Compliance Does Not Equal Security
The health care industry is one of the most highly regulated in the country. It seems like a new rule or regulation pops up every month or so. The only thing we see in the news more often than a health care regulation is a health care data breach. This prompts the question: If health care organizations are fully compliant, why are breaches so common?
Many organizations utilize compliance-based security. Following the guidelines for multiple regulations can easily give the illusion of security. They guidelines may help reduce risk, but they do not provide sufficient protection from targeted attacks.
Manual Processes Are Time Consuming
The problem that a lot of health care organizations face is having a huge gap between their controls and policies. This is largely due to manual processes using Excel, Word, Sharepoint, or notebooks to manage compliance. Policies are not updated easily or often enough. Often times, policies are only accessible for certain members of the organization, which can drastically slow down the policy update process.
If a new regulation comes out, the organization then has to draft the policy, approve it, and alert its staff of the new or updated policy, which may also include training. This could mean several documents or spreadsheets being passed through the multiple steps of a policy workflow. For most companies, this would prove to be much too time consuming. Replacing manual processes with a GRC solution such as Keylight, can streamline the program, allowing you to become compliant much more quickly.
Controls Are Not Enough
Another issue a lot of organizations face is relying on controls for their security. Regulatory controls are a minimum standard that companies have to meet to be compliant. All too often, we see department heads simply marking off requirements on a compliance checklist instead of being proactive.
“By simply trying to keep up with individual compliance requirements, organizations become rule followers, rather than risk leaders,” John A. Wheeler of Gartner told infosecurity magazine. “CIOs must stop being rule followers who allow compliance to dominate business decision making and become risk leaders who proactively address the most severe threats to their enterprises.”
The other major issue with relying on controls is that they only cover current published regulations, instead of handling risks in real time. A threat could manifest within your organization and cause a breach before the regulatory standards catch up, making them more reactive than proactive. Instead of focusing solely on controls, it’s important to know where your data lives and how it comes and goes. In order for a security program to be effective, it must be based on a framework that is based on the risks specific to the organization and flexible enough to adjust to the company’s growing needs.
Take a Risk-Based Approach
The best way to ensure a successful security program is to treat compliance as an individual risk within the risk management program. This makes compliance a piece of the security puzzle as opposed to a replacement for security altogether. Conduct risk assessments, then use that data to prioritize your risks based on severity and probability, and prioritize your assets based on risks. It may sound daunting, but all it really means is that leadership will now be looking at their departments in terms of what is an acceptable risk level instead of simply checking requirements off a list.
Selecting the right tool can make this switch much less of a headache. LockPath’s Keylight Solution helps organizations of all sizes comply with multiple regulations. From risk assessments to breach response plans, it manages and links all data, making reporting a much simpler task. Keylight also acts as a central repository, making policies, remediation/mitigation plans, and other documents easy to view, update, and share.
Learn about how HIPAA Compliance plays a role in protecting against cybercriminals.
Learn about Principled Performance: Why should your company pursue it?
Read about the GAO’s report on CRA oversight