Compliant Doesn’t Mean Protected

A lot of companies need to comply with numerous federal, state and industry data security regulations. You have to comply with HIPAA if you are in the healthcare industry. If you are dealing with credit card information, you must comply with PCI-DSS.

If you are in the US, there are numerous state data breach protection and notification laws.  If you are in the EU, you have to worry about the General Data Protection Regulation (GDPR).  The list goes on and on.

Many companies do the minimum necessary to be compliant with the regulations, but as is evident from the constant barrage of data breach headlines, being compliant doesn’t mean you are protected.

HIPAA regulations are a good example.  According to the HIPAA Security Rule, Covered Entities and their Business Associates need to protect the privacy and security of protected health information (PHI).  This requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of PHI.

Many healthcare businesses determined that limiting access to PHI meets the requirement.  They have strict username and password authentication processes to ensure controlled access.  As we have seen from many data breaches, stealing passwords and using them to gain access to sensitive information is common.

There are suggestions of using encryption as a method to ensure privacy and security, but the final HIPAA Security Rule made the use of encryption an addressable implementation specification. That means a company can decide if encryption is a reasonable and appropriate safeguard in its risk management strategy.  If not, it must document an equivalent alternative measure, presuming that the alternative is reasonable and appropriate.

Putting endpoint encryption on all desktops and laptops is a method that could meet the letter of the law. If the device is lost or stolen, the information on the machine is protected, since the thief won't be able to access it. Unfortunately, this doesn't stop someone who is legitimately using the PC from accidentally or maliciously moving the data off the PC and sending it elsewhere. Once the information is off the PC, it is vulnerable.

Recent legislation in NJ has gone a step further in mandating the use of encryption for PHI that renders personal information unreadable, undecipherable, or unusable by unauthorized persons. This goes beyond allowing a user to access encrypted data with a password. It requires a more robust method to ensure that the user is validated against a directory service and that all components in the chain are secure.

Applying persistent controls to sensitive data ensures that you are always in control of the information regardless of location.  This not only provides confidentiality, integrity and access control over the data, but also allows for control over actions taken while using the data.  You can control who can edit, print, cut and paste, take a screen capture or save a local copy of files.  Since these controls follow the data itself, you can maintain control even after it leaves the boundaries of your organization.  By applying the security at the file level, you can also ensure that any copies stored in cloud services, email systems or on mobile devices are inaccessible.
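The difference between the two approaches above (disk encryption that stops protecting a file the moment it is copied off the PC, versus controls that stay attached to the file) can be shown in code. The following is an added example, not code from the original post or from any product: the usage policy (who may open the file and which actions are allowed) is stored alongside the ciphertext and covered by the authentication tag, so the policy cannot be stripped or widened without detection, and the plaintext is released only when the policy permits the requesting user and action. The cipher here is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, chosen so the example runs with the Python standard library alone; a production system would use AES-GCM with the policy as associated data, and the key would live on a policy server rather than with the client. The key, record and policy values are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import struct

TAG_LEN = 32
NONCE_LEN = 16


class IntegrityError(Exception):
    """The protected object or its attached policy was altered."""


class AccessDenied(Exception):
    """The attached policy does not permit this user/action."""


def _subkey(master_key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one master key.
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (demonstration only;
    # production code should use AES-GCM with the policy as associated data).
    blocks = [hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def protect(master_key: bytes, plaintext: bytes, policy: dict) -> bytes:
    """Encrypt plaintext and bind the usage policy to it.

    Layout: [policy_len:4][policy JSON][nonce:16][ciphertext][tag:32].
    The tag covers the policy, so editing or removing it is detected.
    """
    nonce = os.urandom(NONCE_LEN)
    policy_bytes = json.dumps(policy, sort_keys=True).encode()
    stream = _keystream(_subkey(master_key, b"encrypt"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    header = struct.pack(">I", len(policy_bytes)) + policy_bytes + nonce
    tag = hmac.new(_subkey(master_key, b"authenticate"), header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_protected(master_key: bytes, blob: bytes, user: str, action: str) -> bytes:
    """Return plaintext only if the bound policy allows `user` to perform `action`."""
    if len(blob) < 4 + NONCE_LEN + TAG_LEN:
        raise IntegrityError("truncated object")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(master_key, b"authenticate"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before parsing anything
        raise IntegrityError("policy or content was modified")
    policy_len = struct.unpack(">I", body[:4])[0]
    policy = json.loads(body[4:4 + policy_len])
    nonce = body[4 + policy_len:4 + policy_len + NONCE_LEN]
    ciphertext = body[4 + policy_len + NONCE_LEN:]
    if user not in policy.get("allowed_users", []):
        raise AccessDenied(f"{user} is not an authorized user")
    if action not in policy.get("allowed_actions", []):
        raise AccessDenied(f"{action} is not permitted for this object")
    stream = _keystream(_subkey(master_key, b"encrypt"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


# Constructed sample: a PHI record whose policy travels with it wherever it is copied.
SAMPLE_KEY = hashlib.sha256(b"constructed demo master key - not for real use").digest()
SAMPLE_RECORD = b"Patient 0001: diagnosis J45.20, visit 2024-01-15"
SAMPLE_POLICY = {
    "owner": "records@clinic.example",
    "allowed_users": ["dr.alice@clinic.example"],
    "allowed_actions": ["view"],   # print, copy and save-local are not granted
}


def demo() -> dict:
    blob = protect(SAMPLE_KEY, SAMPLE_RECORD, SAMPLE_POLICY)
    results = {"view_ok": open_protected(SAMPLE_KEY, blob, "dr.alice@clinic.example", "view") == SAMPLE_RECORD}
    for user, action in [("dr.alice@clinic.example", "print"), ("mallory@example.net", "view")]:
        try:
            open_protected(SAMPLE_KEY, blob, user, action)
            results[f"{user}:{action}"] = "allowed"
        except AccessDenied:
            results[f"{user}:{action}"] = "denied"
    # A copy of the file with one byte of its policy changed must be rejected outright.
    tampered = bytearray(blob)
    tampered[10] ^= 0x01
    try:
        open_protected(SAMPLE_KEY, bytes(tampered), "dr.alice@clinic.example", "view")
        results["tamper"] = "undetected"
    except IntegrityError:
        results["tamper"] = "detected"
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take from the example is where the decision is made: the authorization check and the key sit together, so a copy of the file in a cloud share, a mailbox or a phone is the same opaque blob, and the holder gets nothing until the policy bound to it says otherwise.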

Being compliant with regulations is no longer a guarantee that your sensitive information is safe. Insider threats and the escalation and sophistication of external threats are putting all organizations at greater risk. Don't implement technology to satisfy compliance. Implement it to completely block the path to your most valuable assets.


Photo credit Paul Inkles
