In today’s connected world, cyber-attacks are increasing in impact, frequency, and complexity. Healthcare providers have become an attractive target because of the sensitive health information held on their digital networks, so it is critical for healthcare organizations to raise their game in maintaining data security. For the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) is the backbone of all CyberSecurity and privacy initiatives. The objective of HIPAA is to protect the electronic protected health information (ePHI) an organization creates or maintains through appropriate technical capabilities: conducting or reviewing a security risk analysis, implementing necessary security updates, and correcting identified security deficiencies as part of its risk management process.
As the CyberSecurity landscape evolves, HIPAA can serve as the starting point for a comprehensive CyberSecurity program. For example, mapping the HIPAA security and privacy rules to the NIST CyberSecurity Framework (CSF) and closing the gaps that the mapping reveals is a robust step towards mature CyberSecurity.
As organizations gear up for high growth by launching new businesses, products, and services and expanding into new geographies, they also need to upgrade their internal audit and SOX compliance programs to enhance risk coverage and ensure better governance and business performance at lower cost. With increasing scrutiny and expectations from external auditors, and rising cost and effort, organizations need to re-examine their current internal audit and internal control management programs to see whether they can scale to support the organization’s growth and changing risk profile.
Organizations are seeing a huge impact on the overall cost of compliance programs, money paid to external auditors, time spent by internal teams, and the effectiveness of the program itself, due to the lack of a structured approach, a decentralized internal controls function, and not using the right technology and tools. Organizations that have automated their manual processes and controls have matured their SOX compliance and internal audit programs and have been able to drive continuous improvement of business processes as well as financial growth.
According to Protiviti’s 2016 Sarbanes-Oxley Compliance Survey, the estimated internal cost (excluding external audit-related fees) for an organization averages $1.1 million, and the hours spent on SOX compliance have increased by more than 10% compared to 2015. On average, organizations had 50 entity-level controls and 96 process-level controls, of which 45-50% are classified as key controls. For each key control, organizations spent more than 42 hours, including testing or re-testing control operating effectiveness, testing management review controls, testing data produced by the entity to execute key controls, creating and updating control documentation, and evaluating and remediating control design. As the number of hours devoted to SOX compliance increases, so does the cost.
Here are some of the focus areas and practices that companies are following now to improve process effectiveness:
Also, with increasing cyber security incidents, organizations are planning to re-examine their IT controls and decide on regular assessment and testing, and on disclosure and reporting mechanisms.
Internal auditors play an important role in helping organizations ensure effective compliance, manage existing and emerging risks, and improve business performance by providing timely, valuable, and meaningful risk insights. However, the board and executive management are asking internal auditors to do more and to solidify their role as strategic partners.
In the healthcare space, entities regulated by HIPAA must comply with the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of the electronic protected health information (ePHI) they create, receive, maintain, or transmit. Because CyberSecurity is broad in scope and not limited to one system, any connected network, system, or server can become an attack vector, even a printer, so organizations need to ensure that policies and procedures are in place for all interconnected systems, not just the electronic health record (EHR) system.
If a covered entity has an existing security program aligned to the HIPAA Security Rule, it can map sections of that program to the corresponding parts of the NIST CyberSecurity Framework, assess which requirements it already meets, and identify which represent new practices to incorporate into its risk management program.
There is a lot of commonality between the security controls suggested by HIPAA and those in the NIST CSF.
Organizations need to map controls between CyberSecurity frameworks and the HIPAA Security Rule to efficiently identify potential gaps in their programs. Addressing these gaps can bolster compliance with the Security Rule and improve the organization’s ability to secure ePHI and other critical information and business processes, without wasting time and effort implementing duplicate controls.
Organizations need processes to assess the business impact and likelihood of different risks, through a risk matrix and scoring algorithms.
The following table shows some of the HIPAA controls that map to NIST controls and CyberSecurity requirements.
The HIPAA crosswalk document identifies many such “mappings” between the CyberSecurity Framework and the HIPAA Security Rule. The mapping also lets organizations communicate activities and outcomes regarding their CyberSecurity program, internally and externally, using the CyberSecurity Framework as a common language. Although these requirements can be fulfilled manually, in today’s organizations too many departments send too many communications in different formats. As a result, the risk management process ends up buried in documents, spreadsheets, and emails, with challenges that include:
An IT GRC solution enables you to operationalize the mappings provided by HHS and NIST. It can also give you mappings to the NIST SP 800-53 security and privacy controls. The result is a complete controls catalog and a unified testing framework that lets you test against HIPAA requirements and the NIST CyberSecurity Framework (CSF) simultaneously, without duplicating work. With all controls and control mappings available, you can focus on improving your organization’s Cyber Risk posture instead of spending time tracking emails and spreadsheets.
With the solution's risk scoring algorithms, organizations can easily find out the business impacts and likelihoods of different risks. Hospitals can integrate their information into one central library and achieve a single source of truth. Risk assessments can be performed on a regular basis utilizing automation, eliminating human effort and error.
With role-based access, organizations gain enterprise-wide visibility into the self-assessment program, receive alerts from various channels, obtain real-time intelligence on compliance issues, and get support in identifying and prioritizing potential improvements. With advanced reporting, organizations can bring together information that was previously siloed to create insightful reports, achieve a holistic, near real-time view of the organization, and proactively plan their CyberSecurity efforts.
Cyber-attacks arrive quietly, cause immense damage, and are often over by the time you become aware of them. Organizations can stay prepared by adopting automation tools that can predict when a cyber-attack is likely to occur by identifying gaps in the system. In today’s competitive environment, manual processes are time- and resource-consuming and inefficient. In terms of compliance fulfillment, organizations that lack enterprise-wide visibility also waste a lot of time and effort implementing duplicate controls, because of the overlap between the NIST CyberSecurity Framework, the HIPAA Security Rule, and the other security frameworks that help them safeguard health data in uncertain times.
MetricStream has developed a pre-packaged IT GRC solution focused on the needs and challenges of small and mid-sized enterprises, which helps with:
• Establishing a consistent CyberSecurity Framework that supports “Test once, comply with many”
• Getting senior executive buy-in by providing a common view of the Cyber Risk posture
• Operating on a future-proof platform that will address ever-increasing Cyber Risk
GRC tools help with a common taxonomy and control harmonization, saving a lot of time and removing human error. Organizations can gain the ability to implement control mapping in a single day. In short, GRC technology makes compliance easier and helps protect you from regulatory penalties and future breaches.
According to PwC’s 2016 study “State of the Internal Audit Profession,” about 62% of stakeholders expect more value from internal auditors, including half of those who already reported receiving significant value.
In most organizations, internal auditors play a significant role in implementing SOX, and studies have shown that organizations derive significant benefits when auditors contribute to the SOX program.
In its survey, Protiviti reported that the share of organizations saying their audit committee has primary responsibility for SOX compliance increased from 11 percent in 2013 to 35 percent in 2016.
Convergence with the internal audit function can be facilitated by including internal audit in all key management committees, requiring and enforcing timely management responses and action plans for all significant internal audit findings, and creating a reporting hierarchy and culture in which internal audit can raise potentially contentious issues without hesitation. Internal audit can also provide internal controls and COSO training to management and serve as a subject matter expert for the organization.