Creating a Memorandum

The following is an example of a memorandum framework I created for an organization. Most of the information has been redacted to allow me to post it.

TO:  CISO

FROM: Ravel Charles

DATE:  1/13/2017

SUBJECT:  Proposed Laws/Regulations and Frameworks

Introduction/Purpose

The following provides descriptions of a proposed law/regulation and a control framework/standard that our company should consider as part of its short-term and long-term strategy. In addition, it outlines recommendations that our C-level executives should take to prepare for the positive or negative impact that the proposed compliance effort will have on the company.

Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

Recognized as one of the most important federal laws/regulations in the healthcare industry, the HIPAA Privacy Rule offers protection to patient-specific health information records. More specifically, the HIPAA Privacy Rule governs the confidentiality and privacy of patient information. Although known as a set of standards, it does permit the enforcement of existing state laws that are more protective of patient privacy (Wager, Lee, & Glasser, 2013). It also allows states to pass stricter laws in the future for this very purpose.

The HIPAA Privacy Rule defines which individuals and entities must comply with these regulations. These “covered entities” are defined as health plans, health care clearinghouses, and health care providers who electronically transmit financial and administrative information (NIH.gov, n.d.). The cost of medical care is usually covered by health plans. Health care clearinghouses usually process healthcare billing and claims. Healthcare providers are those who create and close patient encounters. Essentially, if these entities are to share information with each other and aim toward interoperability, they can only do so under established contracts that protect the confidentiality and privacy of patient information (Wager, Lee, & Glasser, 2013). Under the Rule, this information is labeled “protected health information” (PHI).

The HIPAA Privacy Rule is divided into five major components: Boundaries, Security, Consumer Control, Accountability and Public Responsibility (Wager, Lee, & Glasser, 2013). With regard to PHI, these components describe not only the boundaries that health organizations have to follow, but also the consequences an organization will face for poor management of that information.

National Institute of Standards and Technology (NIST)

In general, every healthcare organization must have an information security program. NIST provides helpful resources and documents to facilitate a technical security evaluation of these health care organizations. NIST also identifies three types of contingency plans: continuity of operations plan, contingency plan and disaster recovery plan (Wager, Lee, & Glasser, 2013). With the increased reliance on data and technology, it is imperative that hospitals have a set of plans to follow during critical situations.

NIST 800-53, part of the Special Publication (SP) series, provides detailed security and privacy controls for federal information systems and organizations (Special Publication 800-53 Revision 4, 2014). NIST Fellow Ronald Ross describes it as “a very large catalog of privacy and security controls to safeguard the enterprise from hostile cyberattacks” (Siwicki, 2016). In general, NIST aims to reduce the complexity of creating a secure information system environment and provides a set of control frameworks/standards that organizations can follow. Ultimately, NIST aims to protect organizations from hostile attacks on their systems.

Summary of Recommendations

Long Term

    • Since HIPAA violations result in hefty fines that can affect an organization’s reputation and financial future, it is important for the healthcare organization to provide security awareness training to all existing employees. This may require a budget to train employees. However, this type of investment can save an organization a lot of money in the future.
    • Since the HIPAA Privacy Rule allows for the enforcement of existing state laws, I recommend that the healthcare organization be familiar with its own state regulations and laws, especially those that deal directly with privacy and confidentiality.
    • Technology is changing rapidly, and so are attack landscapes and strategies. A long-term strategy for a healthcare organization that is looking to use the NIST Framework would be to invest in building technology that is not only secure but also trustworthy. This will help the systems better withstand attacks and better protect patient information.
    • Although many measures can be taken to protect information systems, it is important that the healthcare organization creates a disaster recovery plan and a contingency plan that can help minimize the damage caused by a breach. This is to stay consistent with the NIST Framework in the long term.
    • The organization should build a security program that will be dedicated to handling all security threats and responses moving into the future. This is to address long-term HIPAA compliance.

Short Term

    • Technology is changing rapidly, and so are attack landscapes and strategies. A short-term strategy for a healthcare organization looking to use the NIST Framework would be to engage only with vendors that are known to be secure (Microsoft, Oracle, etc.). Since databases and operating systems are two examples of investments that most organizations cannot control, it will be important to constantly update them using the patches released by these vendors.
    • The healthcare organization should enforce a set of rules that all employees must follow (with risk of punishment) to lower the risk of breaches or leaks of private information. This can include limiting access to resources after a certain hour, or requiring a certain amount of identification at all times. These safeguards do not require employees to have security awareness in their decision making. HIPAA violations can cause major damage to an organization.
    • To ensure that current systems are secure, the healthcare organization should conduct active and passive testing on all systems. This will be done to gather information on any vulnerabilities that may exist and to develop a full view of its threat landscape. Active testing includes penetration testing, and passive testing includes scans. As mentioned above, a breach or leak of any patient information can have terrible results. This is to help stay consistent with the NIST Framework in the short term.