With compliance efforts the question is "Which way do we go?!" And most times the signs are just this clear! (Image by bob august via Flickr.)
Two weeks ago, a financial services client of ours asked me “how compliant is compliant enough?”
They’ve been a good client for over 15 years. They are good people who care about their customers. They follow a disciplined approach to IT operations which provides a great foundation for their information security program.
At first, I was blown away by the question.
How could they even consider such a question?
But the more I reflect on their comments and their situation, the more a new question comes to mind.
Who could blame them?
With the HITECH changes to HIPAA they unequivocally fall within the scope of HIPAA compliance. They are obligated by law to do more than they do now to secure their customer data.
They are doing a lot and doing it well, though they know they are not perfect.
Their wireless network is 100% impervious to outside invaders, because they don't have one: they decided the security risks of deploying wireless outweighed the business case for implementing it. Over 10 years of third-party security assessments, their technical team and technical infrastructure have consistently passed muster (ours wasn't the only firm evaluating them, so the consistent findings came from multiple firms using multiple techniques and tests). A recent HIPAA Security Rule Gap Assessment Workshop that we facilitated found that, from a HIPAA standpoint, they were doing the vast majority of the controls in the Security Rule.
They are "doing" security, but they don't document at a policy or procedure level what they do. Their staff is aware of security issues, but less so of privacy issues, particularly those pertaining to information handling practices within the organization. In those 10 years of tests, a couple of the assessors have been able to penetrate their physical security through social engineering. Security and privacy are treated as an IT-focused effort.
We believe that they are well secured against external attacks but are vulnerable to insider threats, accidents, and interruptions in their business process.
Fixing those business related issues all boils down to revenue versus expense, and they aren’t sure they can invest the time and treasure to attain perfect compliance.
And so the honest question is asked, “How compliant is compliant enough?”
Although they only asked one question, I suspect they had a few other questions they didn’t verbalize:
- If we don’t do anything will we really get in trouble?
- Will the government really enforce the law? They haven’t really yet have they?
- If we do all this extra work won’t the work cost more than the likely fines we’ll pay if we don’t do the work?
- Are our competitors doing it? Do our customers care?
In the time they’ve been wrestling with these questions they could have substantially closed the larger gaps in their program. But they are frozen by the uncertainty.
They are not the only client that is frozen by regulatory uncertainty.
Truly, with the way our government regulates information security and privacy I don’t have good answers for those questions.
Regulatory uncertainty is in and of itself a threat to privacy and security, and regulatory non-compliance is a risk that needs to be managed.
In the face of uncertain and confusing regulatory options most businesses in our experience choose to do nothing.
Regulatory uncertainty manifests itself in a number of ways:
- Uncertainty due to a lack of knowledge about the potential regulations on the part of businesses
- Uncertainty about just what various regulatory agencies are doing
- Uncertainty about just what various regulatory agencies are going to do
- Uncertainty due to the myriad of fine-line distinctions and confusion in the body of regulation itself
- Uncertainty because of the confusion about which regulations apply to a particular firm or type of firm
All of these types of uncertainty are born of poor communication, difficult language, and sudden course corrections as rules are reshaped in the political process even after they’ve been published.
It isn’t that hard to find examples:
Red Flags (The Fair and Accurate Credit Transactions Act of 2003 known as either FACT Act or FACTA)
The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs, or "red flags", of identity theft in their day-to-day operations. It was first passed in 2003. The FTC moved the enforcement date three times. Depending on whose view you take, that was either because they bent to lobbying from interest groups representing doctors, lawyers and higher education institutions, or because they were listening to industry and adjusting the rules to meet the feedback they were getting. From either perspective, the enforcement date continued to slip.
In December 2010, the law was amended with the Red Flag Program Clarification Act of 2010 to focus the law on its original intent.
(NOTE: Did you catch that last line: “Bookmark this site and check it often for revisions that reflect changes in the law.” Often? How often? Changes? What changes? How do I plan for those changes? Are you kidding me?)
HIPAA and HITECH
HIPAA is the Health Insurance Portability and Accountability Act of 1996. HIPAA has five titles covering an array of topics. Title II, ironically known as Administrative Simplification, primarily requires the establishment of national standards for electronic health care transactions. Administrative Simplification also addresses the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
Based in part on the poor adoption rates of and loopholes in HIPAA, Congress passed HITECH.
HITECH, the street version of its mouthful of a formal name, the Health Information Technology for Economic and Clinical Health Act, was enacted as part of the American Recovery and Reinvestment Act of 2009 and signed into law in February 2009. It primarily promotes the adoption and meaningful use of health information technologies such as Electronic Health Records (EHR). Within HITECH, Subtitle D addresses privacy and security concerns associated with the electronic transmission of health information, primarily through a number of provisions that strengthen enforcement of or clarify the original HIPAA rules.
Yet, uncertainty surrounding HIPAA is epic:
- Poor enforcement impacted HIPAA adoption rates, so HITECH was passed to provide stronger enforcement. We have seen an increase in enforcement actions, as well as an increase in awareness of breach events through HITECH’s breach reporting requirements, but it has not reached a tipping point that catches decision makers’ attention in a way that motivates them to act.
- Rules that were to be out by now are not published. Rules have been published and pulled. Published dates have been moved around the calendar. We know that subcontractors are covered under the Security Rule but the rules have not been published. We know that there are mandatory audits required under HITECH but we don’t know exactly what that means.
- Rules sometimes just don’t make sense. For instance, the Security Rule is focused on ePHI, or electronic Protected Health Information. Think technical infrastructure. The Privacy Rule is focused on PHI in any form. Think use, handling and behavior. A fax is not considered ePHI, though in most environments today many faxes come in and go out through unified messaging. What is compliant action in regard to action
The government has produced an alphabet soup of laws, rules and regulations (FERPA, Sarbanes-Oxley, also known as SARBOX or SOX, GLBA), all with similar stories. And there are legislative efforts to move forward with a new batch of privacy and security laws covering related topics such as national cyber security, privacy, security standards and breach notification. With the continual onslaught of breaches, the political will is building to enact and execute a national law focused on information security and privacy.
So into this clear-as-mud uncertainty we now have political activity, driven by the epidemic of breaches, that is leading us to more laws, rules and regulations, and, as I would suspect, more uncertainty, and with it more frozen clients caught between their fear to act and their fear not to act. And doing nothing puts them and their data at risk.
So we think the question isn’t “how compliant is compliant enough?” but rather “how can we position our firm to lower compliance risk in light of this uncertainty while focusing on doing the right things to protect our customer and other critical data?”
We suggest the following:
- Stay focused on the basics. We recommend you start by defining a standard language for internal information security discussions. We at Jacadis like ISO 27001. The ISO 27000 series is an internationally recognized family of standards focused on turning information security, privacy and compliance into a management function. Adopting ISO 27001 provides a framework and a language from which to build a top-down information security, privacy and compliance function within an organization, from management level to technical level. The framework provides a standard way of managing security and, once adopted, builds resilience to changes in compliance standards while keeping you focused on protecting the most important information assets in your stewardship. For additional reading on ISO 27001, I suggest an IT Toolbox article by Jacadis’ Jerod Brennan.
- If you don’t have someone tracking the laws that affect your company, the cost to become compliant is going to hit you like a ton of bricks. Stay on top of it. An ounce of prevention is worth a pound of compliance, er… cure.
- And while I don’t suggest you get caught up in the what-ifs and could-bes as the legislative process moves forward, if you are an information-intensive organization it is a good idea to have an executive-level team member monitor the legislative process. You may find there is a moment that calls for you to get involved politically, if legislation becomes restrictive in a way that could impact your business.