What does “Compliance” mean to a Healthcare CISO?

Posted by William "Buddy" Gillespie HCISPP, ITILv3 on Thu, Apr 14, 2016

The role of the healthcare CISO has expanded exponentially since the HITECH Act of 2009.  CISOs were traditionally charged with the responsibility to maintain the IT environment consisting of applications and infrastructure.  Today they are taking on an expanded organizational role consisting of innovation, operational responsibility and compliance.  Although compliance governance takes a village of leadership and stakeholders, CISOs still remain at the center of the universe.  A multitude of federal and state regulations are at the CISO’s doorstep and pressing on their scope of responsibility.



Among these regulations are PCI, ICD-10, Meaningful Use and, the biggest and most daunting of all, HIPAA.  If a Healthcare Organization (HCO) fails to meet the compliancy standards required by these regulations, the results may be penalties consisting of fees, possible imprisonment and the loss of credibility. 

The “experts” all agree that the following are the largest and most challenging force vectors for the healthcare CIO to confront in order to achieve and sustain compliance:


  • Mobile Devices:
    • The sprawl of mobile devices in the Internet of Things (IoT) has created multiple and diverse conduits into the patient data.  A strong Mobile Device Management solution should be implemented along with encryption where appropriate.  CIOs are taking responsibility to map the information flow of patient data to ensure that the data is following the authorized path.
  • Rogue Applications:
    • None of the enterprise applications in healthcare can meet all the point-specific needs across the HCO enterprise.  This void has spawned the sprawl of rogue applications.  These apps are often acquired without the knowledge of the CISO.  The CISO and IS are not able to provide the best controls without being a part of those third-party solutions.
  • The Cloud:
    • The use of Cloud Service Providers (CSP) in healthcare has its advantages and benefits.  Lower cost and scalability are two of the most common benefits.  However, the CISO must ensure that the CSP is HIPAA compliant and a strong Service Level Agreement is negotiated.
  • Payment Card Industry (PCI):
  • HIPAA:
    • The number one compliancy challenge for CISOs is HIPAA.  The HITECH Act expanded the scope of HIPAA and the Omnibus bill in 2013 gave definition and guidance for the implementation of the HITECH requirements.  The Meaningful Use requirements expanded the access to the electronic medical records, thus creating additional opportunities for security breaches.  The good news is that CISOs have the technical controls available in the marketplace to build a fortress against the onslaught of breach opportunities.  On the other side of the coin, CISOs must build the case for a security budget that will allow for the acquisition and implementation of those controls.

In order to be successful and achieve the appropriate level of compliance, the CISO must advocate for a Compliance Governance within the HCO.  The CISO can be the catalyst but it will take a village of leadership and stakeholders to weather the strong currents that drive compliancy.



Want to hear more from Buddy on the role of HIPAA and compliance in healthcare? Download his free on-demand webinar Privacy and Security in Healthcare  

Tags: hipaa compliance, compliance, PCI DSS, HIPAA

Costa Rica Investigating Rigged Elections, Georgetown University Hit by Cyberattack and More in This Week's #TechTuesday Roundup

Posted by Harley Boykin - Marketing Coordinator on Tue, Apr 12, 2016

Costa Rica investigating rigged elections by political hacker, Adobe updates flash player patching active zero-day vulnerability, Georgetown University hit by cyberattack, NCT breach compromised info on 15,085 new and expectant parents, and Apple lockscreen flaw lays open contacts and photos.

Tags: #techtuesday, cyber attack, breach, security flaw

What does "Compliance" mean to you?

Posted by Ashley Sims - Marketing Manager on Thu, Apr 07, 2016

Compliance is a word that we hear a lot in our business. Broadly, it is defined as "the action or fact of complying with a wish or command." 

If that seems like a simple definition, it's because it is. It's too simple. In today's world, not only do you have to comply with the wishes of customers, vendors, and board members; you have to make sure that you are compliant with any one of several governing boards in your industry. 

HIPAA. SOX. NIST. PCI-DSS. These are just a few of the most well-known regulations that businesses have to follow, and they all create very unique challenges for organizations. 

In order to get a better handle on what "compliance" means outside of Webster's definition, we asked some of our friends around the cyber-security industry to help us out and answer the seemingly simple question: "What does 'Compliance' mean to you?"

"What does compliance mean to me? In short, it’s the bare minimum standard we must meet in order to be able to demonstrate security. Compliance gives us a common language to use between regulators, auditors and security to evaluate the effectiveness of our controls."

Brent Comstock - VP, Identity & Access Management, Elavon 

"Compliance is simply defined as the ability to comply with a set of rules or requests.  As a CFO, we typically think of this as ensuring the organization has the requisite systems of internal control that adequately manage the risks that the corporation faces in multiple areas (such as legal risk, financial risk, regulation risk, IT risk, data risk, etc). Interesting to note that organizations continue to equate compliance with security with an inappropriate reliance on historical system compliance procedures leading them to mistakenly believe that their company is more secure."

Curtis Cain - CFO, Courion Corporation 

"With Information Security this goes further and it is more than just acting in accordance with regulatory conditions or requirements.  It is consistently acting with initiative, which according to Victor Hugo is “doing the right thing without being told.”  For one reason or another, some wait until they are told what is right or wrong prior to acting, but this places industries at risk, especially if they are not taking steps to proactively protect their technologies and the information housed within."

Alex Naveira, CISSP, CISA - Director, ITGA & CISO, Miami Children's Hospital 

"In order to be successful and achieve the appropriate level of compliance, the CIO must advocate for a Compliance Governance within the HCO.  The CIO can be the catalyst but it will take a village of leadership and stakeholders to weather the strong currents that drive compliancy."

William "Buddy" Gillespie, HCISPP, ITILv3 - WJGillespie HIT Consulting  

Do these definitions ring true in your business? If not, tell us what compliance means to you in the comments. 

Looking for more information on how your organization can become or remain compliant? Courion and Core Security have multiple options for maintaining compliance across all industry and government regulations. Find out more here or contact us at info@courion.com


Tags: access compliance, hipaa compliance, access risk, compliance

DIY Hacking Kits, Phishing Scams, and Ransomware in This Week's #TechTuesday Roundup

Posted by Harley Boykin - Marketing Coordinator on Tue, Apr 05, 2016
In this week's #TechTuesday: Android and iPhone do-it-yourself hacking kits are available to security experts and wannabes, scammers are phishing using fake Macy's delivery emails, more than 55 companies have fallen victim to W-2 phishing scams, another Canadian hospital is hit with ransomware, and e-Commerce platform Magento is targeted with a new type of ransomware. 

Tags: ransomware, #techtuesday, Hacking, phishing

How does Vulnerability and Access Risk Management Work?

Posted by Felicia Thomas on Thu, Mar 31, 2016
When a company wants to prevent breaches that come through vulnerabilities, it can detect them with a vulnerability scanner. These scanners will show all vulnerabilities in the infrastructure, from tens to thousands, depending on the size of the network. In addition, many vulnerability management solutions offer antivirus software capable of fact-finding analysis to discover undocumented malware. If it finds software behaving suspiciously—such as attempting to overwrite a system file—it will provide an alert.
Fast-acting correction of these vulnerabilities, such as adding security solutions or educating users about social engineering, will be the difference between exposing a system to potential threats and protecting the system from those threats.
Access risk management (ARM) is the part of an IAM solution that identifies, assesses, and prioritizes risks from an access provisioning and compliance perspective. Because risk comes from various sources, access risk management helps to continuously monitor a system while providing preventative measures to manage user access and account entitlements.
Having VARM as a threat solution helps when identifying the sources of potential risk. Risk sources are often located not only in technological assets but within infrastructure and other tangible elements. It is extremely difficult for IT security personnel to apply an objective and systematic observation of the state of their network without a solution in place. Utilizing VARM helps to identify not only that something is wrong, but also supports a clear understanding of how, when and where to act on a potential threat.

Want to learn more about Vulnerability and Access Risk Management and how it can help your organization? Download our new eBook and learn:


  • How Vulnerability and Access Risk Management really works
  • VARM's impact on governance and remediation 
  • Tools to remediate vulnerabilities 
  • Prioritization for reducing risk 
  • Check list for a VARM solution 

Tags: access governance, access risk, access management, vulnerability management, vulnerability risk management, vulnerability, Vulnerability and access risk management, VARM

Uber Launches Hacker Bounty Program, Google Enhances Gmail Security, and More in This Week's #TechTuesday

Posted by Harley Boykin - Marketing Coordinator on Tue, Mar 29, 2016
In this week's #TechTuesday: Uber launches hacker bounty program, Google enhances Gmail security, new ransomware created from PowerShell, wireless mice leaves billions at risk of computer hacks, and online ticket scams soar 55% in 2015. 

Tags: ransomware, #techtuesday, hack, hacker, malicious

Preventing Cyber Attacks: A Step by Step Guide

Posted by Ashley Sims - Marketing Manager on Thu, Mar 24, 2016

Tags: cyber attack, Cyberattack, cyber threat

Stagefright Hack is Back for Android Devices, Amex Investigates Possible Data Breach, and More in This Week's #TechTuesday Roundup

Posted by Harley Boykin - Marketing Coordinator on Tue, Mar 22, 2016
In this week's #TechTuesday: Some Android phones are susceptible to the Stagefright hack, Amex investigates a possible data breach, UK online banking fraud soars 64% in 2015, Google adds HTTPS report card to transparency report, and a ransomware creator foils ransomware author's plans. 

Tags: #techtuesday, hack, data breach, onlinebanking, fraud

An Ode to Math - A Winning Formula for Your Organization

Posted by Harley Boykin - Marketing Coordinator on Thu, Mar 17, 2016

Miss yesterday’s webinar with President of Securosis, Mike Rothman? Well don’t worry, we’ve got you covered.

In this webinar, Mike Rothman:

  • Gives us a quick view into the world of the CISO
  • Takes a look backward at security
  • Shows us what the future of security looks like
  • And delivers an ode to math and how to find the winning formula for your organization

In our ever-evolving world of cyber-security, we know there will be more issues that arise and fewer resources to solve those issues. In this webinar, Mike explains how we can use math to try and bridge the gap by asking better questions and using analytics to get more data. More data + Math = Better Answers.

For more information on finding the winning formula for your organization, download our webinar here and check out the Securosis blog.


Tags: Webinar, analytics, cyber security

IS Defector Reveals Identity of 22,000 Members, Hacker Picks 1-800-FLOWERS Customer Credit Card Info, and More in This Week's #TechTuesday Roundup

Posted by Harley Boykin - Marketing Coordinator on Tue, Mar 15, 2016

In this week's #TechTuesday roundup: IS defector steals USB stick revealing 22K members' identities, Rosen Hotels becomes latest chain to suffer data breach, hacker picks 1-800-FLOWERS customer credit card info, oncology clinic breached, and Clark County Water Reclamation District hit with cyberattack.


Tags: ransomware, healthcare data, #techtuesday, credit card, data breach, hacker, identity