ISMS Certification Does Not Equal Regulatory Compliance

Thursday, December 27, 2012

Rebecca Herold

65be44ae7088566069cc3bef454174a7

Last week I got the following question:

“By becoming ISO 27001 certified does that automatically mean we comply with HIPAA and HITECH requirements?  Are there any requirements of HIPAA/HITECH that are not required to meet ISO 27001 standards?”

This is not the first time I’ve gotten this question, and others similar. As new technology businesses, cloud services and other businesses are popping up to provide services to large regulated organizations, start-ups are increasingly looking for a way to differentiate themselves from their competitors, and also prove that they have not only effective security controls in place, but that they also meet all types of legal compliance requirements.  I completely understand their goals; I provide services to help businesses with meeting all their information security and privacy compliance requirements. And they are usually surprised at the differences between the information security standards and some of the unique compliance requirements in HIPAA, HITECH and other laws and regulations. Unfortunately many to most businesses wrongly assume that all compliance requirements can be met simply through getting an ISO/IEC 27001 information security management system (ISMS) certification, and that they don’t need to know anything about the regulations and laws themselves. This is a legally dangerous belief.

Does ISMS certification equal HIPAA compliance?

No, ISO/IEC 27001 ISMS certification does NOT mean that all HIPAA requirements are met.  While the description provided of an ISMS and ISO/IEC 27001 indicates the certification can be used to ensure compliance with laws and regulations, having an ISMS certification is not, on its own, enough to meet all HIPAA and HITECH requirements.  Here are the four primary reasons why.

1)    ISO/IEC 27001 is an information security framework, and certification applies to a clearly specified scope of the business’s systems and applications, and then determines if the appropriate ISO/IEC 27002 controls are applied within that scope.  ISO/IEC 27001/27002 provides general information security “best” practices; they are not specific to healthcare.  That established scope may also be one that is significantly smaller than what HIPAA covers.  HIPAA includes some requirements that are specific to healthcare, and it covers the full lifecycle of healthcare treatment, payment and operations (TPO) activities involving protected health information (PHI) in all forms, not just a specified group of systems and applications.

2)    ISMS certification represents a point-in-time third party assessment (that typically takes months to complete) reporting whether or not the specified scope of security controls adequately meet ISO/IEC 27001 standardsCompliance for HIPAA, HITECH and other laws and regulations, requires ongoing compliance activities.  Unlike certifications for technology solutions, because compliance with HIPAA, and all other regulations, requires ongoing activities and updates, no organization can ever be “HIPAA Compliance Certified.”  Why? Because compliance levels change as the business environment changes. An organization that is in compliance one day will quickly be out of compliance the next day as a result of installing a new system, opening a new office location, or any other type of significant change, if they do not have an effective compliance management program in place.  However, an organization *can* claim to have a compliance program that addresses all compliance requirements management on an ongoing basis, which is really, feasibly, what organizations should strive to meet. 

3)    Having an ISMS certification may be considered by regulatory compliance auditors if you are audited, but the audit will still take place, and your organization will still be evaluated according to the specifics of HIPAA, HITECH and the risk environment within your organization and the associate specific types of PHI. The key concept within the HHS/OCR HIPAA compliance audits is whether or not you are applying the prescribed HIPAA and HITECH controls as appropriate to your organization’s risks. ISMS certification is admirable, but still won’t guarantee a good audit.

4)    ISMS certification only covers information security controls. Very few of the HIPAA Privacy Rule compliance requirements are covered by an ISMS certification, so CEs would be substantially out of compliance with HIPAA if they depended only upon their ISMS certification for their compliance activities.

With these reasons in mind, obtaining an ISMS certification will be indicative of an information security  compliance program that includes a significant number security controls that are required by HIPAA/HITECH.  But those additional, very specific regulatory compliance requirements, and the need to have the requirements implemented throughout the entire enterprise for the full lifecycle of protected health information (PHI) in all forms, are what will leave an organization at significant risk if they simply obtain an ISMS certification and then do nothing beyond that accomplishment to meet all compliance requirements. 

Many businesses I’ve spoken with have indicated that they don’t want to have to know HIPAA and HITECH, and they sincerely believed…or more accurately hoped…that an ISMS certification would allow them to not even have to look at HIPAA/HITECH requirements. This is simply not true. Compliance is indeed challenging, and does requirement obtaining some knowledge of the specific requirements for each applicable law and regulation that you must follow.

What HIPAA/HITECH requirements are not covered by ISMS certification?

There are many.  I’m currently working on the 2nd edition of “The Practical Guide to HIPAA Privacy and Security Compliance.”  Since I get this question so often, I may include a chapter dedicated to this topic. For now, though, here are just a couple of HIPAA Security Rule requirements that are not explicitly part of the ISO/IEC 27002 controls used to support ISO/IEC 27001:

1)    “§ 164.308 (4)(i) (A) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.”

An ISMS certification will not cover this requirement. While it provides controls covering segregation of networks, it does not cover the complete segregation of administrative, physical and technical processes in the way that HIPAA requires.

2)    ”§ 164.316 (b)(2) (i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.”

ISO/IEC 27002 does include a section on retention, including the following statements:

  • “Some records may need to be securely retained to meet statutory, regulatory or contractual requirements, as well as to support essential business activities”
  • “The time period and data content for information retention may be set by national law or regulation.”

However, the specific retention time for HIPAA is not provided. The accredited ISMS auditor will likely ask about any legal requirements you have to follow. However, the auditors are typically not HIPAA/HITECH experts (but there are a few out there) and may not know what your organization needs to do to be in compliance with HIPAA/HITECH.

So, are most of the concepts that the HIPAA Security Rule and HITECH require found within ISO/IEC 27001 and ISO/IEC 27002 that would be covered within an ISMS certification? Yes. However, significant compliance requirements will not be covered, and most of the HIPAA Privacy Rule are not covered. And, as the scope of your ISMS certification gets smaller, the more it will miss covering with regard to HIPAA/HITECH requirements.

Bottom line for all organizations, from the largest to the smallest:  It is good to consider getting some type of evidence that you are doing all you can to secure information and meet all security and privacy compliance requirements.  While an ISMS certification can provide a point-in-time certification of security controls for an explicitly defined scope of business processes, and it covers a wide range of security controls that are also found in most data protection regulations, it does not cover all compliance requirements for HIPAA, HITECH, or any other law or regulation.

Additional information about ISO certifications and regulatory compliance

Here are some other articles that provide additional information about regulatory mapping:

  1. Cloud Security Alliance Information Security Regulatory Mapping (Excel spreadsheet) 
  2. Dartmouth College Information Security Controls Regulatory Mapping 
  3. HIPAA Security Rule Comparison: Background Briefing Prepared for the HIT Policy Committee Tiger Team 
  4. Compliance Helper provides an information security and privacy compliance service designed to help CEs and BAs meet all their HIPAA and HITECH compliance requirements, and then to stay in compliance on an ongoing basis, and provides the documentation to verify compliance activities.

This post was written as part of the IBM for Midsize Business (http://goo.gl/S6P7m) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

Cross-posted from Privacy Professor

Possibly Related Articles:
11453
General
Information Security
Certification Compliance ISO Standards
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.