HIT Think

Is Your Organization Ready for the Era of Cybercrime?


Cybercrime is on the rise, and the healthcare industry is the hot new target for increasingly sophisticated, intelligent hackers.

On the black markets of the Dark Web, stolen patient health records can fetch as much as $363 per record, according to data from the Ponemon Institute. That is more than any other piece of data from any other industry. This is because, unlike credit cards and other data, health records contain information that can’t be easily changed or deleted – Social Security numbers, birth dates and more.

As we see more high-profile attacks against healthcare organizations, our government is responding with increased regulation as a first defense. Compliance demands continue to grow, especially when it comes to protecting personal information. The pending Data Security and Breach Notification Act of 2015 would be the first federal rule requiring organizations to inform consumers that their personal information may have been compromised, and then to take reasonable steps to protect personal information they maintain in electronic form.

At the state level, 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches involving personally identifiable information.

In addition, at least 32 states have introduced or are considering security breach notification bills or resolutions. Many of the bills would amend existing security breach laws, expanding the definition of personal information in cases of a security breach, and requiring businesses or government entities to implement various security measures and report breaches to attorneys general or other agencies.

Despite this, many healthcare organizations still have not established a comprehensive program to manage these regulations. Although they may have plans to address the compliance requirements that obviously apply, such as HIPAA, all too often compliance efforts can be treated as a distraction from normal business operations and get sidetracked by competing priorities.

This is not only a recipe for disastrous complications, as data breaches against healthcare organizations continue to accelerate, but it also means that these organizations are missing the tremendous business benefits of implementing a program to deal with these risks.

To keep the compliance burden and associated costs from rising, the new role of the compliance professional is intended to address these demands in a comprehensive manner. By treating compliance holistically rather than as individual projects, organizations can achieve more efficient processes and oversight governance, decrease audit and compliance costs, and optimize budget and spending allocations.

Establishing a Regulatory Compliance Program

A regulatory compliance program requires some level of central coordination. It supports gathering controls and testing information, developing a common set of control objectives, and coordinating efforts to meet multiple regulations that may have been previously addressed by individual business units - or not addressed at all.

The compliance function may be perceived as being fully responsible for meeting myriad requirements. Although it should ensure requirements are met by the organization as a whole (meaning the buck stops with them), the responsibility for actually meeting these requirements should reside with whoever owns the people, processes and technologies to which regulatory and other controls are being applied.

Often, it is the information security official, business or IT process owner who is ultimately responsible for ensuring effective controls are in place, and for working to mitigate and manage reasonably anticipated risks. The compliance function can provide expert advice, assistance and regulatory interpretation, coordinate with auditors, track remediation and compliance status, and provide education and reporting.

However, the centralized compliance function should not accept responsibility for the controls and requirements themselves. This is a duty of the process owner.

Some healthcare organizations may not have a dedicated compliance professional, or the position may report deep within the hierarchy, and the person in that position may lack the authority to take steps to reduce compliance complexity and costs or bring compliance activities into alignment with business objectives. However, the compliance professional can take on more authority as organizations mature and see the benefits of adopting a centralized approach.

Typically, a new or updated regulation or other requirement (such as PCI compliance) is followed by new corporate and departmental policies and procedures. Eventually, these policy and procedure documents begin to overlap, resulting in redundancies such as a HIPAA policy and a separate PCI policy that address the same controls and requirements, increasing complexity and confusion. It is more practical to create one Access Control Policy or one Password Management Policy, for example, that meets both HIPAA and PCI requirements.

Some organizations still look at compliance as a check-the-box, document-and-audit exercise. However, more mature organizations realize that they need to take a risk-based approach as a way to focus their resources on areas with the highest risks.

After organizations make this transition, they can expect more demands on reporting for compliance and risk management. The same information that is used to manage compliance risk also reveals a great deal about information risk and vice versa.

As complexity and compliance costs mount, organizations should ask whether there is a better way to address the multitude of new regulations. They’ll find the answer is to first conduct an inventory of all regulations that do apply, and then conduct a gap assessment to determine compliance status.

No organization is immune to demands for greater transparency and scrutiny of information security controls and requirements. Centralizing compliance efforts can help build and maintain an effective compliance program since new requirements will arise, best practices will evolve, and new processes and technologies will emerge.

Brian Evans is a senior managing consultant with IBM Security Services.
