Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

HIPAA, SOX & PCI: The Coming Compliance Crisis In IT Security
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/24/2014 | 8:06:35 AM
Re: Hipaa Compliance Solutions -- BYOD
There is a lot of talk about the effectiveness (or lack of effeciiveness ) of user education, but you hit the nail on the head when you tie it tightly together with a policy like BYOD. I also really like your approach to training the user, training the trainer, and random checks to keep users vigilant. Thanks for sharing!
User Rank: Apprentice
1/23/2014 | 6:10:42 PM
Re: Hipaa Compliance Solutions -- BYOD
The best way to deal with any pushback on a BYOD policy or any policy or security change is through education. It was not enough to change or implement a BYOD policy. Once that was done, we then had to deal with the compliance reality - just because you have a policy, doesn't mean people will follow it.

The Key to a successful BYOD policy is education. We had to do a 15 minute training with all the staff to explain the policy, and why we need it, as well as explain the relationship with our own HIPAA compliance. Once the training was done, we saw a dramatic rise in compliance to the BYOD policy and this was measured by the dramatic increase in the use of the HIPAA compliant messaging app (TigerText) that was built into our policy.

Can't stress how important the training of staff is to the success of a BYOD policy, or any policy.
Also, if you are looking for a good 'train the trainer' program to help set-up a successful BYOD policy training program, I suggest contacting PrepMasters.com

Concerning enforcement, we have our trainers do training updates and testing to make sure the policy is known and used. She also does random checks in the workspace.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/23/2014 | 11:54:50 AM
Re: Hipaa Compliance Solutions -- BYOD
Thanks for posting that example policy ecobb951. I'm curious to know how your staff has reacted to the requirements? Are you getting any pushback? Is it hard to enforce?
User Rank: Apprentice
1/22/2014 | 1:25:52 PM
Hipaa Compliance Solutions
Yes, HIPAA can be a pain in the ass, but it is critical to our medical system and keeping data secure. There are lots of network systems that are set-up for HIPAA, and can handle HIPAA, SOX and PCI changes without much of a problem.

The real issues I think are going to crop up in BYOD policy. There, the solution are more difficult, and have a very wide range of possabilities.

A good example is that we have a BYOD policy that limits mobile data transfers to that of a HIPAA compliant text and file transfer app (TigerText) that we install on all our staff's phones. It is through this policy and app that we are able to keep our staff patient data communication secure and compliant, without making it a burned of very costly.

A good example of a BYOD policy is here:

Andy Daudelin
Andy Daudelin,
User Rank: Apprentice
1/22/2014 | 12:09:31 PM
Re: Does Compliance Help or Hurt
Drew - It's not an either/or situation. Today's businesses are challenged with adhering to regulatory compliance requirements and managing risk while meeting business objectives. As you mentioned, compliance requirements can help companies develop useable frameworks and policies. But you can pass an audit and still be vulnerable to an attack. Compliance will remain an unavoidable component to enterprise security, yet checking the boxes is not enough. Companies also need real-time monitoring and security operations for effective incident prevention, detection, and response.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/22/2014 | 11:19:56 AM
Are you saying that you've got the best of both worlds, Paul? No worries about regulators bearing down but a good set of processes and controls in place? Curious to know if you think your risk management posture has deterioriated at all now that you're not subject to those rigorous regs?  Tell us what's still working and what's falling short... 
User Rank: Apprentice
1/22/2014 | 10:21:10 AM
HIPPA Compliant
First of all, great article. People in the enterprise industry need to know how at risk they are and what new guidelines they need to follow under the HIPAA act and you laid that out perfectly. 
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/22/2014 | 9:21:06 AM
Re: Does Compliance Help or Hurt
That's a great question, ACM, and I'm looking forward to hearing Andy's and other community members response. IMO compliance regulations are a necessary evil. True, they can be overly complex and time consuming, not to mention a hefty cost for an organization. I also do not doubt that there are ways to game the system in a check-box audit. But if used effectively -- as a best practices tool to manage risk and protect an organization's data privacy and security --they will deter and detect serious abuse and damage. 

If I'm missing something, please let me know in the comments!
Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
1/22/2014 | 9:01:32 AM
Does Compliance Help or Hurt
Hi Andy,

Do you think compliance mandates, on the whole, are useful? On the one hand, compliance requirements can provide some security structure for companies, but on the other hand, organizations may focus more on checking boxes and satisfying auiditors instead of managing risk. I'm curious to get your take on this.
Gary Scott
Gary Scott,
User Rank: Strategist
1/21/2014 | 11:29:47 PM
HIPAA & GLBA Data Destruction Compliance
We are an IT recycling and data destruction company.  With the new HIPAA and HITECH regulations, most of our new business comes from onsite hard drive destruction whereas before it was IT recycling.

Organizations and data centers are now seeing value in the NAID Certification and onsite data destruction.

Page 1 / 2   >   >>

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-02-03
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be triggered by an unauthenticated attacker in the default configuration; however, the vulnerability discoverer reports that "exploiting thi...
PUBLISHED: 2023-02-03
sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct buffer size. This is unrelated to CWE-676. It may write beyond the bounds of the destination buffer when attempting to write a padded, thousands-separated string representation of ...
PUBLISHED: 2023-02-03
An issue in NoMachine before v8.2.3 allows attackers to execute arbitrary commands via a crafted .nxs file.
PUBLISHED: 2023-02-03
vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are...
PUBLISHED: 2023-02-03
All versions prior to Delta Electronic’s CNCSoft version 1.01.34 (running ScreenEditor versions 1.01.5 and prior) are vulnerable to a stack-based buffer overflow, which could allow an attacker to remotely execute arbitrary code.