Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
HIPAA, SOX & PCI: The Coming Compliance Crisis In IT Security
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/24/2014 | 8:06:35 AM
Re: Hipaa Compliance Solutions -- BYOD
There is a lot of talk about the effectiveness (or lack of effeciiveness ) of user education, but you hit the nail on the head when you tie it tightly together with a policy like BYOD. I also really like your approach to training the user, training the trainer, and random checks to keep users vigilant. Thanks for sharing!
ecobb951
ecobb951,
User Rank: Apprentice
1/23/2014 | 6:10:42 PM
Re: Hipaa Compliance Solutions -- BYOD
The best way to deal with any pushback on a BYOD policy or any policy or security change is through education. It was not enough to change or implement a BYOD policy. Once that was done, we then had to deal with the compliance reality - just because you have a policy, doesn't mean people will follow it.

The Key to a successful BYOD policy is education. We had to do a 15 minute training with all the staff to explain the policy, and why we need it, as well as explain the relationship with our own HIPAA compliance. Once the training was done, we saw a dramatic rise in compliance to the BYOD policy and this was measured by the dramatic increase in the use of the HIPAA compliant messaging app (TigerText) that was built into our policy.

Can't stress how important the training of staff is to the success of a BYOD policy, or any policy.
Also, if you are looking for a good 'train the trainer' program to help set-up a successful BYOD policy training program, I suggest contacting PrepMasters.com

Concerning enforcement, we have our trainers do training updates and testing to make sure the policy is known and used. She also does random checks in the workspace.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/23/2014 | 11:54:50 AM
Re: Hipaa Compliance Solutions -- BYOD
Thanks for posting that example policy ecobb951. I'm curious to know how your staff has reacted to the requirements? Are you getting any pushback? Is it hard to enforce?
ecobb951
ecobb951,
User Rank: Apprentice
1/22/2014 | 1:25:52 PM
Hipaa Compliance Solutions
Yes, HIPAA can be a pain in the ass, but it is critical to our medical system and keeping data secure. There are lots of network systems that are set-up for HIPAA, and can handle HIPAA, SOX and PCI changes without much of a problem.


The real issues I think are going to crop up in BYOD policy. There, the solution are more difficult, and have a very wide range of possabilities.

A good example is that we have a BYOD policy that limits mobile data transfers to that of a HIPAA compliant text and file transfer app (TigerText) that we install on all our staff's phones. It is through this policy and app that we are able to keep our staff patient data communication secure and compliant, without making it a burned of very costly.

A good example of a BYOD policy is here:

http://www.hipaatext.com/wp-content/uploads/2013/03/BYOD-Policy-20130213.pdf
Andy Daudelin
Andy Daudelin,
User Rank: Apprentice
1/22/2014 | 12:09:31 PM
Re: Does Compliance Help or Hurt
Drew - It's not an either/or situation. Today's businesses are challenged with adhering to regulatory compliance requirements and managing risk while meeting business objectives. As you mentioned, compliance requirements can help companies develop useable frameworks and policies. But you can pass an audit and still be vulnerable to an attack. Compliance will remain an unavoidable component to enterprise security, yet checking the boxes is not enough. Companies also need real-time monitoring and security operations for effective incident prevention, detection, and response.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/22/2014 | 11:19:56 AM
Re: SOX
Are you saying that you've got the best of both worlds, Paul? No worries about regulators bearing down but a good set of processes and controls in place? Curious to know if you think your risk management posture has deterioriated at all now that you're not subject to those rigorous regs?  Tell us what's still working and what's falling short... 
Rhallowell
Rhallowell,
User Rank: Apprentice
1/22/2014 | 10:21:10 AM
HIPPA Compliant
First of all, great article. People in the enterprise industry need to know how at risk they are and what new guidelines they need to follow under the HIPAA act and you laid that out perfectly. 
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/22/2014 | 9:21:06 AM
Re: Does Compliance Help or Hurt
That's a great question, ACM, and I'm looking forward to hearing Andy's and other community members response. IMO compliance regulations are a necessary evil. True, they can be overly complex and time consuming, not to mention a hefty cost for an organization. I also do not doubt that there are ways to game the system in a check-box audit. But if used effectively -- as a best practices tool to manage risk and protect an organization's data privacy and security --they will deter and detect serious abuse and damage. 

If I'm missing something, please let me know in the comments!
Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
1/22/2014 | 9:01:32 AM
Does Compliance Help or Hurt
Hi Andy,

Do you think compliance mandates, on the whole, are useful? On the one hand, compliance requirements can provide some security structure for companies, but on the other hand, organizations may focus more on checking boxes and satisfying auiditors instead of managing risk. I'm curious to get your take on this.
Gary Scott
Gary Scott,
User Rank: Strategist
1/21/2014 | 11:29:47 PM
HIPAA & GLBA Data Destruction Compliance
We are an IT recycling and data destruction company.  With the new HIPAA and HITECH regulations, most of our new business comes from onsite hard drive destruction whereas before it was IT recycling.

Organizations and data centers are now seeing value in the NAID Certification and onsite data destruction.

 
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Developing and Testing an Effective Breach Response Plan
Whether or not a data breach is a disaster for the organization depends on the security team's response and that is based on how the team developed a breach response plan beforehand and if it was thoroughly tested. Inside this report, experts share how to: -understand the technical environment, -determine what types of incidents would trigger the plan, -know which stakeholders need to be notified and how to do so, -develop steps to contain the breach, collect evidence, and initiate recovery.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-2807
PUBLISHED: 2022-12-02
Algan Yazılım Prens Student Information System product has an unauthenticated SQL Injection vulnerability.
CVE-2022-2808
PUBLISHED: 2022-12-02
Algan Yazılım Prens Student Information System product has an authenticated Insecure Direct Object Reference (IDOR) vulnerability.
CVE-2022-44929
PUBLISHED: 2022-12-02
An access control issue in D-Link DVG-G5402SP GE_1.03 allows unauthenticated attackers to escalate privileges via arbitrarily editing VoIP SIB profiles.
CVE-2022-44930
PUBLISHED: 2022-12-02
D-Link DHP-W310AV 3.10EU was discovered to contain a command injection vulnerability via the System Checks function.
CVE-2022-45562
PUBLISHED: 2022-12-02
Insecure permissions in Telos Alliance Omnia MPX Node v1.0.0 to v1.4.9 allow attackers to manipulate and access system settings with backdoor account low privilege, this can lead to change hardware settings and execute arbitrary commands in vulnerable system functions that is requires high privilege...