Healthcare Technology Featured Article

May 06, 2015

Compliance: It Doesn't Have to be as Painful as It Sounds

Dan Maloney

Does this sound familiar? A major retailer suffered a system breach that resulted in the loss of millions of consumers’ credit card data. A non-profit hospice had a laptop stolen which contained unencrypted records on hundreds of patients. A well-known social media platform had a breach that resulted in the loss of millions of user IDs and passwords.

You’ve heard these and similar stories many times over the past year, but do you know what they all have in common? All these companies were considered “compliant” with at least one of the common security frameworks such as the Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry Data Security Standard (PCI-DSS).

Organizations are placing far too much emphasis on the compliance certification and not enough on the compliance process. The end goal should not be the piece of paper with a stamp of approval. Companies should be working diligently to identify and mitigate the risks that pose a serious threat to the confidentiality, integrity or availability of their systems and data.

Without rubbing salt in their wounds by naming names, two of the biggest data breaches last year cost these respective companies approx. $100 million each. Smaller organizations with less data to steal will pay less, but the point is that it’s an unnecessary expense that could be avoided if organizations invested in proper risk management on the front end.

Proper risk management is an ongoing process. It doesn’t simply follow a checklist provided by an outside group. It takes into account the unique nature of each organization. While compliance programs such as HIPAA, PCI, FISMA and others are a great starting point, they can’t identify all areas of risk in an organization. Each organization must do that for itself.

Risk management will always provide far greater security than any compliance checklist ever will. If you don’t have a risk management program, start small and use free resources such as NIST Special Publication 800-30, Guide for Conducting Risk Assessments, or Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, available at

The True Cost of Non-Compliance

The Ponemon Institute conducted an independent study, “The True Cost of Compliance,” which revealed that the cost of non-compliance (i.e. penalties and fines) is far greater than the actual cost of being compliant. When Ponemon researchers adjusted the total cost of compliance by organizational headcount, they found that compliance cost $222 per employee, while the cost for non-compliance came to $820 per employee.

The study also found that per capita non-compliance costs appear inversely related to the frequency of internal compliance audits. In other words, the more internal audits you perform successfully, the lower your chances of failing a real compliance audit.

The cost of non-compliance goes beyond fees, penalties, and legal costs; it disrupts the normal business processes, reduces productivity and creates tremendous stress on the individuals involved (a cost that can’t be calculated).

An Audit-Ready Process

Clearly, non-compliance is not an option. But compliance auditing seems like a dreadful, complex and time-consuming task, taking hundreds of staff hours and creating innumerable headaches. Let’s face it: IT is becoming a regulated industry. Compliance mandates like PCI DSS affect any company processing credit cards, SOX requirements are essentially a tax for public companies and growing startups, and healthcare providers dread HIPAA audits. Financial services companies live or die by their ability to implement GLBA controls. Honoring compliance obligations without monitoring automation is a recipe for costly penalties.

Automated monitoring brings peace of mind and streamlined processes to compliance. There are solutions today that provide the benefit of a single-pane-of-glass view of corporate network infrastructure. Some products go even further, providing pre-configured rules and reports, many of which are designed specifically to make preparing for compliance audits as easy as the click of the mouse. Rather than commandeering IT resources two weeks before audit reports are due, IT managers should consider solutions that generate compliance reports automatically for the following: PCI DSS, SOX, NERC, GLBA, GPG13, FISMA, COBIT, ITIL, ISO, HIPAA and SANS Critical Controls.

A compliance monitoring solution not only helps IT staff discover new – and potentially rogue – devices on the network, it also enables a more efficient alert system. Imagine being able to view the entire network at a glance. This kind of functionality also helps isolate the root cause of security and network issues, which is of particular value in virtualized environments where problem root causes change over time.

The ROI of using automated monitoring for compliance is immediate. As an example, a financial services firm was required to produce quarterly GLBA compliance reports. It was a full-time job for three IT system administrators for three weeks per quarter. During this time, they would manually parse terabytes of logs to find all instances of specific security events such as unauthorized server access.

Once the firm implemented an automated monitoring solution, all of those events were instantly tracked, correlated and delivered as pre-configured reports and dashboards. In addition to automating GLBA compliance for security, the company also gained health-of-network visibility into server and application performance and availability.

Lower Your Risk Tolerance

Maintaining compliance with IT security mandates such as PCI, SOX and HIPAA is more important than ever before as companies seek to protect their critical data. However, as we continue to see, compliance does not necessarily equal security. Rather than simply checking off a list of compliance requirements, organizations are best served by paying attention to their specific compliance process.

By implementing an automated process for reporting and compliance, organizations can gain immediate ROI. Streamlining the audit process will also help clarify what is worthy of the IT administrator’s attention and what is not, while providing the C-suite with peace of mind the next time the auditors come knocking at their door.

About the Author: Dan Maloney is vice president of marketing and business development for AccelOps, the leader in actionable security intelligence for the modern data center. Maloney has nearly 20 years of experience in the enterprise software arena, serving as general manager and global vice president for eCommerce at SAP. Dan was at SAP for 12 years, where he held a variety of leadership roles, including global vice president of business development, focusing on selecting, structuring and enabling SAP's partnerships for cloud, mobility and traditional on-premise software. 

Edited by Dominick Sorrentino
By TMCnet Special Guest
Dan Maloney, VP of Marketing and Business Development