Virtual CISO

Agenda

• Information Security Program Overview
• Security in the Cloud
• Healthcare in the Cloud
• Sample Information Security Timeline
• vCISO Services
• Sample Budget

Information Security Overview

• Information Security Program is a documented set of organization’s security policies, procedures, guidelines, and standards.
• The security program provides a roadmap for effective security management and practices.
• Breaches affect large numbers of diverse organizations, including the healthcare industry, and can result in significant fines and penalties.
• Effectively maintained and adaptable programs mitigate potential risks and quickly manage incidents or exposures.*

* average cost of a breach is $255 per compromised record.

Security in the Cloud

• As more and more companies run natively in the cloud, we need to understand the complexity and responsibility with that approach. 
• AWS has explicitly stated that they are responsible for the security of the cloud, meaning they are responsible for the data centers, hardware, network, servers, power, connectivity, and some of the managed services they provide. 
• At the same time, AWS states that the customer is responsible for the security in the cloud, meaning that the information flow, customer networks, ports, encryption, data, and server access is the responsibility of the customer. Just being in the cloud does not automatically mean you are secure. 
• Many companies realize that and, therefore, request compliant frameworks and certificates to provide assurance of the security operations in the cloud environment before signing business associate agreements or contracts.

Healthcare in the Cloud

• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted into federal law to protect sensitive patient health information from being disclosed without the patient’s consent. It was later enhanced by HITECH in 2009 to promote secure exchange of EHR. It applies to companies who handle medical information electronically and so is a requirement for [Company].
• The Health Information Trust Alliance (HITRUST) created the Common Security Framework (CSF) to address security, privacy, and regulatory compliance. While this is not a requirement, HITRUST is a modern security standard in healthcare and many customers or partners request HITRUST compliance in order to close contracts or start interoperability initiatives. Thus, [Company] will need to pursue HITRUST certification if any customers require this to be in place. One advantage of HITRUST is that this framework includes HIPAA assessment, among others. In other words, HIPAA is a set of regulations and HITRUST is how to achieve compliance to them.
• Systems and Organizations Controls 2 (SOC2) is designed for SaaS companies and [Company] can be considered a SaaS provider with the patient portal app and so some of the providers that partner with [Company] may request a SOC 2 compliance in addition to HITRUST and HIPAA. SOC 2 is a reporting framework, meaning that it documents all systems, processes, and procedures the company is doing, quarterly, throughout the year, and provides a report that states that the company is doing what it says (in policies and procedures) it is doing. This is not a requirement for [Company] but may be needed to have a contract with some entities.
• There are many other compliance requirements that depend on the geographical location of patients, such as GDPR for the European markets or CCPA for California specific market and these can be addressed separately.