Is your Business Compliance-Savvy?
After decades of inadequate data protections, scores of regulations have been put in place to help protect the sensitive data businesses store. Industries, such as healthcare and financial services, are highly-regulated environments precisely because of the type of data they manage. Personal data is highly valuable to bad actors like hackers and other cybercriminals. We thought it would be a good time to talk about not mistakenly exposing this highly-coveted information to the wild.
Healthcare Data Compliance
Healthcare data is at the top of the risk list due to the sheer volume of data the healthcare industry generates. Moreover, due to the different types of healthcare organizations, without a unified regulatory organization to create policy, there is a greater risk of intrusions due to each organization enacting its security policy. Medical data is the most personal information an individual has and is one of the most-coveted data types cyberattackers seek.
The most well-known healthcare regulation in the United States is called the Health Insurance Portability and Accountability Act (HIPAA). Developed to keep personal health data and personally identifiable information (PII) secure, HIPAA regulation is the primary method healthcare organizations can use to maintain data security.
If you're not confident where you stand in regards to compliance, here are three tips to help with your HIPAA compliance. As technology continues to evolve, new systems are implemented to transfer health and insurance information between healthcare providers and insurers have evolved as well, and your business needs to maintain compliance. For example, despite being discontinued, many organizations are still using Windows 7. Unfortunately, if your medical organization uses Windows 7 devices, your organization is no longer HIPAA compliant.
HIPAA isn't the only regulation healthcare organizations must be conscious of, as many organizations may oversee different steps in how healthcare is applied. The Center for Medicare/Medicaid (CMS) services focuses on patient care, while the Occupational Safety and Health Administration (OSHA) focuses on workers' safety. This is just the tip of the iceberg of data a medical organization needs to navigate and agencies they must provide answers to.
With healthcare businesses being answerable to so many regulatory agencies, it can be challenging to ascertain which practices are the best practices, and which strategies work to keep sensitive information, especially patient data, from being compromised.
Data security for healthcare providers can be a tricky balancing act as organizations need to keep sensitive information available to facilitate communication and provide services to their patients while being efficient enough to keep their operational costs under control.
The business environment is continually changing and adapting to current events, causing many providers to investigate the best way to stay compliant. This examination must include evolving policies around existing standards of data protection to adhere to the recommended regulations. Doing so can create many headaches for organizations not familiar with the policy. The best way to find a solution is to work with an organization familiar with cybersecurity practices.
Financial Services Data Compliance
Besides healthcare, another highly regulated industry is the financial services industry. As the industry turns towards technology for support in a post-coronavirus world, financial organizations rely on information technology to increase productivity and security, cut costs, and manage their businesses more efficiently.
Although Congress rolled back one of the most stringent regulations: the Dodd-Frank Act, its continued reach can't be ignored. There are currently three other regulations that financial service companies need to consider: the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOx), and the Payment Card Index Data Security Standard (PCI DSS).
While some larger organizations will still need to adhere to Dodd-Frank, smaller banks and other lending institutions often hamstrung by the regulations are still governed by other policies, even while they can now operate free from Dodd-Frank's oversight. Here is how each work in regards to data security:
- GLBA - Financial services organizations need to identify, adjust, and test their data protection systems to ensure that customer information isn't misused or misallocated.
- SOx - Works to require accurate and responsible accounting and puts an onus on large businesses to increase profits' transparency.
- PCI DSS - Functions to protect cardholder data and provide strong controls, reporting, and payment card systems testing.
There are three significant regulators in the United States: the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and the Securities and Exchange Commission (SEC). They often step in and levy fines when it's called for, but they typically hold fast or take advisory roles in data security matters as it could be looked on as above their mandate. Their function is mostly to keep trade practices and markets fair and efficient, not protect personal information. Unless threats to that activity are directly coming from identified threat actors, the financial regulators won't take a proactive approach.
Despite the lack of proactive oversight, most financial entities typically keep their practices to a certain standard, the standards outlined by the Federal Financial Institutions Examination Council handbook or FFIEC-IT. With a dedication to keeping financial services technology the secure product it needs to be, FFIEC-IT booklets outline what is expected to maintain a compliant and secure financial services IT infrastructure. By visiting the FFIEC-IT website, you can view all the information anyone would need to know to keep their IT infrastructure, network, security practices, and reporting at a level commensurate with the expectations of financial services customers and regulators.
Planning Out Your Organization’s Security
While we focused on healthcare and financial services, all businesses are responsible for ensuring they keep their data secure. Most states require data security, including New York State, which enacted the SHIELD act in July 2019. All security standards tend to follow the same general principles. Most will talk about the need for concise reporting and constant assessment. This works in the service provider’s favor as they can outline a strategy that will work for the many types of organizational oversight they function under.
By creating a static security management plan (SMP), an organization sets up a workflow that will outline the steps everyone has to take to guide them. While a checklist on a clipboard would work, it would be more useful to utilize collaboration tools such as Google Workspace (formerly G Suite) and Office 365, which grant organizations the ability to use electronic spreadsheets to add a degree of automation and communication.This also provides the visibility to quickly translate and compile the information into any reports that you are mandated to provide regulators and allow you to take advantage of Business Intelligence.
The Security Management Plan should include:
- An organizational security mission statement
- A static hierarchy of authority with the organization’s reporting structure
- Identification of areas that need to be secured
- A general outline of individual duties and activities under the SMP
- The static documentation system that has to be used to keep things compliant
- An organizational training program or interface to keep staff up-to-date on shifts in the SMP
- A roadmap on how to incorporate liaison sites
- A top-to-bottom security organizational chart
- A copy of SMP evaluations and an improvement plan, if needed
Once you have a dedicated SMP in place, you can go about applying it to every facet of your organization. This is a time-consuming task as everything your business has to keep secure should have a line item in the spreadsheet, and is something you should consider outsourcing. Still, once it’s done, it will be much easier to ascertain where your organization is on a specific tactic, and how resources should be deployed to ensure that compliance is maintained.
A big part of staying compliant is to put in practice quality assessment tools. Sometimes your organization’s security and practices will work in concert, and sometimes they will conflict. Ensuring that your reference materials are current, consolidated into an easy-to-decipher format, and reported correctly will provide you with a much more manageable time managing the assessment and validation systems you’ll need to prove compliance to regulators.
At Directive, we are experts in designing, implementing, and supporting any business’ compliance strategies. Our technicians understand the importance of both the security and privacy of data and that it needs to be available when called for.
Call us today or complete our assessment request form. We will contact you to discuss what you need to do to stay compliant with the regulatory requirements your business falls under. Reach out to us at 607.433.2200.