Excerpts from HITRUST and Cybersecurity 2018: Part 2- Improving the Quality of Security Oversight
This blog is the second of a two-part series on Omar Khawaja’s keynote address on the topic of HITRUST at HITRUST and Cybersecurity 2018, an event hosted by Evolve IP in November. Evolve IP hosted this educational event because of our commitment to the HITRUST CSF framework and our commitment to providing clients with the ultimate cloud environment for cloud computing and cloud communications solutions. We are proud to have recently been awarded HITRUST CSF certification (view the HITRUST certification press release here), affirming that all of Evolve IP’s services adhere to the strictest security standards for electronic protected health information (ePHI).
Below are some excerpts from Mr. Khawaja’s HITRUST keynote address that answer the following questions:
- Why was HITRUST needed if we already have a compliance requirement like HIPAA?
- Why doesn’t a SOC II prove that an organization meets high-security standards?
- Why are security questionnaires only 50-60% accurate?
- What’s the number one security risk that you see in your service providers?
- How does HITRUST interact with and relate to other security standards?
Why was HITRUST needed if we already have a compliance requirement like HIPAA?
I could do something like what HIPAA says, which is “add administrative, technical and physical controls”. However, YOU get to decide what constitutes administrative, technical and physical controls. One person could decide that means 10 controls and another person could decide that means 1000 controls. It’s completely open to interpretation, versus the other side (with HITRUST) where it’s very explicitly prescribed with absolutely no deviations permitted. A good example is SOC II. SOC II is a reporting framework. It is not a control framework. Management gets to decide what controls you want to put into the SOC. The AICPA has some basic requirements, but I as management can decide that for us a strong password means one that is four digits. Since that’s what I decided, I can bring in a CPA firm to then attest that those controls are in place. A CPA firm isn’t necessarily going to say I’ve got good or bad security. They’re just going to say that I have the controls in place that I said I do. It’s up to me to decide what those controls are. It’s completely open to interpretation.
Why doesn’t a SOC II prove that an organization meets high-security standards?
You shouldn’t just accept any SOC II because there are good SOC IIs and there are not-so-good SOC IIs. There’s an organization I had the opportunity to work with that agreed with their customer that they would go and get their SOC II. But their compliance, legal, and security teams did not even know about this agreement that they had made with their customer. They had to scramble. They had to go get their SOC II a year before they planned to do it. And guess how long it took them to go get their SOC II? Just six weeks! Why? Because a SOC II is open to interpretation. I can give you a SOC II that’s garbage or I can give you a SOC II that’s awesome. In this case, all they wanted was to check the box. They got their SOC II done in six weeks without a single qualification. The reality is that the organization did not feel like it had the right controls included, so a year later they went and got their next SOC II, and the controls in it were probably 10 times more effective at reducing risk than those in that initial report. Does that give you an example of how good the SOC II is? Yet the reality is most of your customers out there live and die by the SOC II and they’ll accept it. But as organizations get more savvy they’re going to start to say “well wait a minute… what’s inside the SOC II? What do your control requirements look like?” If it’s based on something like HITRUST or some other well-curated and well-thought-out set of controls, then that’s great. If not, then that’s going to be questionable. We follow the HITRUST certification because honestly that is what makes me feel good. If we had anything less than that, I really wouldn’t be able to stand in front of my customer and look him in the eye and say we’re doing a good job securing his information.
Why are security questionnaires only 50-60% accurate?
Every questionnaire I’ve ever seen says “do you encrypt data at rest”. If I had a flash drive that I encrypted last year, could I answer yes to that question? So how valuable is a questionnaire? It’s extremely open to interpretation. When you respond, it’s very difficult to provide valuable and accurate information. It’s not because people are necessarily being malicious or being elusive. It’s just that the questionnaire only has a certain level of efficacy and capability that it can deliver. We know from some of the reviews of self-assessment questionnaires, and the subsequent comparison to the on-site assessments, that the accuracy of an average questionnaire is somewhere around 50% to 60%.
So 40% to 50% of the information in the average questionnaire is incorrect, yet there is such an extreme reliance on questionnaires in the healthcare industry, and in other industries as well. We continue to use them and we continue to promote them, and the reason is very simple: it’s because it’s easy. I could create a questionnaire and send it out to a hundred of my business associates. It may take me two days to do that, versus having to go on site and painstakingly validate every single control.
There’s just one question I would want to ask my third-party or anybody to determine how good of a security program they have. I’d say “how many people do you have that are dedicated to security?” If the answer is zero, I pretty much know they probably don’t care about security. If the answer is two or three, that’s pretty good. And I’ll tell you, the gap between zero and one is huge. The moment you have one dedicated security person, the game totally changes. In terms of risk reduction, the leap from one to twenty is not nearly as much as the leap in between zero and one.