General security

Interview: Bob Chaput, CEO of Clearwater Compliance

May 1, 2015 by Infosec

Today’s interview will be with Bob Chaput, a nationally recognized expert within the healthcare data security and protection sector. He’s also the Founder and CEO of Clearwater Compliance, helping healthcare organizations and their service providers address risk management issues including HIPAA-HITECH compliance and security requirements.

Let’s begin with this… You have a lot of acronyms listed after your name: CISSP, HCISPP, CRISC and CIPP/US. Our readers come from a variety of different backgrounds. Can you briefly tell us what each of those acronyms represents?

In general, they represent a continuing effort to stay abreast of and build expertise in privacy, security, compliance and information risk management matters. All certifications require ongoing, continuing education that serves as a great forcing function to stay in touch with the very latest.
  • CISSP = Certified Information Systems Security Professional
  • HCISPP = Health Care Information Security and Privacy Practitioner
  • CRISC = Certified in Risk and Information Security Controls
  • CIPP = Certified Information Privacy Professional

From your perspective, what was the value of obtaining those certifications?

I’m an inveterate learner. Coupled with my passion to make a difference in the Wild, Wild West of safeguarding information assets, these certifications afford me the latest, most up-to-date exposure to the ever-changing threat, vulnerability and controls landscape.

Your company deals a lot with HIPAA compliance, and risk analysis. What is HIPAA, and why is it so important?

HIPAA translates into different requirements for different organizations. HIPAA stands for Health Insurance Portability and Accountability Act, which was originally known as the Kassebaum-Kennedy Act. It was passed into Federal Statute in 1996 with two primary missions: 1) correct an injustice related to the inability to immediately move from one group health insurance plan to another (Portability); and, 2) to simplify and automate the handling of administrative health care data such as enrollment information, eligibility information, claims data, payment information, etc. (Accountability). Under the second objective, in the Title called Administrative Simplification, the Transactions and Code Sets Rule called for automation and the use of electronic document interchange (EDI), among other changes. Congress recognized that as more and more data went online, the risks to the privacy and security of this data would increase. Contemplation of these risks effectively spawned the drafting and ultimate publication of the HIPAA Privacy and Security Rules in 2000 and 2003, respectively, in the Federal Register. It is in the area of Privacy and Security and the new Breach Notification Regulation where we do much of our work.

What does HIPAA HITECH refer to?

HIPAA and HITECH are often juxtaposed together to represent the fact that The Health Information Technology for Economic and Clinical Health (HITECH) Act in many respects can be described as delivering a bundle of carrots (Electronic Health Records incentive program) and a bundle of sticks (more teeth in HIPAA). The latter drove some fundamental changes to the original HIPAA privacy and security regulations including, but not limited to: 1) significantly greater enforcement; 2) orders of magnitude higher civil monetary penalties for non-compliance; and, 3) millions more organizations becoming statutorily obligated to comply.

For an IT professional who might be interested in specifically learning about security and audit issues related to HIPAA, what would you suggest?

Of course, the smartest thing they can do is to attend our educational events, many of which are complimentary! Beyond that, I would encourage them to seek HIPAA training, which results in certifications from a reputable organization or association.

HIPAA was passed nearly 10 years ago, and companies have been increasingly investing resources to become HIPAA compliant, yet we regularly hear stories in the news of data breaches involving healthcare-related companies. Why do you think that is? Can a company be HIPAA (or HIPAA HITECH) compliant and at the same time experience major security risks?

Compliance and Security are two completely different matters. An organization can be highly compliant with any privacy or security regulation, yet only “Swiss-cheese” secure. Both compliance and security are required, yet they are two entirely different matters. A critical first step for any organization is to take stock of where they are today. For an assessment of compliance, we strongly recommend a rigorous audit against the regulations themselves. For an assessment of one’s security posture, we strongly recommend a bona fide, comprehensive risk analysis. I emphasize bona fide because there are lots of charlatans in the marketplace peddling risk analysis snake oil. Both compliance gap audits and risk analyses (and risk management) are explicit requirements in the HIPAA Security Rule.

So, what’s the takeaway for a corporate CISO?

First and foremost, recognize and convince your management team that the matter of safeguarding any sensitive information is not an “IT problem”, not a “compliance problem” and certainly not a “CISO problem”. The matter at hand is an increasingly more serious business risk management issue in which Boards and C-Suites must be engaged.

Second, recognize that even if you are not specifically working in the healthcare industry, you may be a Business Associate serving so-called HIPAA Covered Entities, in which case you have regulatory requirements. AND, even if you are not a Covered Entity or a Business Associate, you may have a self-funded Group Health Plan (GHP) administered by a third party. That GHP is a HIPAA Covered Entity, by definition.

Finally, recognize and embrace the reality that an organization’s risk posture is constantly changing. This matter of privacy, security and compliance translates into a critical business requirement to establish, implement and mature your overall information risk management program. It’s a journey; not a destination.

How do you stay up to date on the latest issues related to IT security?

I speak at a lot of conferences; that forces me to stay fresh and abreast. I attend industry conferences and read prolifically.

For a seasoned IT security professional who wants to continue to remain knowledgeable, with up-to-date skills, what advice would you offer?

Without a doubt all of the above! Attend local chapter events of organizations like ISC2, ISACA, IAPP and/or ISSA.
