
In today’s connected world, cyber-attacks are increasing in impact, frequency, and complexity. Healthcare providers have become an attractive target because of the sensitive health information held on their digital networks, so it is critical for healthcare organizations to strengthen how they maintain data security. For the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) is the backbone of all CyberSecurity and privacy initiatives. The objective of HIPAA is to protect electronic protected health information (ePHI) that an organization creates or maintains, through appropriate technical capabilities: conducting or reviewing a security risk analysis, implementing necessary security updates, and correcting identified security deficiencies as part of the organization’s risk management process.

As the CyberSecurity landscape evolves, HIPAA can serve as the starting point for putting a comprehensive CyberSecurity program in place. For example, mapping the HIPAA Security and Privacy Rules to the NIST CyberSecurity Framework (CSF) and implementing the controls that fill the identified gaps is a robust step towards a mature CyberSecurity posture.


As organizations step up for high growth by launching new businesses, products, and services, and expanding into new geographies, they also need to upgrade their internal audit and SOX compliance programs to enhance risk coverage and ensure better governance and business performance at lower cost. With increasing scrutiny and expectations from external auditors, and rising cost and effort, organizations need to reexamine their current internal audit and internal control management programs to see whether they can scale to support the organization’s growth and changing risk profile.

Organizations are seeing a huge impact on the overall cost of compliance programs, the fees paid to external auditors, the time spent by internal teams, and the effectiveness of the program itself, caused by the lack of a structured approach, a decentralized internal controls function, and the absence of the right technology and tools. Organizations that have automated their manual processes and controls have matured their SOX compliance and internal audit programs and have been able to drive continuous improvement of business processes, and financial growth as well.


Stepping up the SOX Compliance Process

According to the 2016 Sarbanes-Oxley Compliance Survey by Protiviti, the estimated internal cost (excluding external audit-related fees) for an organization averages $1.1 million, and the hours spent on SOX compliance increased by more than 10% compared to 2015. On average, organizations had 50 entity-level controls and 96 process-level controls, of which 45 - 50% are classified as key controls. For each key control, organizations spent more than 42 hours, including testing or re-testing control operating effectiveness, testing management review controls, testing data produced by the entity to execute key controls, creating and updating control documentation, and evaluating and remediating control design. As the number of hours devoted to SOX compliance increases, so does the cost.

Here are some of the focus areas and practices companies are following now to improve process effectiveness:

  • Shifting from merely managing internal controls and compliance tasks to a risk-based approach that rationalizes controls. Organizations are identifying high-risk processes, adopting a risk control matrix, and ensuring better documentation of controls, deficiencies, and related processes
  • Increasing the testing of controls through enhanced control automation and standardization
  • Managing SOX processes, risks, controls, and test details in a centralized framework with better linkages and visibility, instead of a fragmented approach
  • Revisiting control design to improve risk coverage of international, regional, and remote locations
  • Increasing the focus on segregation-of-duties analysis for systems
  • Placing greater emphasis on evidence and documentation so that external auditors can rely more on the internal controls team, thereby reducing overall auditing effort and cost
  • Tracking management’s assessment of its internal controls in real time, with reports and dashboards, to help auditors follow the status of internal controls and tests.

Also, with the rise in cyber security incidents, organizations are planning to revisit their IT controls and decide on regular assessment and testing, as well as disclosure and reporting mechanisms.


The Changing Face of Internal Audit

Internal auditors play an important role in helping organizations ensure effective compliance, manage existing and emerging risks, and improve business performance by providing timely, valuable, and meaningful risk insights. However, boards and executive management are asking internal auditors to do more and to solidify their role as strategic partners.


Integrate HIPAA into a Standard CyberSecurity Framework:

In the healthcare space, entities regulated by HIPAA must comply with the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of the electronic protected health information (ePHI) that they create, receive, maintain, or transmit. Because CyberSecurity has broad coverage and is not limited to one system, any connected network, system, or server can become an attack vector – even a printer – and organizations need to ensure that policies and procedures are in place for all interconnected systems, not just the EHR.

If a covered entity has an existing security program aligned to the HIPAA Security Rule, it can map sections of that program to the corresponding parts of the NIST CyberSecurity Framework, assess which requirements it already meets, and identify which represent new practices to incorporate into its risk management program.


Association between HIPAA, NIST CSF and other CyberSecurity Frameworks

There is a lot of commonality between the security controls suggested by HIPAA and those of the NIST CSF.

Organizations need to map controls between CyberSecurity frameworks and the HIPAA Security Rule so that potential gaps in their programs can be identified efficiently. Addressing these gaps bolsters compliance with the Security Rule and improves the ability to secure ePHI and other critical information and business processes, without wasting effort and time implementing duplicate controls.

Organizations need to put in place processes to assess the business impact and likelihood of different risks, using a risk matrix and scoring algorithms.

Hospitals can integrate their information in one central library and achieve a single source of truth. Risk assessments can then be performed on a regular basis using automation, reducing human effort and error.

The following tables show some of the HIPAA controls that map to NIST controls and CyberSecurity requirements.


[Tables 1, 2 and 3: HIPAA controls mapped to NIST CSF controls and CyberSecurity requirements; table contents not recoverable from the page]


The HIPAA crosswalk document identifies many such “mappings” between the CyberSecurity Framework and the HIPAA Security Rule. The mapping document also allows organizations to communicate activities and outcomes regarding their CyberSecurity program, internally and externally, by using the CyberSecurity Framework as a common language. Although these requirements can be fulfilled manually in today’s organizations, there are too many departments sending too many communications in different formats. As a result, the risk management process ends up buried in documents, spreadsheets, and emails, with many challenges, including:


[Image: challenges of a document-, spreadsheet- and email-based risk management process; content not recoverable from the page]

An IT GRC solution enables you to operationalize the mappings provided by HHS and NIST. It can also provide mappings to the NIST SP 800-53 security and privacy controls. The result is a complete controls catalog and a unified testing framework that lets you test against HIPAA requirements and the NIST CyberSecurity Framework (CSF) at the same time, without duplicating work. With all controls and control mappings available, you can focus on improving your organization’s cyber risk posture instead of spending time tracking emails and spreadsheets.

With the solution's risk scoring algorithms, organizations can easily find out the business impacts and likelihoods of different risks. Hospitals can integrate their information into one central library and achieve a single source of truth. Risk assessments can be performed on a regular basis utilizing automation, eliminating human effort and error.

With role-based access, organizations can achieve enterprise-wide visibility into the self-assessment program, receive alerts from various channels, obtain real-time intelligence on compliance issues, and gain support in identifying and prioritizing potential opportunities for improvement. With advanced reporting, organizations can consolidate information that was previously in silos to create insightful reports, achieve a holistic near-real-time view of the organization, and proactively plan their CyberSecurity efforts.

Cyberattacks come quietly, cause immense damage, and are gone by the time you are aware of them. Organizations can stay prepared by adopting automation tools that can predict when a cyber-attack is likely to occur by identifying gaps in the system. In today’s competitive environment, manual processes are time- and resource-consuming and inefficient. Also, in terms of compliance fulfillment, organizations that lack enterprise-wide visibility waste a lot of time and effort implementing duplicate controls because of the overlap between the NIST CyberSecurity Framework, the HIPAA Security Rule, and the other security frameworks that help them safeguard health data in uncertain times.

MetricStream has developed a pre-packaged IT GRC solution focused on the needs and challenges of mid- and small-sized enterprises, which helps with:

  • Establishing a consistent CyberSecurity Framework that supports “Test once, comply with many”
  • Getting senior executive buy-in by providing a common view of the cyber risk posture
  • Operating on a future-proof platform that will address ever-increasing cyber risk

GRC tools can help with a common taxonomy and control harmonization, saving a lot of time and removing human error. Organizations can gain the ability to implement control mapping in a single day. In short, GRC technology makes compliance easier and helps protect you from regulatory penalties and future breaches.

According to PwC’s 2016 study “State of the Internal Audit Profession,” about 62% of stakeholders expect more value from internal auditors, including half of those who already reported experiencing significant value.

  • Business Model Changes - Mergers and acquisitions, changing regulatory requirements, new product lines and delivery methods, partnerships, etc. require new business operating and financial models as well as changes to existing ones. While these are important for meeting emerging business opportunities, auditors need to review the changes, the transition plans, and the validity of current control designs and scope, and suggest changes. They should also assist in identifying and documenting the key risks and controls of new models, and check the impact on regulatory compliance and reporting requirements
  • Expansion of International Operations - While expanding, organizations need to enhance the visibility and oversight of their international operations, as there have been instances where subsidiaries and local business units have had compliance violations that affected the parent organization. Auditors need to revisit control design and the effectiveness of controls in the context of local business practices, and ensure compliance with corporate policies and regulations. As trade rules change, organizations need to ensure controls are in place for compliance with export laws and regulations, sanctions compliance, etc. Also, with increasing instances of bribery and corruption, organizations need to develop and enforce relevant controls, policies, communication, and compliance assessments to track international business practices, international employees, and partners, and to avoid potential anti-bribery and corruption issues among foreign entities or business partners
  • Vendor Management Practices and Associated Risks - With increasing reliance on vendors, it is important to gain better visibility of the vendor ecosystem and ensure risks are identified and mitigated. Internal auditors should ensure the effectiveness of third-party relationship management, from initial screening, data collection, and documentation reviews to contract management and ongoing monitoring of third-party risk. Internal auditors should also work with procurement and other groups to review the processes being followed, ensure appropriate controls are in place, and evaluate whether risk management has been sufficiently integrated into supply chain management
  • Increased Focus on Cyber Security Issues and IT Controls - With increasing data security breaches, organizations expect internal auditors to play an important role in assessing internal processes, the adoption of industry standards or frameworks, and the implementation of revised security models, and to suggest improvements. As cloud adoption increases, organizations expect internal auditors to look at system controls and general IT controls even more closely than before and to provide timely assurance on the adequacy of cyber security efforts, thereby helping the audit committee oversee cyber security.


Role of Internal audit in enhancing SOX compliance

In most organizations, internal auditors play a significant role in implementing SOX, and studies have shown that organizations derive significant benefits when auditors contribute to the SOX program.

In its survey, Protiviti reported that the share of organizations saying their audit committee has primary responsibility for SOX compliance increased from 11 percent in 2013 to 35 percent in 2016.

  • Integrating the audit plans of the internal controls and internal audit (IA) functions will significantly improve the internal control environment.
  • A partnership between internal auditors and SOX compliance groups will help with gap analyses and control rationalization. It will also help identify red flags, inefficiencies, redundancies, and areas for improvement before they become a problem.
  • Internal auditors can offer management a centralized source of information regarding the effectiveness of the organization’s control environment and governance process.
  • Internal auditors can establish approved communication and reporting mechanisms with management and other relevant parties. This helps management review the effectiveness of controls, decide whether controls need to be enhanced, and take real-time remediation measures.
  • Internal auditors can add value to external audits by participating in meetings with the external auditor to help identify and meet the external auditor’s expectations for internal control design, documentation, and testing. This also helps cut the cost of external audits.

Convergence with the internal audit function can be facilitated by including internal audit in all key management committees, requiring and enforcing timely management responses and action plans for all significant internal audit findings, and creating a reporting hierarchy and culture in which internal audit can raise potentially contentious issues without hesitation. Internal audit can also provide internal controls and COSO training to management and serve as a subject matter expert for the organization.
