3 Ways to Go Beyond HIPAA Compliance
- May 09, 2016
- Guest Author
Compliance isn’t enough for healthcare organizations. For years, we have equated compliance with effective vulnerability risk management. This is simply not the case. Recent highly publicized data breaches in major hospitals show that minimum compliance is not effective when protecting your data. In fact, it’s not just major healthcare organizations that get attacked: virtually all hospitals have been victims of a cyber attack (commonly ransomware) at some point, to varying degrees.
Each organization is different. Their needs and resources vary. Many compliance frameworks use a one-size-fits-all approach. This may be ideal for organizations that have the appropriate resources and experience to customize their programs to fulfill or exceed the compliance requirements.
However, less mature organizations struggle to meet basic compliance requirements because they don’t have the experience or resources to do much more than try to appease the auditors.
This isn’t a knock on these organizations. Information security resources are hard to find, expensive, and constantly moving around. This makes it difficult for small IT organizations to hire and retain staff that is capable of properly interpreting and implementing a right-sized information security program.
The key is implementing a vulnerability risk management program that suits the needs and resources of each healthcare organization, and the result will be compliance with regulatory requirements.
Realistically, an effective information security program is built incrementally over time. Some organizations take multiple quarters or even years to properly implement a robust program.
This is in direct conflict with regulatory compliance demands in the sense that compliance programs are intended to cover all aspects of an information security program from day one. This creates an incentive for decision makers to get the compliance “check mark” by minimally implementing all of the controls required to get a clean audit. This is often done without ensuring they are fully effective. These leaders are often measured on how well they do in an audit, not how well they are protecting the organization.
Organizations must resist the temptation to pursue the compliance “check mark.” It is important to implement policies, standards, processes, and controls that are geared toward reducing risk and protecting the organization’s data. This can be accomplished through pragmatic implementation strategies and strong communication with auditors regarding their program maturity and progress.
Regardless of how effective and robust your vulnerability risk management program is, there is still the human factor that one needs to account for. Social engineering techniques, such as spear phishing, are still the most common point of entry into organizations’ networks. With the recent outbreak of ransomware attacks, we see just how vulnerable organizations are to the mistakes of well-intentioned employees.
Compliance frameworks all require information security awareness training for employees. Many organizations train employees during on-boarding and once a year, simply to fulfill compliance requirements. With the high success rate of attacks against people, organizations must go beyond the minimal compliance requirements in order to properly protect the organization. In the case of the organization’s people, there must be constant training through multiple methods of outreach. This will not only fulfill compliance requirements, it will ensure that employees have a strong understanding of the risks they face and their role in protecting the organization.
Compliance frameworks and regulatory controls have merit. However, simply meeting compliance requirements leaves organizations at risk. Frameworks must be customized to the organization implementing the information security program. Organization leaders must take a pragmatic approach to implementing their information security program. And organizations must recognize the most prevalent risks and address them beyond the minimally required level.
To learn how you can improve your vulnerability risk management system, check out our white paper: A New Approach to Security & Compliance for Healthcare.