Readers Write: The Evolving Role of a Security Control Assessor

The Evolving Role of a Security Control Assessor
By Angela Fitzpatrick

Angela Fitzpatrick, MSHI is VP of IT risk management for Meditology Services of Atlanta, GA.

As the cybersecurity and regulatory landscapes continue to change and escalate, healthcare organizations find themselves juggling a myriad of priorities within their security strategy. They must ensure they have adequate assurance options while dealing with the increased intertwining of cybersecurity with other functions such as procurement, compliance, and digital transformation.

In response, healthcare organizations are broadening their security operations, highlighting the need for security leaders who strategically understand the use cases for cybersecurity within the business. They are also redefining the role of security control assessors (SCAs), from merely applying standards to also understanding how standards fit into the organization’s larger cybersecurity framework.

The rising value of patient data, including protected health information (PHI) and personally identifiable information (PII), makes healthcare organizations prime targets for cyberattacks. This data is highly sought after, with black market values skyrocketing to 10 to 40 times more than credit card numbers.

According to the 2023 “Cost of a Data Breach Report” by Ponemon Institute and IBM Security, the average cost of a breach for a healthcare organization is close to $10 million, a 53% increase from 2020. This surpasses the average cost for breaches across all industries in 2023, which stands at $4.45 million.

The Health and Human Services (HHS) Office for Civil Rights (OCR) “Wall of Shame” reveals a distressing trend that aligns with these figures. From January to November 2023, nearly 500 breaches affecting 500 or more individuals were reported to the OCR, a sharp increase from the 278 reported breaches during the same period in 2022. The attacks, which affected more than 90 million individuals, were reported across 300 provider organizations, 120 business associates, and 73 health plans. The majority were hacking incidents (407), followed by unauthorized access or disclosure (80) and theft (7).

Although it’s alarming to see the escalating cost and frequency of cyberattacks, perhaps the most unsettling fact is that a mere one-third of these attacks were detected internally by security teams or tools. Even more startling is the revelation that the attackers themselves reported the majority of these breaches, accounting for 67% of the total.

The incessant cyber onslaught aimed at patient data has left healthcare organizations in a frantic search for solutions. Part of the answer lies in escalating investments in incident response (IR) planning and testing, staff training, and technologies for detecting and responding to threats. The Ponemon/IBM report identified these activities as the most efficient ways of reducing the cost impact of an attack, complemented by implementing a DevSecOps approach.

To maximize the efficiency of these investments, it’s crucial for healthcare organizations to scrutinize the pivotal role that SCAs have in pinpointing and alleviating potential vulnerabilities.

The Evolving Role of the SCA

Security control assessors meticulously examine security measures in place within an information system, employing a repertoire of assessment and testing methodologies to gauge the efficacy of administrative, operational, and technical safeguards. Their primary responsibilities include detecting vulnerabilities, proposing remedial measures, and safeguarding system integrity by pinpointing and mitigating potential paths of exploitation.

Additional SCA responsibilities encompass:

• Creating strategies for tracking and evaluating risk, compliance, and assurance operations.
• Constructing specifications to harmonize risk, compliance, and assurance endeavors with security prerequisites.
• Organizing and executing reviews of security authorization.
• Assessing interfaces for potential vulnerabilities.

In addition, SCAs are tasked with validating application software, network, and system security implementations. They meticulously document deviations from the prescribed security standards and, crucially, propose appropriate rectifying measures.

In the current era, the role of an SCA has evolved beyond traditional responsibilities into that of a guide who appreciates the unique complexities and limitations inherent to an organization, and charts an achievable path towards enhanced cybersecurity. This pragmatic approach strikes a balance between stringent security protocols and the practicality of implementation. Assessors deploy a tailored strategy for each organization, aligning with its specific hurdles, assets, and cybersecurity objectives. They assist in evaluating various attestation alternatives and guide organizations in pursuing attestations in an incremental manner, thus strengthening cybersecurity over time.

In the healthcare domain, the significance of the SCA’s role is heightened due to their ability to align assurances with regulatory stipulations such as HIPAA. As the landscape of regulatory requirements shifts, SCAs must stay at the forefront of changes. They must transcend the boundaries of occasional involvement and adopt the mantle of a persistent catalyst for progress, fostering an environment of perpetual learning and advancement.

Moreover, as the domain of cybersecurity expands its interdisciplinary reach, SCAs assume the mantle of navigating the humanistic and cultural facets of the certification and attestation process and its subsequent repercussions on the organization’s everyday operational realities. In the end, proficient SCAs conduct assessments and actively participate in remediation planning and implementation, steering clear of a mere evaluate-and-depart modus operandi.

Impact on Attestation

An SCA has the potential to significantly influence a healthcare organization’s success in attaining attestation by minimizing challenges and resistance. By comprehending the full context and nuances of an organization’s cybersecurity stance, the SCA is best equipped to navigate it along the attestation pathway. This reduces impediments and facilitates a more streamlined and achievable certification process.

In the current cybersecurity landscape, the SCA’s role is to boost the chances of attestation success by adopting a mentorship stance and investing time in gaining a deep understanding of their organization’s specific context. This focused approach equips assessors to offer actionable and customized guidance, thereby enhancing the organization’s prospects of achieving successful attestation.

The metamorphosed role of the SCA underscores the importance of cooperation and participation among all interested parties. Serving as a connecting link, SCAs promote improved dialogue and comprehension, ensuring that everyone is synchronized in their objectives and anticipations. This simplifies the procedure, cultivates confidence, and fortifies alliances, which are essential for enduring cybersecurity partnerships.

Ultimately, SCAs play a pivotal role in fostering sustainable progress and substantial expansion in the realm of cybersecurity.

By establishing an effective alliance, healthcare organizations can utilize the expertise of SCAs to critically evaluate and guide the maturation of in-house programs. With a strategic orientation, this collaboration can instigate enduring change and promote lasting advancements.