Systems and Security Blog: If you ever want to be humbled, put your systems through a complete security audit.

So just where have I been for the past two months? My job includes managing the cybersecurity and compliance program for an Electronic Health Record (GEHRIMED) company, Geriatric Practice Management. For the past two months I was heavily involved in our annual SSAE-16 SOC 1 Type 2 external audit (covers HIPAA, Penetration testing, etc.). I am very happy to report that we passed with flying colors, or in Auditor speak, “No exceptions noted.”

I thought I would pass along some valuable lessons learned, in the hope that you might find a piece of knowledge you can incorporate into the program at your own business.

The Basics: These are the building blocks of any successful security and compliance program.

  1. Complete buy-in from the decision makers in your organization.
  2. Robust policies and procedures.
  3. Proficient tracking mechanisms to prove that scheduled events that are supposed to happen actually occurred. We use the Atlassian Jira system with the Scheduler add-on to have all of the items our policies and procedures call out automatically created and assigned to the responsible individual for properly completing that task.

Lessons Learned: Here is what I found out this year.

  1. Everything changes. Your infrastructure, business processes and personnel are constantly changing. You need to keep up with all of these changes.
  2. Policies and procedures need to be reviewed at least quarterly. With all the changes in every area of your business, your policies and procedures must evolve as well. We now review our policies and procedures monthly.
  3. Review program changes with all key stakeholders. End users will not understand, or like, changes to business processes or infrastructure. Having key managers and executives buy in will make adoption more successful. We met significant resistance to our new two-factor authentication on our internal systems until key managers understood why it was needed.
  4. External Penetration and Social Engineering Testing. I have advocated, and we adhere to, using a different vendor every year for penetration testing.  This year a Social Engineering component was added.  While we passed, being able to see how the vendor conducted the Social Engineering component testing gave me new insights into areas where we could be vulnerable.
  5. Employees are people: “Trust but Verify”. It is an industry given that the weakest link in your program will be the employees. For someone who respects and likes the people I work with, this was the hardest lesson to accept. One of our employees clicked on an attachment during the Social Engineering testing. Not because they were unaware, but because they were busy doing their jobs. Our last layer of defense protected us, but it should not have gotten that far. It proved that our layers were good, but that several more layers added to our protection will make our infrastructure even better. Humbling, to say the least.
  6. Your program will change and grow. As your business grows and matures, so does your program.  The decision makers must be kept up to date.  Your program is like a growing onion, constantly adding layers.  We keep our COO constantly updated and apprised of changes.
  7. Better employee training. Annual HIPAA training is not enough.  We now have a Lunch and Learn series that will cover specific security topics every other month.  If that is not enough we will make them more frequent.

I have found a useful tool that allows you to create phishing e-mails and send them to your own employees. It is free. I have already planned a series of these tests throughout 2017. Duo Insight: https://duo.com/resources/duo-insight.

Now to start work on the 2017 program.  We are moving to a SOC 2 Type 2 program this year.  This program will be more intense and in depth, but it is where we need to move as an organization.  Time to write more policies and procedures…


Sean Smith
Geriatric Practice Management
Senior Security & Compliance Engineer
