[BreachExchange] The Cost of Compliance – and Why Organizations Neglect It

Audrey McNeil audrey at riskbasedsecurity.com
Wed Apr 11 22:18:26 EDT 2018


http://complianceandethics.org/the-cost-of-compliance-and-why-organizations-neglect-it/


Given how sensitive healthcare data can be, you’d expect hospitals and
similar organizations to place the utmost importance on keeping it safe. So
why does it seem like so many slack off?

Healthcare organizations know a lot about us, sometimes more than we know
about ourselves. And when that information falls into the wrong hands, it
can be devastating – it gives a criminal everything they need to commit
medical identity theft. Not surprisingly, there are some pretty strict
rules and regulations around the protection of that data, known as
Protected Health Information (PHI).

In the United States, that set of guidelines is known as HIPAA. Similar
rules exist in Australia, the United Kingdom, and the European Union. The
one thing they all share in common aside from the data they protect?

A startling number of businesses – healthcare organizations and otherwise –
are noncompliant.

That can be costly. In addition to opening up an organization to penalties
of up to $50,000 per compromised record in the event of a breach (under
HIPAA), failure to adequately protect healthcare data can also lead to even
costlier lawsuits. And that’s without even accounting for the reputational
damage.

In short, HIPAA compliance is in every organization’s best interest if they
even tangentially work with health data. So why do so many businesses
neglect it? In my experience, there are two overarching reasons.

They Lack The Resources

Healthcare IT isn’t known for being well-funded. Quite the contrary –
administrators in the health industry are regularly forced to do more with
less, constantly trying to make ends meet with an understaffed,
under-utilized IT department. Factor in how hodgepodge the tech tends to be
in many hospitals, and it isn’t hard to see why some organizations simply
sweep HIPAA under the rug and hope no one notices.

They Simply Don’t Know Any Better

There are more ways to violate HIPAA than improper storage of healthcare
data – something many organizations don’t seem to realize. If, for example,
you’re using an email provider within your organization, you need to ensure
they’re HIPAA compliant. Unencrypted text messages are also a definite
thing to avoid, as is sharing login information between multiple users.

Even an organization’s website can cause it to run afoul of HIPAA if it
uses a web submission form that isn’t up to the regulation’s standards.

And – here’s the big one that a lot of third-party organizations especially
seem to fall behind on – training. If a healthcare organization or third
party vendor doesn’t provide regular training sessions for its employees,
they are noncompliant. And it doesn’t matter if said organization is doing
so because they aren’t aware of these regulations – ignorance of the law is
no excuse, after all.

So what can you do to reduce the cost of compliance? How can you ensure
that your organization stays within HIPAA’s regulatory guidelines, and that
you or your employees aren’t unknowingly violating it? It all starts with
proper data hygiene. Beyond that…

- Invest in an endpoint management solution that allows your IT department
to easily control and monitor systems across your organization.
- Understand that your IT department is a critical cog in your organization
– and that your staff needs funding to keep your organization compliant.
- Train your staff regularly, and ensure that any organizations you do
business with are fully schooled in their duties under HIPAA.
- Perform regular risk assessments. Bring in an outside compliance expert
if necessary.
- Choose a HIPAA-compliant host for your web presence and hosting services.

HIPAA can be difficult to comply with, but it’s a necessity if you work
with PHI. Under the law, it doesn’t matter if you lack resources or
knowledge. Noncompliance is noncompliance – bear that in mind.