Unraveling the Cybersecurity Assessment Maze: Meditology's Guide to Making the Right Choice
Published On March 1, 2024
by Alan DeVaughan
CIS, CISA, CPGs, CMS, CLIA, DURSA, HHS, GDPR, HIC-P, HIPAA, HITRUST, NIST, PCI, SEC, SCF, SOC, SOX, SRA, TECFA, FERPA, CMMC, MITRE, OCR
As the cybersecurity expert at your organization, the number of acronyms that cross your radar daily can be overwhelming. How do you cut through the acronyms, the conflicting regulatory requirements, and the differing opinions on which industry standard best meets the needs of your organization?
Start by asking yourself three crucial questions:
- Is your organization conducting a security risk assessment at least once a year?
- How mature is your internal information security management program?
- Do you have any contractual obligations to perform a specific assessment or obtain a certain certification?
Let's dive deeper into each of these.
Annual Risk Assessments
The first step in the right direction is conducting an annual security risk assessment. This assessment helps you identify potential risks and threats to your organization, assess their impact and likelihood, and evaluate possible mitigating controls/processes. It's essential regardless of the industry you operate in - healthcare, finance, non-profit, manufacturing, or service.
Almost any framework, certification, or other assessment requires you to annually assess your potential risks and threats. In addition, you should determine if the residual risks (i.e., the risks after accounting for mitigating controls) are acceptable and meet the organization’s objectives. There should be a remediation plan to reduce the risks to an acceptable level. In most frameworks, the remediation plan is the key area as your organization should show continual assessment of risks as the threat landscape changes.
A security risk assessment will help you meet requirements for a SOC 2 examination (CC3 – Risk Assessment and CC9 – Risk Mitigation), HITRUST certification (domain 17 – Risk Management), or HIPAA gap analysis (§164.308(a)).
Information Security Program Maturity
The maturity of your information security program plays a pivotal role in determining the appropriate assessment. As your program matures, you will be better equipped to meet certification requirements. Whether you are a small, medium, or large organization, proper scoping is vital. Start small and then expand your scope as your confidence and capabilities grow.
An important starting point for an assessment or certification is determining what part of your environment (e.g., applications, locations, or systems) needs to have a third-party assessment or certification. Scoping is critical for any assessment, and proper scope limitations can improve your chances of a successful project. Once you know the scope, you can determine what type of assessment would be best.
If you are a small organization, or don’t have internal information security, internal audit, or information technology resources to support an assessment or certification effort, start with something small. Choose a key service offering, customer-facing application, or environment for which an assessment or certification would be beneficial.
If you are a medium or large organization, or if you have the internal resources to support this type of project, you still have the same scoping questions. However, you can include more systems, or a larger part of your organization within the assessment scope. In addition, you can determine how much assistance your internal team can provide to support the external assessing organization. Some external assessments such as HITRUST and SOC 2 allow for the use of internal resources to support the external assessor’s efforts.
Even if you are a medium or large organization, I recommend you start small if this will be your first assessment or certification effort. It is much easier to expand a successful small assessment or certification project than it is to try and cover your entire organization or complex environment the first time through.
Contractual Obligations
Contractual obligations can steer your decision towards a particular assessment or certification. Make sure you thoroughly understand what is required by consulting with legal counsel. Be aware that some assessments are not certifications, so ensure your contracts reflect this accurately. An organization can’t be “HIPAA Certified” or “SOC 2 Certified” so having that as a contractual obligation presents a challenge.
For example, if you are required to be “HITRUST Certified”, does that mean an e1, i1, or r2 certification? The level of effort varies greatly amongst those three types of HITRUST certifications. SOC 2 examinations are similar as there are Type 1 (point in time) and Type 2 (over a period of time) options.
You can have a SOC 2 Type 2 examination performed and provide your customer the examination report, but this isn’t a formal certification of a system or application. Similarly, you can have a HIPAA gap assessment performed using the OCR’s audit protocol and provide your customer with a summary of the assessment results.
Once you understand any specific contractual obligation, you can then work towards obtaining that assessment or certification.
Choosing An Appropriate Assessment
Assuming you don't have any specific contractual obligation and you conduct annual security risk assessments, let's explore two major options prevalent in the U.S. - SOC 2 examinations and HITRUST certifications.
HITRUST is a comprehensive, scalable, and certifiable security framework addressing regulatory compliance and risk management.
SOC 2 is an examination report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy and is industry agnostic.
Ranking them from the lowest to highest level of effort would look something like this: HITRUST e1 < SOC 2 Type 2 < HITRUST i1 < HITRUST r2.
But remember, the lower effort doesn't necessarily mean it's the best for your organization. Choose what aligns best with your organization's needs. The HITRUST CSF is very prescriptive, and you must include all the controls and follow their procedures for implementation. You have more flexibility to choose controls within the SOC 2 framework if those controls meet the applicable trust services criteria.
Final Thoughts
Choosing the right assessment or certification can seem overwhelming, but with proper planning and guidance, it doesn't have to be. At Meditology, we have years of experience navigating these waters. Let us help you chart the best course for your organization's cybersecurity journey.
Don't let the cybersecurity assessment maze keep you up at night. Connect with the experts at Meditology, and let's find the right path together.
Meditology Services is a leading provider of risk management, cybersecurity, and regulatory compliance consulting services that is exclusively focused on serving the healthcare community. More than a provider of services, Meditology is a strategic partner committed to providing our clients actionable solutions to achieve their most pressing objectives. With experience serving healthcare organizations ranging in size, structure, and operational complexity, we uniquely understand the challenges our clients face every day and dedicate ourselves to helping solve them.
For more information on how third-party attestations demonstrate that your organization has implemented effective controls to safeguard the security and privacy of sensitive data, see our sister company, CORL.
About the Author
Alan DeVaughan is an experienced compliance and information security senior manager specializing in assisting organizations with SOC 2 readiness assessments and examinations for over 10 years. In addition to leading Meditology’s SOC 2 and security risk assessments service lines, he serves as a consultant team leader focused on advising healthcare clients of varying size and complexity in areas of IT, privacy, security, and compliance. Alan has in-depth knowledge of security technology frameworks such as NIST, HITRUST, SOC 1 / SOC 2, HIPAA, and FFIEC. With a background in network administration, he has over 25 years’ experience in information technology consulting for a wide variety of organizations and industries.