AHLA's Speaking of Health Law

Health Data Defense: Understanding Security Standards and Certifications

August 09, 2022 AHLA Podcasts

Adam Nunn, Director, Consulting Services, Clearwater, speaks with Jiayan Chen, Partner, McDermott Will & Emery LLP, Leeann Habte, Partner, Best Best & Krieger LLP, and Ty Kayam, Corporate Counsel, Microsoft, about legal and compliance considerations related to key cybersecurity frameworks, standards, and certifications. They discuss developments related to Public Law 116-321, due diligence best practices for entities and business associates, and how organizations can show framework adoption. Jiayan, Leeann, and Ty authored an October 2021 Health Law Connections article on this subject. From AHLA’s Health Information and Technology Practice Group. Sponsored by Clearwater.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for AHLA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Their solutions include their proprietary software-as-a-service-based platform, IRM|Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise, and advisory support from their deep team of information security experts. For more information, visit clearwatercompliance.com.

Speaker 2:

Hello and good day. My name is Adam Nunn. I'm a director with Clearwater. We are a cybersecurity and risk management compliance solutions company, exclusively focused on the healthcare industry. My team assists organizations in developing and managing their cybersecurity programs. We are here today to discuss the American Health Law Association article "Health Data Defense: Understanding Security Standards and Certifications." Today we have the authors of the article. I'm going to ask them to introduce themselves in a second, but we're glad to have this podcast to discuss this article. With that, Jiayan, I'm going to turn it over to you for introductions.

Speaker 3:

Yeah, thanks Adam. It's great to be with AHLA and get an opportunity to talk a little bit more about our article and the topics today. My name is Jiayan Chen. I'm a partner in the DC office of the law firm McDermott Will & Emery. I advise a range of entities in the healthcare industry, including digital health companies, providers, payers, data companies, and life sciences companies, on a range of data privacy and data security matters, as well as research compliance matters and various strategic and commercial collaborations.

Speaker 2:

Okay. Thanks, Jiayan. Leeann?

Speaker 4:

Thank you. I too am happy to be here to have this discussion with you today. I am a partner at Best Best & Krieger in the Los Angeles office. Best Best & Krieger is a California-based, regional firm that specializes in public entity clients. I have advised on HIPAA privacy and security for quite some time, actually I think since the initial HIPAA rules were implemented. So my focus is primarily on working with healthcare entities, health plans, providers, and digital health and medical device companies on privacy and security issues, and I focus on healthcare privacy issues under California law primarily.

Speaker 2:

Thanks, Leeann. Okay, Ty.

Speaker 5:

Great. Thanks, Adam, and thank you for having us today. My name is Ty, and I'm part of the health sciences legal team at Microsoft. Here I am product counsel for the health AI product suite. I'm also involved in our global health policy initiatives, and I also do a bit of technology transactions within the digital health industry. Today all viewpoints are my own, and they aren't affiliated with Microsoft or with any other organization that I'm affiliated with.

Speaker 2:

Thanks, Ty. Okay. To kick off the podcast, we prepared several questions for the authors. In summary, the article discusses the key cybersecurity frameworks that are available, benefits of the frameworks, legal background of the frameworks, an overview of security certifications and standards, and security certification diligence. The first question that we have is related to the most recent update that I've seen across the frameworks, which is Public Law 116-321. This law basically amended the HITECH Act and requires HHS to consider a covered entity's or business associate's implementation of recognized security practices when assessing enforcement actions for violations of the HIPAA Security Rule. How have regulated entities been approaching this so-called safe harbor? Have there been any developments as to how the Office for Civil Rights has been implementing this authority?

Speaker 3:

Yeah, I'm happy to start here, Adam. So when we were putting together the article last year, we thought it was really important to frame the discussion with the enactment of this law, which I'll refer to as H.R. 7898. The reason for that is that it provides the "why" here in many respects. So this is a law, as you mentioned, Adam, that amends the HITECH Act to essentially provide the HHS Secretary the leeway to think about and consider the fact that a HIPAA-regulated entity adopted various recognized security practices in determining what enforcement activity, or to what extent to take enforcement activity, under the HIPAA Security Rule. So it's enacted with the goal of encouraging HIPAA-regulated entities to do what they can to safeguard protected health information, and it is more of a carrot rather than a stick in its approach to facilitating the adoption of cybersecurity practices. What's important to note under this law is that it leaves things a bit open-ended as to what those recognized security practices will be. There are two frameworks that are specifically called out in the law. One is the NIST Cybersecurity Framework, which we'll be discussing today, as well as approaches implemented under Section 405(d) of the Cybersecurity Act. Those two frameworks, per this law, would automatically constitute recognized security practices, but there's also a catchall reference in the law for other programs and processes that address cybersecurity that are developed or promulgated through rulemaking or other statutory authorities. Since we published our article, which was late last year, OCR did issue a request for information, or RFI, on this very topic. They published it on April 6th, 2022, and one of the issues on which it solicits comment is how covered entities and BAs are implementing recognized security practices.
What are the security practices that they've been implementing? How are they demonstrating the implementation of security practices? Comments on that RFI closed on June 6th, but it's indicative of the fact that OCR continues to think about what the various standards or frameworks or certifications or other models are that regulators should be thinking about when deciding how lenient, if at all, to be when assessing penalties or taking other enforcement actions under the Security Rule. So I don't know that there's a whole lot of publicly available information about how the agency has been taking this into account. I wouldn't call it a safe harbor; I think it's really more of an authority that the agency has to consider the implementation of recognized security practices. But we are aware of the fact that they continue to assess the best way to implement it, and we'll see if they issue any additional guidance or engage in any notice-and-comment rulemaking under the statute in order to provide stakeholders with more certainty or more information around how the agency is going to be implementing this authority.

Speaker 4:

I would just like to add on to that. OCR has long looked to NIST as a cybersecurity framework. For example, for many years it has crosswalked the Security Rule standards to NIST, so I think this formalizes that intent, adding of course 405(d). But I think that the elephant in the room, the big remaining issue, is going to be implementation and what constitutes adequate implementation, and in that case, when covered entities or business associates will actually be receiving more limited enforcement for their use of this framework. Because, as we know, many times entities do adopt frameworks, but there's a glitch in their implementation.

Speaker 3:

I think that's right, Leeann. The other thing that I would add is that it's interesting that they issued the RFI, because I'm sure they will receive a lot of comments in this regard. But there are, as we know, other frameworks and certifications and standards that healthcare entities have also frequently adopted: HITRUST, SOC 2s, ISO, for example, ones that we talk about in the article. Some of them are proprietary, and I think that's probably one reason why they weren't expressly included in the statute, because NIST and 405(d), those approaches are publicly available. So I wonder if that was one consideration as well. But I imagine that regulated entities under HIPAA are probably eager not only for more guidance as to how to demonstrate, as you say, that they've implemented those practices, but also, for those that have undergone HITRUST certification or been assessed for compliance with the ISO 27000 family of standards, I'm sure they would love to be able to take advantage, or at least argue that they should be afforded more leniency in the event of any violation of the Security Rule.

Speaker 4:

Right. And it may be that they would argue that in an audit resulting from a data breach, again, they would perhaps have some reduction in their burden. We shall see. It will be interesting.

Speaker 3:

Yep.

Speaker 2:

Jiayan, you talked a little bit about certifications, standards and frameworks. Can we spend some time talking about the difference between those three domains and how organizations might be pursuing those?

Speaker 3:

Yeah, so I think the names are somewhat self-explanatory, but I do think there's a fair amount of overlap between a framework and a standard. I even sometimes see the ISO family of standards also referred to as a framework. So I don't know that there's a universal recognition or alignment on what distinguishes a standard from a framework. But I do think that certifications are distinguishable in that regard. And as we talk about in the article, not all of the ones that we discuss, or that are available and commonly used by healthcare organizations and companies, are certifications. HITRUST is one, and ISO is another; those are standards and requirements against which organizations can be evaluated, and then they have something nice and shiny to show to customers or third parties or others to demonstrate their adherence to those standards. But there are others, like NIST, that don't involve any certification or assessment aside from one that maybe the entity would do on their own internally. And I think in that regard, those frameworks are more intended to be flexible resources that organizations can use to build the components of a robust cybersecurity program that's reflective of their size and sophistication and the risks and vulnerabilities that apply to their organization and their data, and that kind of serves as a foundation for them to then plug and play various safeguards and controls as that organization evolves over time. I don't know, Ty, if you have any additional thoughts there.

Speaker 5:

No, Jiayan, you're absolutely right that there isn't a standard definition for the three, but I think a good way to think about it is that a framework is essentially a set of standards, guidelines, practices, you name it, on how to manage a security program. It talks about developing and documenting security processes and things of that nature. A standard, on the other hand, is usually published; it's a very prescriptive specification. It can be technical in nature, and it gives you the precise criteria to do something, and it's designed to be more like a rule or guideline to have a bit of consistency. And lastly, certification is, as you point out, exactly what it means: you are typically certified via an audit, or some sort of third party coming in and assessing whether you match certain criteria or meet certain criteria, and you're issued a certification. Really where it gets complicated is that NIST and ISO produce standards that integrate frameworks, while SOC and HITRUST are certifications, and HITRUST can also be a framework. So it makes sense that they're sort of used interchangeably, but at least in the industry, that's the distinction between the three of them.

Speaker 2:

I live in these frameworks every day, and the more I do, the more I appreciate and value 405(d), because it talks about small, medium and large organizations and specifically what it's looking for. So, related to security certification, can you talk a little bit about the diligence process performed by covered entities or business associates or vendors?

Speaker 4:

Sure, I'd be happy to jump into that. And certainly we can talk more about the specifics of these standards and audits and frameworks, but in terms of the due diligence performed by covered entities and business associates, what I generally see is kind of a three-pronged approach. And I would say that this approach is not just for covered entities and business associates; it's also being used now not only for PHI but also for PII and other types of regulated information, GDPR information. So it's kind of expanding beyond healthcare. But first of all, there will be a security assessment, and typically that will be a questionnaire. That questionnaire varies considerably in the amount of detail. I have seen security questionnaires that have been given to a vendor as part of the due diligence process that actually include a question on each of the NIST standards and controls, specifically aligned with NIST 800-53, for example, and it's many, many pages. So you might be asked for a profile of your organization, a description of the data you have, and you actually might be asked to go through this very lengthy questionnaire and answer questions from the contracting organization. That's one component. A second component is that organizations may want you to conduct penetration testing, for example with a third-party provider, on an annual basis, and may ask to receive the results of that. And the third part of the diligence is that typically organizations may also request that you provide an audit or certification of your compliance with whatever the regulatory requirements are, be it HIPAA, be it the PCI DSS standards for credit card data, or whatever it may be. So they may request audits on an annual basis, a biannual basis, or whatever it may be.
And I think that what I'm seeing, anyway, is that because of the length of these questionnaires, organizations are really trying to move toward using certifications or assessment reports that are generated by their audits to address regulatory compliance.

Speaker 5:

Different organizations have different ways of approaching it. Some like to be very across the board on how they ask for and respond to security assessments and questionnaires, while others take a more ad hoc, as-needed approach. Some have elaborate teams built out; others use online portals or tools for this. There's no one model that's consistent; it's usually organization dependent, based on the needs of the organization.

Speaker 3:

Yeah. And the other thing that I would add is that, especially in the customer-vendor context, you sometimes have situations where the entity that is conducting the diligence, so oftentimes the customer, is going to ask for a copy of the vendor organization's report or risk assessment. And the battle then becomes that the vendor doesn't want to share a copy of the whole report, and then they're kind of at an impasse. So one of the things that we oftentimes see is an approach where the vendor will agree to provide some sort of executive summary or more distilled overview of the results of the assessment, and perhaps a contractual commitment to remedy certain deficiencies or other issues that were identified in the report, with a timeline and milestones for that. But that's just, in my experience, been another area where you see a lot of back and forth between the parties.

Speaker 4:

That's very true. And obviously, in many cases, those questionnaires are shared only under a nondisclosure agreement. As you noted, Jiayan, there are considerable discussions about how much information will be shared. Sometimes customers will ask to do their own penetration testing and so forth, which is generally something that covered entities or business associates reject. And these requirements are typically also included in contract terms with regard to data, which is also something that the organizations will negotiate.

Speaker 5:

I might add that sometimes the type of assessment could also be dependent on the technology at hand. While some may lend themselves well to penetration testing or having a more in-depth investigation, for other types of technologies or industries, allowing that, or allowing numerous entities to do penetration testing, take tours of data centers, you name it, could in and of itself be a security issue. So again, it is always dependent on the organization itself.

Speaker 2:

Yeah. We've come a long way from just relying on a business associate agreement. We're doing audits to this depth, right? It seems to be an ever-changing process. So with all of the common frameworks that are available, and different focus domains, you know, we have FDA, digital health, payers and providers and business associates. What are the most common frameworks that these industries choose?

Speaker 5:

There is a HIMSS survey from a couple of years ago that showed what's used predominantly within the healthcare industry: about 57% or 60% used NIST, about 26% used HITRUST, 18% used ISO, and really 16% used no framework whatsoever and had their own way of approaching it. So there's no clear delineation by type of entity and the type of certification or framework that they would use. But a lot of times it's dependent on the costs associated with certain certifications. For example, NIST is free, or it's a publicly available framework, which is probably why a lot of organizations, particularly smaller organizations, elect that. Some organizations that want a bit more robust structure might use HITRUST, because it incorporates some of the NIST standards, the ISO 27001 standard; it builds on the HIPAA Security Rule. So it's a bit more comprehensive. But it just depends on the needs of the organization. And we are really, for this discussion, focusing on information security and data protection, but beyond that there are different frameworks and different standards that exist in the healthcare industry as a whole. You could have the FHIR standard as an example, which is a standard developed by standards development organizations. The FDA, in various guidance documents relating to premarket or postmarket management of cybersecurity, talks about how manufacturers have to develop a set of traceable cybersecurity controls. The FDA also publishes a list of recognized consensus standards. So there's a big world of standards and frameworks out there for organizations to consider.

Speaker 2:

Leeann, anything you want to add?

Speaker 4:

Yeah, I would like to just add that I think also in the life sciences industry you'll see the ISO standards are often the standard that's followed, for example, for a medical device company. It also is often the case that, depending on the nature of the company, they may actually have to comply with several different standards. So let's say we take a medical device manufacturer: they may follow the ISO standards and will present documentation of that to the FDA. If they're a business associate of certain covered entities, they're going to want to have a HIPAA compliance profile, so they're going to use the NIST standards, for example. And with regard to HITRUST, HITRUST is a private nonprofit organization, and it uses a Common Security Framework, and this Common Security Framework was designed to align with NIST, with HIPAA and HITECH, with PCI DSS, with ISO, and, as you noted, GDPR, for example. It is proprietary, and there certainly is a cost associated with using this framework. But it does a couple of different things. It provides different levels of assessment for the organization. It also provides the ability to generate reports that relate to these different sets of standards with kind of the same input and the same policies. With HITRUST, there's an assessment that's a self-attestation, and there's a validated assessment, which is conducted by third parties. I understand that HITRUST is also working with the American Institute of Certified Public Accountants to support SOC 2 reporting based on this Common Security Framework. But all of these things, including a SOC 2 audit, map to multiple standards.
So they all map to NIST and ISO. And so really, in part, it's a question of what works for the organization and what they are required to do from a regulatory standpoint, and then what is the most efficient for the organization to do with regard to demonstrating compliance with these standards. I noted regulatory, but there are also regulatory and contract requirements. So what are they required to do, and what's most efficient for their organization with regard to demonstrating compliance with various standards?

Speaker 3:

Yeah, I think again you raise a great point about the mapping, which is certainly helpful to the organizations and companies themselves, because, as perhaps a younger company just starting to build out their cybersecurity program, they can compare and contrast and see common threads, and what, for example, going through HITRUST would get them as compared to just doing a SOC 2 audit or following the NIST Cybersecurity Framework. And they can hopefully make a more informed decision as to how to go about building that cybersecurity program. And I think it's also helpful insofar as, if they have followed one particular framework or set of standards, those mappings also help them understand how not to start from scratch if they do decide to implement a different framework in the future.

Speaker 4:

Right. And there's a lot of overlap between, like, ISO and NIST. There really is considerable overlap. So organizations can customize the additional policies they require, the additional procedures and so forth, to the extent applicable. And I also believe that you can obtain a SOC 2 audit and focus it on NIST standards or ISO standards as you need or desire, which will then of course indicate your compliance, because the audit, unlike the frameworks, is really an assessment of how effectively you have implemented these controls.

Speaker 2:

That's a great point. And it's a challenge that we face on a regular basis. It's kind of interesting in some cases with my customers: we may have one data set about the status of security controls, and from that one data set I've got one report going out for regulatory compliance purposes, another report going to a private equity partner that's focused on NIST, another report going to a different private equity partner focused on a different standard, another report going out to a customer for their expectations, and even maybe one going to the insurer, now that it's a cybersecurity insurance policyholder. So it's really becoming quite a spaghetti of mappings across the frameworks. With that, as we know, the NIST Cybersecurity Framework is aligned for all critical infrastructure. 405(d), referenced in H.R. 7898, is part of the Cybersecurity Act of 2015, and it's specific to the healthcare industry. One of the things it does is establish accepted and necessary practices for small, medium and large organizations. I see that often my clients are looking at that; they're trying to understand what that means. It's so new. Can you provide any input on how organizations might discern that 405(d) might be an acceptable target framework for baseline controls?

Speaker 3:

Yeah, I'm happy to start with that, and Leeann and Ty, please feel free to chime in. As you noted, Adam, one of the key distinguishing features of the 405(d) approach is that it is health industry specific, right? It was developed with the input of so many stakeholders in healthcare and health IT and public health. And when you take a look at the materials that were developed pursuant to 405(d), my impression is that it is designed to be sort of digestible and usable, and it's user friendly and perhaps a little bit less technical, I would say, than the NIST Cybersecurity Framework, which is not health specific, although, as Leeann noted, it is adopted quite frequently by healthcare organizations. I do think it's very useful that the 405(d) approaches do come in different flavors for small, medium and large organizations. In some regard that is similar to the Cybersecurity Framework, which does have this notion of implementation tiers and profiles, so you can, again, situate yourself within those frameworks and figure out where am I currently, and where would I need to go to achieve a certain level of compliance with those frameworks. So I think, as you're assessing, for example, whether to go with 405(d) or the Cybersecurity Framework, I would recommend just starting by looking at the two, seeing what is manageable, and evaluating whether a certain kind of framework is going to resonate more with the kinds of customers or other third parties that you're going to be working with.
And finally, one thing to note is that the NIST Cybersecurity Framework is in some ways going to resonate more with entities that are maintaining, for example, data from the federal government, if they have federal contracts or awards. That might be another reason why they would want to go with the NIST framework instead.

Speaker 2:

Well, thanks, Jiayan. That's very helpful, especially when you're talking about interacting with federal government entities or supporting those, and helping to align your focus toward more of the NIST standards. As part of when we look at H.R. 7898, part of the language that I believe it contained was about framework adoption, right, and what framework adoption means. And I know this has been discussed on other AHLA podcasts as well. But more and more each day, regulators, insurers and customers are asking, what does it mean to adopt a framework? A lot of times I see customers try to define a program charter that is aligned to a specific framework. They may establish a security oversight committee that provides guidance related to their compliance with that. They may try to measure the current state of where they're at and define that target profile or target state. They may develop strategic roadmaps that are multi-year, again defined toward a specific framework. And they do all this to try to comply with framework adoption. Does anybody have any thoughts on what framework adoption might mean and how organizations can show that they're pursuing adoption of the framework?

Speaker 4:

I'll start out with this, and then maybe Ty or Jiayan can add on. When I look at framework adoption, this is adoption of an approach. If you look at NIST, for example, it has a security framework, I believe, and it also has standards that are established in publications like 800-53, which set out the specific controls. So a framework is what the organization is going to align with and how it's going to approach its security and information technology assessment and system. That's maybe the guiding framework, but then when you're talking about implementing that framework, you are going to have to implement by means of controls. And those controls are going to have to be referenced in policies, and those policies are going to be looked at when, for example, an organization is audited, and when I say audited, I mean audited by a regulatory entity. So what I've advised for clients who are going to potentially be facing OCR audits someday, or maybe as they implement a framework and their policies, is that those policies should reference the specific controls and the framework that they have adopted. So their policies should not just be general IT security policies, but if they're implementing a NIST, or a NIST and ISO, framework, those policies should reference the specific controls. And that, I think, demonstrates implementation. Obviously the policies and procedures, I mean the procedures that implement those policies, are a further demonstration.
I think that, you know, another way to look at it, and I look at it kind of from the back end, when an organization is getting audited, even as a, as an attorney, more than on the front end, where, you know, an it consultant might look at this for example, but even if you have, you know, a, a single set policies, I often think it's useful if you're going to going through an audit from the office civil rights, to be able to generate a set of policies. That's organized according to the HIPAA security framework or the N guidelines. And likewise, if you're being audited under a different framework, that you're able to generate the policies in a structure that aligns with that framework. So I think those are just a couple of the, the ways that you can show that you are implement, have implemented these frameworks and they're controls and the associated controls, and that you're aligned to them. But I welcome tired. Diane, if you have some other thoughts

Speaker 3:

<laugh> I think you kind of set us up really well for a lawyer joke with your comment about presenting all the policies in a way that maps closely to regulatory standards. We like everything neatly presented on a platter, right? And I know regulators certainly do. I totally agree that it's certainly to the advantage of the organization to have those internal maps and inventories that really clearly and distinctly show how their various policies and procedures align with the frameworks or the standards that they had purportedly implemented. There's nothing else that really quickly checks the box there, in the context of a regulatory audit, or even not an audit but an assessment by a third party, like a customer or a collaborator.

Speaker 4:

Right, the one thing you don't want is questions. And you also know that the person who's looking at it, if you're talking about an audit by the Office for Civil Rights, for example, is not necessarily an IT professional or an auditor of the type that you would find in a SOC 2 audit, who is very familiar with all the privacy and risk frameworks. So, at any rate, you certainly want to minimize any questions and be very clear with respect to the implementation of the applicable standards, always looking to the regulator.

Speaker 2:

Okay. Lots of good discussion here. I thought the article was well written and covered a wide variety of frameworks and certification practices. For those of us that are in the weeds implementing, we're always looking for as much guidance as we can get. Is there anything else anybody would like to add before we close out?

Speaker 3:

No. Thanks for leading a great discussion, Adam.

Speaker 5:

Thank you so much for having us. It was a very, very good discussion.

Speaker 2:

Thank you, Leeann and Ty. It was a great discussion. We appreciate your contributions to the article and to the realm of security standards and certifications. To the audience, thank you for joining. We've enjoyed putting this together for your use. We wish you the best in your cybersecurity standards and certification journeys. Thank you, and good day.

Speaker 1:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.