, ports, encryption, data, and server access are the responsibility of the customer. Just being in the cloud does not automatically mean you are secure.
- Many companies realize this and therefore request compliance frameworks and certificates that provide assurance of the security operations in the cloud environment before signing business associate agreements or contracts.
Healthcare in the Cloud
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted into federal law to protect sensitive patient health information from being disclosed without the patient’s consent. It was later enhanced by HITECH in 2009 to promote the secure exchange of EHR. It applies to companies that handle medical information electronically and so is a requirement for [Company].
- The Health Information Trust Alliance (HITRUST) created the Common Security Framework (CSF) to address security, privacy, and regulatory compliance. While this is not a requirement, HITRUST is a modern security standard in healthcare, and many customers or partners request HITRUST compliance in order to close contracts or start interoperability initiatives. Thus, [Company] will need to pursue HITRUST certification if any customers require it to be in place. One advantage of HITRUST is that the framework includes a HIPAA assessment, among others. In other words, HIPAA is a set of regulations and HITRUST is how to achieve compliance with them.
- System and Organization Controls 2 (SOC 2) is designed for SaaS companies. [Company] can be considered a SaaS provider because of the patient portal app, so some of the providers that partner with [Company] may request SOC 2 compliance in addition to HITRUST and HIPAA. SOC 2 is a reporting framework, meaning that it documents all systems, processes, and procedures the company is carrying out, quarterly, throughout the year, and provides a report stating that the company is doing what it says (in policies and procedures) it is doing. This is not a requirement for [Company] but may be needed to have a contract with some entities.
- There are many other compliance requirements that depend on the geographical location of patients, such as GDPR for the European markets or CCPA for the California market, and these can be addressed separately.
Sample Information Security Timeline
- Initial internal/external risk assessment, baseline – 1 month
  - Understanding clients, internal resources, and resource allocation (team)
  - Identify risks to the business (environment, 3rd parties)
  - Review Disaster Recovery and Business Continuity plans
- Identify & improve infrastructure deficiencies – 3 months
  - Account / Environment separation (Dev, Prod, Log accounts)
  - Improve IAM, roles, and encryption in AWS, patch management, incident response
  - Continuous environment monitoring, GuardDuty, alerts, automated actions, log reviews, etc.
- Identify compliance requirements and prepare for audit – 3-6 months
  - Prepare for and execute multiple compliance window(s)
  - Policies and procedures review/update, incident response plan
  - Define guardrails for secure operations
  - Review 3rd parties / risk assessment / compliance review
- Raise security posture via continuous improvements – 6-12 months
  - Implement metrics, review/upgrade endpoint protection
  - Implement regular periodic information security training for all employees and new hires
  - Review policies, procedures, DR plans, Business Continuity plans
vCISO Services
Level 1
- Understanding clients, internal resources, and resource allocation (team).
- Policies and procedures review/update, incident response plan.
- Advice on improving security controls, monitoring, threat detection.
Level 2
- Implement Information Security Program
- Data Handling, Encryption, and Network Protection
- Evidence tracking and issue remediation
- Implement mandatory information security training
- Cloud Architecture Security Best Practices
Level 3
- Represent Information Security externally
- Grow, manage, and mentor your security team
- Become a dedicated full-time resource
Pricing
- Level 1 – Advising Role – $5,000/mo
- Level 2 – Includes Level 1 – $11,000/mo
- Level 3 – Includes Levels 1 and 2 – $18,000/mo
Sample Budget
Item | Timeline | Low | Projected | High
HITRUST with HIPAA | Yearly | $60,000 | $70,000 | $80,000
SOC2 type 2 | Yearly | $45,000 | $50,000 | $55,000
HackerOne Bounty (pentests) | Yearly | $35,000 | $40,000 | $45,000
Snyk Pro and other Dev Tools | Yearly | $8,000 | $10,000 | $12,000
Endpoint Security Tools, AV | Yearly | $5,000 | $7,000 | $9,000
Security Awareness Training | Yearly | $5,000 | $8,000 | $10,000
vCISO Services | Monthly | $60,000 | $132,000 | $216,000
Total | Yearly | $218,000 | $317,000 | $427,000