By Mike Semel, President, Semel Consulting, ASCII Group Member Since 2012
There is a huge disconnect between compliance and IT security, which I see every day while conducting compliance and security assessments.
If you focus on compliance, you can create binders full of documentation but not be secure. If you focus on security, then compliance is just a simple exercise in documenting your security efforts in accordance with regulations.
In 2014 the FBI sent a warning to the healthcare industry that its data was not secure:
The biggest vulnerability was the perception of IT healthcare professionals’ beliefs that their current perimeter defenses and compliance strategies were working when clearly the data states otherwise.
Many of the assessments we conduct are for healthcare organizations of all types and sizes — doctors, clinics, hospitals, and health plans — that have to comply with HIPAA. Organizations usually focus on compliance and show us reams of paper — policies, procedures, and training records. In many cases these were purchased as a compliance-in-a-box kit, and the policies still have the original blank spots where they were supposed to insert their organization name. Many that have completed their documentation have not carried it through into actions. Some blindly answer hundreds of questions in compliance assessment tools, or tell consultants that the security described in their policies and procedures is really in place. They believe it themselves. We show them that they are always wrong to some degree.