Because of the complexity and ambiguity of GDPR, it’s difficult for organizations to determine which requirements are absolute and which are conditional. These requirements can have a significant impact on budget, leadership, policies, and the project plan for compliance. In this webinar, KirkpatrickPrice’s Director of Regulatory Compliance, Mark Hinely, leads a discussion on mandatory versus conditional requirements, provides in-depth examples of conditional requirements, and explains the implications of treating conditional requirements as absolute.

What are GDPR’s Mandatory Requirements?

Under GDPR, there are requirements that organizations must comply with, regardless of size, the type of information they process, or where they are processing the data from. In other words, these requirements have no conditional clauses that would alter their applicability. Examples of GDPR’s absolute requirements include the following:

  • Legal basis for processing
  • Transparency
  • Security safeguards
  • Organizational and technical controls
  • Facilitating data subject rights
  • Controller-processor standards
  • International transfer mechanism

What are GDPR’s Conditional Requirements?

Contrary to GDPR’s mandatory requirements, there are conditional requirements whose applicability to organizations varies based on a number of factors. Examples of such conditional requirements include the following:

Records of processing: According to Article 30, processors and controllers must document specified content related to GDPR activities, unless:

  • An organization employs fewer than 250 people; and
  • Processing is occasional; or
  • Processing could not result in a risk to data subjects; or
  • Processing does not involve special categories of data or criminal convictions

Designated representative: According to Article 27, when organizations not established in the EU process personal data, those organizations must designate a representative in the EU, unless:

  • Processing is occasional;
  • Processing does not include large scale use of special categories/criminal convictions; and
  • Processing is unlikely to result in a risk to the rights and freedoms of data subjects

Data Protection Officer: According to Article 37, controllers and processors must designate a Data Protection Officer when:

  • Processing is carried out by a public authority or body;
  • The core activities require regular and systematic monitoring of data subjects on a large scale; or
  • The core activities consist of processing on a large scale

Data Protection Impact Assessment: According to Article 35(1) and 35(3), a controller must conduct a Data Protection Impact Assessment if they are:

  • Processing data that is likely to result in a high risk to the rights and freedoms of data subjects;
  • Systematically and extensively evaluating people based on automated processing, including profiling, where this leads to decisions that have a legal or similar effect;
  • Processing special categories of data or criminal convictions on a large scale; or
  • Systematically monitoring a publicly accessible area on a large scale

To learn more about each of these conditional requirements, download the full webinar now. For more information about how KirkpatrickPrice can assist you on your journey toward GDPR compliance, contact us today.

How to Prepare for a HITRUST CSF Assessment

If you’re managing healthcare data, it’s critical from a business and reputational standpoint to protect yourself from risk and maintain a strong relationship with your clients who are also trying to mitigate their risks. HITRUST certification is a great way to ensure this is happening.

The HITRUST Common Security Framework, or CSF, is a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. The framework was developed to provide a solution to increasing regulatory scrutiny, increasing risk and liability associated with data breaches, inconsistent implementation of minimum controls, and the rapidly changing business, technology, and regulatory environment. It is a healthcare industry standard that was built from what works within other standards and authoritative sources, like ISO 27001/27002, HIPAA, PCI DSS, and NIST 800-53, just to name a few. It was also built on risk management principles and aligns with existing, relevant controls and requirements. It’s scalable depending on organizational, system, and regulatory factors.

As a HITRUST Authorized CSF Assessor, we recommend following six steps to prepare for a HITRUST CSF assessment.

The first step is to form relationships with HITRUST and the assessor. If you’re pursuing a Validated Assessment or working towards achieving certification, you must first develop a relationship with HITRUST directly. You also must develop a relationship with an assessor firm, such as KirkpatrickPrice. The assessor firm must be approved by HITRUST. This three-way relationship will be a key component of your HITRUST CSF compliance journey.

Once you’ve formed relationships with HITRUST and the assessor, you’ll need to educate yourself on the CSF and the assessment process. The HITRUST CSF is a security and privacy framework that is the foundation of all HITRUST programs. It leverages federal and state regulations, industry standards and frameworks, and a focus on risk management to create a comprehensive standard. The framework has applicability not only in the healthcare industry, but also in financial services, travel and hospitality, media and entertainment, telecommunications, and start-ups. HITRUST reports that, because of its continued efforts to improve and update the framework, the HITRUST CSF is the most widely adopted security framework in the US healthcare industry.

Has your organization been asked to demonstrate HITRUST compliance? Are you unsure where you need to start? We’re here to help! Contact us today to learn more about our HITRUST assessment process and how we can assist you on your journey toward HITRUST certification.

What would it feel like to show up to work and discover your organization has been hit by a malware attack? Servers, phones, email, backups – they’re all down. You must put business continuity training into action, contact your clients, contact your vendors, control the news cycle, and calm the nerves of your team. Becoming a victim of a malware attack is most executives’ cybersecurity nightmare, and one that became a reality for Nuance Communications.

NotPetya and Nuance: What Happened?

In June 2017, the world experienced the destruction of NotPetya. Both the United States and the United Kingdom attributed this destructive malware attack to the Russian military; it was specifically targeted at Ukraine but spread worldwide. The White House stated, “It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict.” The same day, the UK’s Foreign Office Minister said, “The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organizations across Europe costing hundreds of millions of pounds.”

Nuance Communications, a computer software technology corporation, fell victim to NotPetya but has been able to overcome the 5 weeks of recovery and $98 million loss. In their 10-Q filing with the SEC, Nuance explained how the NotPetya attack compromised systems used by their healthcare customers, specifically with transcription services and their imaging division. The financial hit was massive. Nuance stated, “For fiscal year 2017, we estimate that we lost approximately $68.0 million in revenues, primarily in our Healthcare segment, due to the service disruption and the reserves we established for customer refund credits. Additionally, we incurred incremental costs of approximately $24.0 million for fiscal year 2017 as a result of our remediation and restoration efforts, as well as incremental amortization expenses. Although the direct effects of the Malware Incident were remediated during fiscal year 2017, the Malware Incident had a continued effect on our results of operations in the first quarter of fiscal year 2018 and our outlook for the remainder of fiscal year 2018 and beyond reflects both the residual effects of the incident and the additional resources we will need to invest on an ongoing basis to continuously enhance information security.”

Lessons Learned from Nuance

Despite the financial hit, the publicity, and the mountain of recovery that Nuance had to climb, the organization has overcome the NotPetya attack. We see a few key areas to learn from Nuance’s mistakes and responses.

  • Vendor Compliance Management – NotPetya wasn’t targeting Nuance. Like so many other cybersecurity attacks, NotPetya’s attack vector was vendors. When one vendor is hit, any organization that they provide services to is susceptible. Nuance had a 15-year relationship with a Ukrainian vendor who fell victim to the malware attack. In A.P. Moller-Maersk’s case, the Danish shipping conglomerate reported that NotPetya was distributed to their organization through a Ukrainian accounting software called MeDoc. The consequences of NotPetya have once again proven that vendor compliance management is an absolutely integral part of any cybersecurity risk management program.
  • Business Continuity and Disaster Recovery Plans – Nuance quickly recognized how crucial effective, implemented Business Continuity and Disaster Recovery Plans are. When their servers and systems went down, employees were left with essentially no external communication and minimal internal communication – no email, no office phones, no access to information held in the cloud, and no physical security mechanisms. Before the NotPetya attack, I bet Nuance employees never imagined they would have to function without email or phones, let alone without the cloud. Business Continuity and Disaster Recovery plans can save your business when something as destructive as malware strikes.
  • Leadership Engagement – When the attack hit, Nuance executives and management immediately recognized that this was not just a security issue. Every member of the organization was impacted, but leadership’s involvement in recovery was essential. Leadership was needed to execute the Business Continuity and Disaster Recovery Plan, strategically weigh options, and keep the entire company calm and motivated.
  • Response – Sharing what happened in a transparent way was key to re-building trust with clients, and you can see this in their updates to healthcare customers. Fortunately, Nuance did have the advantage of being able to report that no PHI was compromised and that the attack was declared a security incident rather than a breach. Since the malware attack, Nuance has taken their recovery and corrective actions seriously. If money talks, then Nuance’s security spending speaks volumes: $35 million of their $100 million 2018 budget was dedicated to security.

How would a cybersecurity attack impact your organization’s mission? Nuance had to bear the fact that patients were negatively impacted by this attack. How would a cybersecurity attack personally impact your job? Think of how Nuance’s CTO and CIO felt when they were informed of the NotPetya attack. Then, think of how Nuance’s CEO, CFO, legal team, healthcare division, and marketing team felt knowing they would all play a role in the NotPetya recovery. If you want to develop a better Business Continuity plan, learn more about the types of cybersecurity attacks that threaten your organization, or need to implement a vendor compliance management program, KirkpatrickPrice wants to help. Contact us today.

Organizations are often overwhelmed by the technical terminology and the number of requirements in the HITRUST CSF. However, while the HITRUST CSF may be daunting at first glance, it is not like any other framework. Achieving HITRUST CSF certification goes beyond showing whether or not you’re doing something; it shows how well you’re doing it. To accomplish this, organizations are scored on how well they perform on each requirement statement. In this webinar, KirkpatrickPrice Lead Practitioner, Shannon Lane, discusses requirement statements, using the HITRUST CSF Maturity Model, and scoring.

What is the HITRUST CSF Maturity Model?

The HITRUST CSF Maturity Model is a scoring model based on the COBIT CMM and other similar models, and classifies organizations based on relative process maturity. With levels ranging from 1- to 5+, HITRUST’s goal is to elevate organizations from Level 2 to Level 3.

  • Level 1: A Level 1 organization is usually an early start-up type of organization that has informal processes. They have a weak definition of products and services and are the most agile because they have to do what it takes to get things done on the fly.
  • Level 2: Level 2 is the classification most organizations fall into. These organizations have well-defined products and services and their projects are controlled. These organizations know what they’re doing, but don’t know why. They react to situations instead of proactively planning for them.
  • Level 3: A Level 3 organization represents HITRUST’s goal for certification. At an organization that is a Level 3, everyone understands what they’re doing and how and why they’re doing it. This organization has moved from reacting to issues to proactively planning for them. At Level 3 maturity, an organization demonstrates the most effective combination of process workflow and agility.
  • Level 4: A Level 4 organization looks for the small stuff. They are less agile because they have all of their processes in place and are actively managing success.
  • Level 5: A Level 5 organization trades agility for process management and absolute control. In this level, management has a deep understanding of the organization’s processes and operations run smoothly. While a Level 5 is almost impossible to obtain, organizations should continue to find ways to improve their balance between process and agility.

How is the HITRUST CSF Maturity Model Used?

To put it simply: the HITRUST CSF Maturity Model is used to score each of the requirement statements included in an organization’s scope. On average during a HITRUST CSF assessment, an organization might be tested on anywhere from 290 to 600 requirements. Each requirement is tested based on the maturity level of 5 areas: policy, procedure, implementation, measurement, and management. Each of these areas receives a score from 1 through 5.

In order to achieve HITRUST CSF Certification, an organization must obtain a score of 3+, which is the equivalent of a 72 or higher. Because the weight of policies, procedures, and implementation is higher than that of measurement and management, an organization that receives a score of 5/5/5/0/0 will have obtained the desired 3+.

Becoming HITRUST CSF certified might seem daunting, but it doesn’t have to be. To learn more about how organizations can move from a Level 2 to a Level 3, how the HITRUST CSF Maturity Model is used, and how the HITRUST CSF is scored, watch the full webinar. Are you ready to embark on your HITRUST CSF certification journey? We want to help! Contact us today to speak to one of our HITRUST experts.

Fort Lauderdale, FL — Cannabis software firm BioTrackTHC, a wholly owned subsidiary of Helix TCS, Inc. (OTCQB: HLIX), is the first publicly traded seed-to-sale software company to complete a System and Organization Control 2 (SOC 2) Type I audit.  This independent audit of the company’s software system and organizational controls provides assurance that controls relevant to security and confidentiality are suitably designed in accordance with standards established by the American Institute of Certified Public Accountants.

“When a company or government municipality wants to outsource functions pertaining to operating, collecting, processing, transmitting, storing, organizing, maintaining, and disposing of information, they are often required to validate that the organization is meeting certain standards. BioTrackTHC can now provide that validation through the work of an independent and qualified auditor,” said David Terrell, Chief Technology Officer of BioTrackTHC. “SOC 2 is considered a technical audit, but it goes beyond that by requiring companies to establish and follow strict information security policies and procedures, encompassing the security, availability, processing integrity, confidentiality, and privacy of customer data.”

“In an industry that is under constant scrutiny, our government and commercial customers can find comfort and confidence knowing that our system design and our organizational controls are able to provide the level of data integrity and IT security that we have always strived for,” said Patrick Vo, President & CEO of BioTrackTHC. “Many opponents of cannabis look for opportunities to discredit our industry, so it is imperative that technology providers take steps such as these to validate our efforts.”

The recently issued report from KirkpatrickPrice, a licensed CPA firm, PCI QSA, and HITRUST CSF Assessor, opines that the controls stated in the description of BioTrackTHC’s system and organizational controls are suitably designed based on the criteria relevant to security and confidentiality.

BioTrackTHC partners with Amazon Web Services to provide government and commercial clients with world-class cloud hosted software solutions.

For more information or to schedule an interview, please contact Shawna McGregor, Grasslands, at 917-971-7852 or shawna@mygrasslands.com.

About BioTrackTHC

Bio-Tech Medical Software, Inc., through its BioTrackTHC division, develops and provides effective, cutting-edge technology solutions for the emerging medical and recreational cannabis industry. BioTrackTHC currently holds nine government contracts and operates across 32 states, Washington D.C., Puerto Rico, Australia, Canada and Jamaica. Bio-Tech Medical Software, Inc. is a wholly owned subsidiary of Helix TCS Inc. (OTCQB: HLIX). For more information, visit www.biotrack.com.  Follow us on Facebook, Twitter and LinkedIn. Sign up for the CannaPulse Newsletter for legislative changes, software updates and more.

About Helix TCS

Helix TCS, Inc. (OTCQB: HLIX) is a premier provider of integrated operating environment solutions for the legal cannabis industry.  Helix provides a proprietary software suite and partnership platform to the legal cannabis industry, helping clients manage inventory and supply costs and bespoke monitoring and transport solutions.  Helix provides clients in the legal cannabis industry high standard security operations, including transportation, armed and unarmed guarding, training, investigation, and special services.