Many organizations are faced with standards or regulations. Whether it’s HIPAA (“Health Insurance Portability and Accountability Act”) for the health sector, PCI-DSS (“Payment Card Industry – Data Security Standard”) for credit card transactions, or others, information security professionals are involved in the compliance process.
However, with recent regulation changes, their work may be more challenging, according to a panel of experts who recently gathered at the “Information Security Summit”.
In fact, the new Omnibus HIPAA rules are more stringent for organizations associated with other organizations that must comply with HIPAA. In addition, they will be obliged to report security breaches or disclosures concerning protected health information. The term “associates” is now broader and consequently covers more organizations and subcontractors.
Also, actions and audits will be put in place under the PPACA (“Patient Protection and Affordable Care Act”), or ObamaCare, by October 1, 2013.
As for PCI-DSS standards for payment card transactions, they have become a major compliance issue for many state agencies. These standards require annual assessments, which can be challenging for organizations with limited staff.
When regulations provide more flexibility and the consequences for non-compliance (financial or other) are minor, organizations may be tempted not to make compliance a priority. Hence, the government and regulatory bodies have tightened regulations. However, business stakeholders have come to understand that being compliant will generally improve their business’s information security and preserve the confidentiality of sensitive information. Various security incidents that have significantly affected businesses have also helped create this awareness.
It is impossible for organizations to be 100% secure and compliant with all these regulations. However, they must understand what needs to be done, show the work that has been accomplished, and develop an action plan to achieve compliance. These actions can make a significant difference to auditors and demonstrate, at a minimum, due diligence.
By Patrick Paradis, Information Security Advisor