For the last couple of newsletters, I have been writing from a fairly general level as introductions to this topic. In this newsletter, we attempt to get down to some technical details and examples of why automating your risk management and compliance is so important. We’ll even note how we are seeing AI being used within automated risk and cybersecurity compliance tools and what it’s doing on your behalf.
Now, the real question around life, the universe, and everything is: have I covered all of my bases with our cybersecurity and risk management program, and how would I know that? The answer is not “42,” to quote author Douglas Adams. The real answer is, map to a standard, do a gap analysis, true up, and continually maintain your program in real time. How do you do this? Typically, in healthcare, this process has been a hodgepodge of spreadsheets, tribal knowledge, and periodic yearly audits. The problem with this scenario is that it doesn’t work for several reasons. Spreadsheets are static, tribal knowledge isn’t accessible and walks out the door with employees, and audits are useless and outdated the day after the report is delivered.
Let’s look at a new way of doing things; how do we fix this?
One way to know if you are covering all of your cybersecurity and risk management bases is to map to a standard such as NIST, ISO, or Hitrust. Additionally, healthcare will have to overlay HIPAA requirements with this program. Many organizations do this, but only on spreadsheets and periodic audits, which yield the same problems noted above. Let’s take a NIST/HIPAA example, the control for multifactor authentication, which is mandated for highly sensitive systems containing protected health data or ePHI. A systems administrator can manually poll a system at a point in time and note that all users have multifactor authentication set for their accounts. This goes on a spreadsheet.
Over the next month, 30 traveling nurse users will be added to the electronic health record system. The organization typically does not manually poll systems for compliance on a regular basis. The next validation of adherence to the multifactor authentication rule may be during the next audit period, in six months. The compliance adherence and the risk associated with this process are unknown for long periods of time. Also, this is in the CISO’s spreadsheet. Compliance, Risk, IT, security, and HR/training may all have their own spreadsheets that should be consolidated to show an overall risk profile. Multiply this by the over 300+ risk items that NIST and HIPAA address. The time between audits is literally a black hole in knowing your risk and cybersecurity compliance. Not to mention your vulnerability exposure to breaches and not knowing what cybersecurity items are lacking or non-compliant.
Now, let’s look at the same example using automated Cybersecurity compliance and risk tools. The NIST framework, and HIPAA requirements are loaded as a framework into the tool. These tools are intelligent and today use AI to organize data and to anticipate activities. Data, policies, and documents relating to cybersecurity and risk management can be loaded into the system by the owners via a variety of communication methods. So it will be apparent what documentation the organization may be missing to meet compliance/regulatory requirements. This is all accessible and noted in a common platform, one location of the formal record. Back to the multifactor authentication example. The automated tools out of the box, have connections into a variety of systems. And, they also have the ability to connect via API calls to other specific healthcare applications to pull controls.
The tools DO NOT pull any sensitive data, thus avoiding yet another security problem for CISOs. They merely pull the controls that a system has configured and can run tests against those controls and return compliance stats. So, for the multifactor authentication example, the tool would poll the ePHI-sensitive system and run a test on users to show who has multifactor authentication turned on and which accounts don’t. Typically, the test will verify that all provisioned users are in compliance, but there are a couple of accounts that don’t have MFA turned on.
These will be Admin accounts and Service accounts. This leads to a whole other level of compliance validation around NIST and HIPAA rules around these types of accounts and how they are handled, which is also programmed into the tool. This test could be run anytime; it can be scheduled and repopulates the tool with the current real-time compliance data. These automated functions exist for most of the controls.
What Can AI Do Under the Covers in Automated Risk and Cybersecurity Compliance
- Predictive security risks – What is likely to fail?
- Automatically tie commitments, from contracts and security questionnaires to controls and risks
- Analyze contracts to ensure that commitments are in line with company controls
- Review vendor SOC2 reports and vendor assessments and identify risk areas
- Suggest mitigating controls for risks
- Predictive risk assessment to continuously assess and predict risks based on real-time data and historical trends.
- Automatically map your current controls to a compliance standard, and view the gaps; suggest controls to fill those gaps
- Create your compliance program automatically based on the type of company, your tech stack, and your data
- Generate policy documents from your controls and industry best practices
- Automatically respond to vendor assessments based on your Semantic Graph
- Suggest controls to adopt based on what your customers are asking for in security questionnaires
- Provide a Trust Assistant to answer questions about your compliance posture
- Prioritizing the most important tasks based on risk impact
What Have We Accomplished and ROI:
- We have converted to real-time risk and vulnerability management (ROI)
- Window into non-compliant items, can immediately address (not 6 months) (ROI)
- Reduced labor, security, compliance, risk employee visibility/automation (big ROI)
- Dashboards config for CISO, CIO, Risk, Compliance, and Board of Directors (more ROI)
- Trible knowledge is captured in the tool, not dependent on memory
- Audit ready, the tool provides auditors with most information they need, including history and trends over time, and reduces your team’s labor and auditor time as they can be provisioned as “read-only” users of the tool (another big ROI)
For more information about CSI Companies’ Security and AI Readiness Programs, visit our website and speak with one of our experts today!
Visit our Newsroom to learn more about how CSI Companies has expanded its offerings into Security and AI Solutions.
About the Author
Paul J. Caracciolo is the Executive Vice President of CSI Companies’ Cybersecurity, Risk, and AI Management practice. Our practice uses automated risk and Cybersecurity compliance tools to get hospitals in a posture of real-time management of their environments. Our offerings have a large impact relating to very clear ROI and cost savings in these applications. An added benefit is that we enable organizations to take a proactive approach to managing risk and security instead of being in a firefighting, reactive, and outdated periodic audit mode. Paul can be reached at pcaracciolo@csicompanies.com.
