Seat belt laws can’t guarantee you won’t get hurt in a car accident, even if you comply. Neither can a driver’s license in good standing with the DMV. Likewise, compliance with HIPAA, Meaningful Use and other federal regulations can’t ensure the patient data under your care is secure.
Take Target, for example. The retail giant made the news in December 2013 for a major breach that exposed credit card numbers, expiration dates and security codes for 40 million customers, along with other personal information for up to 70 million people. Target had passed its Payment Card Industry (PCI) compliance audit just a couple of months before the breach. For security practitioners, the Target breach is the standard illustration that compliance does not guarantee security, not even close.
So what’s the difference?
Below is a snapshot of how compliance and security stack up:
Don’t hospitals have both compliance and security covered? Actually, no. Having performed more than 20,000 risk assessments on medical devices containing patient data, we’ve witnessed countless security and compliance oversights with real potential to disrupt a provider’s operations, finances and delivery of care. That shouldn’t come as a surprise: according to the U.S. Department of Health and Human Services, reported HIPAA breaches affecting 500 or more individuals are up 138 percent since 2012.
So where’s the disconnect?
There’s much to say here, but let’s start with the misperception that security beyond basic compliance is a luxury rather than a need. You’ll be hard pressed to find anyone who openly admits to that mindset, but you’ll find evidence of it in the form of insufficient security resources or a slew of higher-priority initiatives.
Perhaps the main reason is invisibility: when security works well, nothing bad happens, which is exactly the outcome you want. But because nothing happens, security comes to be viewed as a needless expense. Until, of course, something does happen, as it did for Target.
So where to start?
What does it look like to go from implementing only the minimum deterrence elements needed to check off compliance requirements, to being adequately secure? Below are characteristics of effective, risk-based security:
Wherever you are in the security spectrum, there are only three possible ways you can respond to risk:
As you examine your current attitude and efforts, which security approach best describes yours?
We understand you have challenges — lots of them. Common obstacles include limited resources, both financial and human; a lack of knowledge about where to start and what level of security is appropriate; and a false sense of security that may come with compliance.
You’ll be ahead of the curve just by realizing that following the letter of the law alone will not make you secure. Compliance and security can be achieved together by continually assessing threats and vulnerabilities and implementing practices that reduce or eliminate the resulting risk.
© 2018, TechNation Magazine.