Managing HIPAA Risk with Duty of Care Risk Analysis (DoCRA)

A brief Q&A synopsis from Health Care Law Today podcast featuring Foley Partner Jen Rathburn interviewing Terry Kurzynski, founder of HALOCK Security Labs. Jen has been practicing for almost 20 years in data privacy and security. Terry has over 25 years of experience in the cybersecurity arena and also serves as a board member on the DoCRA Council. The full podcast can be found here.

What is Duty of Risk Analysis (DoCRA)?
DoCRA provides principles and practices for analyzing risks that addresses the interests of all parties potentially affected by those risks. It balances an organization’s mission, objectives, and obligations to help manage risk and develop reasonable safeguards. The DoCRA Standard has been incorporated into the Center for Internet Security Risk Assessment Method, CIS RAM, and has prevailed with judges and regulators.

How did this method develop?
The Office of Management and Budget (OMB) interprets Executive Order 12866 as risk assessment being required in all federal regulations. We noticed immediately that HIPAA Security Rule requires a risk assessment as well. During my time doing litigation support, it became very clear judges were concerned more about risk, the hand rule, and negligence. It was a poignant measure to consider.

So this is why judges ask about duty of care? When it comes to data breaches, the idea of negligence comes into play – was a threat foreseeable? The harm? What was the extent of harm and the burden of a control if you have been able to reduce a risk to an acceptable level? Has the business practiced their duty of care for all who could be impacted? This is a new dynamic information security professionals must face. In litigation, we discovered a disconnect between all parties. The industry needed a way to connect all interested parties through a risk assessment. 

What the judge wants to know is, why didn’t you have that particular control in place. Duty of Care Risk Analysis, is necessary to show that you analyzed the risk, you prioritized the risk. This one was even on your list, but it was deemed low probability or low impact compared to these other things that you had made and are continuing to make investments in.

Why do professionals benefit from DoCRA?
It provides a method to gain consensus of risk management from all key parties in an organization – Board of Directors, C-Suite, IT team. DoCRA also helps support asset and budget priorities and investment when all parties are on the same page. Plus, it enables businesses, regulators, and litigators to speak the same language and understand impact. It has become a defensible resource within a security program.

Where can I get more information on DoCRA and how to conduct a HIPAA Risk Assessment?
Visit the DoCRA Council or The Duty of Care Risk Assessment Standard.

HALOCK is a U.S.-based information security consulting firm that is privately owned and operated out of its headquarters in Schaumburg, IL. From mid-sized to the Fortune 100, HALOCK’s clients span a variety of industries including financial services, health care, legal, education, energy, SaaS/cloud, enterprise retail and many others. HALOCK strives to be your information security consulting company and your security partner, providing both strategic and technical security offerings. HALOCK combines strong leadership, diagnostic capabilities and deep technical expertise with a proven ability to get things done. HALOCK helps clients prioritize and optimize their security investments by applying just the right amount of security to protect critical business assets while satisfying compliance requirements, social responsibility, and corporate goals.

As principal authors of CIS Risk Assessment Method (RAM) and board members of The Duty of Care Risk Analysis (DoCRA) Council, HALOCK offers the unique insight to help organizations define their acceptable level of risk and establish “duty of care” for cybersecurity. Through this risk assessment method, businesses can evaluate cyber risk that is clear to legal authorities, regulators, executives, lay people, and security practitioners.