Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
HIPAA, SOX & PCI: The Coming Compliance Crisis In IT Security
Threaded  |  Newest First  |  Oldest First
PaulS681
PaulS681,
User Rank: Apprentice
1/21/2014 | 6:01:45 PM
SOX
 

The company I work for went from Private to public and back to private again. Those public years we had to comply with SOX and it was a pain. We were audited every quarter although I think the dropped the IT stuff to twice a year. Now we are private again and no more SOX! I will say that SOX did make us look at our controls and helped us in that regard. SOX is no longer looking at us but the controls stay in place.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/22/2014 | 11:19:56 AM
Re: SOX
Are you saying that you've got the best of both worlds, Paul? No worries about regulators bearing down but a good set of processes and controls in place? Curious to know if you think your risk management posture has deterioriated at all now that you're not subject to those rigorous regs?  Tell us what's still working and what's falling short... 
Gary Scott
Gary Scott,
User Rank: Strategist
1/21/2014 | 11:29:47 PM
HIPAA & GLBA Data Destruction Compliance
We are an IT recycling and data destruction company.  With the new HIPAA and HITECH regulations, most of our new business comes from onsite hard drive destruction whereas before it was IT recycling.

Organizations and data centers are now seeing value in the NAID Certification and onsite data destruction.

 
Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
1/22/2014 | 9:01:32 AM
Does Compliance Help or Hurt
Hi Andy,

Do you think compliance mandates, on the whole, are useful? On the one hand, compliance requirements can provide some security structure for companies, but on the other hand, organizations may focus more on checking boxes and satisfying auiditors instead of managing risk. I'm curious to get your take on this.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/22/2014 | 9:21:06 AM
Re: Does Compliance Help or Hurt
That's a great question, ACM, and I'm looking forward to hearing Andy's and other community members response. IMO compliance regulations are a necessary evil. True, they can be overly complex and time consuming, not to mention a hefty cost for an organization. I also do not doubt that there are ways to game the system in a check-box audit. But if used effectively -- as a best practices tool to manage risk and protect an organization's data privacy and security --they will deter and detect serious abuse and damage. 

If I'm missing something, please let me know in the comments!
Andy Daudelin
Andy Daudelin,
User Rank: Apprentice
1/22/2014 | 12:09:31 PM
Re: Does Compliance Help or Hurt
Drew - It's not an either/or situation. Today's businesses are challenged with adhering to regulatory compliance requirements and managing risk while meeting business objectives. As you mentioned, compliance requirements can help companies develop useable frameworks and policies. But you can pass an audit and still be vulnerable to an attack. Compliance will remain an unavoidable component to enterprise security, yet checking the boxes is not enough. Companies also need real-time monitoring and security operations for effective incident prevention, detection, and response.
Rhallowell
Rhallowell,
User Rank: Apprentice
1/22/2014 | 10:21:10 AM
HIPPA Compliant
First of all, great article. People in the enterprise industry need to know how at risk they are and what new guidelines they need to follow under the HIPAA act and you laid that out perfectly. 
ecobb951
ecobb951,
User Rank: Apprentice
1/22/2014 | 1:25:52 PM
Hipaa Compliance Solutions
Yes, HIPAA can be a pain in the ass, but it is critical to our medical system and keeping data secure. There are lots of network systems that are set-up for HIPAA, and can handle HIPAA, SOX and PCI changes without much of a problem.


The real issues I think are going to crop up in BYOD policy. There, the solution are more difficult, and have a very wide range of possabilities.

A good example is that we have a BYOD policy that limits mobile data transfers to that of a HIPAA compliant text and file transfer app (TigerText) that we install on all our staff's phones. It is through this policy and app that we are able to keep our staff patient data communication secure and compliant, without making it a burned of very costly.

A good example of a BYOD policy is here:

http://www.hipaatext.com/wp-content/uploads/2013/03/BYOD-Policy-20130213.pdf
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/23/2014 | 11:54:50 AM
Re: Hipaa Compliance Solutions -- BYOD
Thanks for posting that example policy ecobb951. I'm curious to know how your staff has reacted to the requirements? Are you getting any pushback? Is it hard to enforce?
ecobb951
ecobb951,
User Rank: Apprentice
1/23/2014 | 6:10:42 PM
Re: Hipaa Compliance Solutions -- BYOD
The best way to deal with any pushback on a BYOD policy or any policy or security change is through education. It was not enough to change or implement a BYOD policy. Once that was done, we then had to deal with the compliance reality - just because you have a policy, doesn't mean people will follow it.

The Key to a successful BYOD policy is education. We had to do a 15 minute training with all the staff to explain the policy, and why we need it, as well as explain the relationship with our own HIPAA compliance. Once the training was done, we saw a dramatic rise in compliance to the BYOD policy and this was measured by the dramatic increase in the use of the HIPAA compliant messaging app (TigerText) that was built into our policy.

Can't stress how important the training of staff is to the success of a BYOD policy, or any policy.
Also, if you are looking for a good 'train the trainer' program to help set-up a successful BYOD policy training program, I suggest contacting PrepMasters.com

Concerning enforcement, we have our trainers do training updates and testing to make sure the policy is known and used. She also does random checks in the workspace.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/24/2014 | 8:06:35 AM
Re: Hipaa Compliance Solutions -- BYOD
There is a lot of talk about the effectiveness (or lack of effeciiveness ) of user education, but you hit the nail on the head when you tie it tightly together with a policy like BYOD. I also really like your approach to training the user, training the trainer, and random checks to keep users vigilant. Thanks for sharing!


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Creating an Effective Incident Response Plan
Security teams are realizing their organizations will experience a cyber incident at some point. An effective incident response plan that takes into account their specific requirements and has been tested is critical. This issue of Tech Insights also includes: -a look at the newly signed cyber-incident law, -how organizations can apply behavioral psychology to incident response, -and an overview of the Open Cybersecurity Schema Framework.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-4194
PUBLISHED: 2022-11-30
Use after free in Accessibility in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
CVE-2022-4195
PUBLISHED: 2022-11-30
Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to bypass Safe Browsing warnings via a malicious file. (Chromium security severity: Medium)
CVE-2022-4175
PUBLISHED: 2022-11-30
Use after free in Camera Capture in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2022-4176
PUBLISHED: 2022-11-30
Out of bounds write in Lacros Graphics in Google Chrome on Chrome OS and Lacros prior to 108.0.5359.71 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via UI interactions. (Chromium security severity: High)
CVE-2022-4177
PUBLISHED: 2022-11-30
Use after free in Extensions in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install an extension to potentially exploit heap corruption via a crafted Chrome Extension and UI interaction. (Chromium security severity: High)