The Ohio Department of Developmental Disabilities recently announced a HIPAA compliance review of the County Boards of Developmental Disabilities. In the email contacting the initial group of county boards to be reviewed, Michelle Burk of DODD describe the audit as “an evaluation of security and privacy safeguards of your systems and organization to demonstrate and document ongoing compliance.” So far only a small number of counties have been selected as “Group 1” of this review, with no clear indication when or whether more counties will be reviewed. Eagle attempted to contact Ms. Burk for more information but has not received a response as of August 14.
For this review, DODD is using 15 of the 20 CIS Controls from the Center for Internet Security, a well-respected information security standard. (They exclude controls 11, 12, 15, 18, and 20.)
“The CIS Controls™ are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The CIS Controls are developed by a community of IT experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices. The experts who develop the CIS Controls come from a wide range of sectors including retail, manufacturing, healthcare, education, government, defense, and others.” (Introduction to the CIS Controls Version 7)
The CIS Controls provide much-needed specificity to the HIPAA Security Rule Implementation Specifications. HIPAA was designed to be highly scalable so that the regulations could apply to organizations with one employee or 100,000 employees and could be interpreted based on the size, situation, and capabilities of an organization. An industry-validated control set such as the CIS Controls provides specificity and keeps up with the changing information security landscape in ways that the HIPAA regulations cannot.
To assist Boards of DD facing upcoming review, Eagle has prepared a crosswalk between the CIS Controls and the related HIPAA Security Rule Implementation Specifications. (Click here to download the crosswalk in PDF.) As you will see, not all CIS Controls have corresponding HIPAA controls, nor should the matched CIS & HIPAA controls be considered equivalents.
The HHS Office for Civil Rights (OCR), the federal agency responsible for HIPAA enforcement, asserts that the HIPAA regulations imply that thorough information security controls are required, even if does not name the security controls method that should be used. For instance, the OCR in their June 2018 Cybersecurity Newsletter stated that applying computer and application security updates is not optional.
Eagle will be providing more information on this DODD effort as it becomes available and can support Boards going through this HIPAA review by providing both assessment guidance and remediation recommendations. In the meantime, please contact us with any questions. Eagle has been providing security consulting for the Ohio county Boards of DD since the initial implementation of the HIPAA Security Rule in 2005.