Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

HIPAA, SOX & PCI: The Coming Compliance Crisis In IT Security
Threaded  |  Newest First  |  Oldest First
User Rank: Apprentice
1/21/2014 | 6:01:45 PM

The company I work for went from Private to public and back to private again. Those public years we had to comply with SOX and it was a pain. We were audited every quarter although I think the dropped the IT stuff to twice a year. Now we are private again and no more SOX! I will say that SOX did make us look at our controls and helped us in that regard. SOX is no longer looking at us but the controls stay in place.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/22/2014 | 11:19:56 AM
Are you saying that you've got the best of both worlds, Paul? No worries about regulators bearing down but a good set of processes and controls in place? Curious to know if you think your risk management posture has deterioriated at all now that you're not subject to those rigorous regs?  Tell us what's still working and what's falling short... 
Gary Scott
Gary Scott,
User Rank: Strategist
1/21/2014 | 11:29:47 PM
HIPAA & GLBA Data Destruction Compliance
We are an IT recycling and data destruction company.  With the new HIPAA and HITECH regulations, most of our new business comes from onsite hard drive destruction whereas before it was IT recycling.

Organizations and data centers are now seeing value in the NAID Certification and onsite data destruction.

Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
1/22/2014 | 9:01:32 AM
Does Compliance Help or Hurt
Hi Andy,

Do you think compliance mandates, on the whole, are useful? On the one hand, compliance requirements can provide some security structure for companies, but on the other hand, organizations may focus more on checking boxes and satisfying auiditors instead of managing risk. I'm curious to get your take on this.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/22/2014 | 9:21:06 AM
Re: Does Compliance Help or Hurt
That's a great question, ACM, and I'm looking forward to hearing Andy's and other community members response. IMO compliance regulations are a necessary evil. True, they can be overly complex and time consuming, not to mention a hefty cost for an organization. I also do not doubt that there are ways to game the system in a check-box audit. But if used effectively -- as a best practices tool to manage risk and protect an organization's data privacy and security --they will deter and detect serious abuse and damage. 

If I'm missing something, please let me know in the comments!
Andy Daudelin
Andy Daudelin,
User Rank: Apprentice
1/22/2014 | 12:09:31 PM
Re: Does Compliance Help or Hurt
Drew - It's not an either/or situation. Today's businesses are challenged with adhering to regulatory compliance requirements and managing risk while meeting business objectives. As you mentioned, compliance requirements can help companies develop useable frameworks and policies. But you can pass an audit and still be vulnerable to an attack. Compliance will remain an unavoidable component to enterprise security, yet checking the boxes is not enough. Companies also need real-time monitoring and security operations for effective incident prevention, detection, and response.
User Rank: Apprentice
1/22/2014 | 10:21:10 AM
HIPPA Compliant
First of all, great article. People in the enterprise industry need to know how at risk they are and what new guidelines they need to follow under the HIPAA act and you laid that out perfectly. 
User Rank: Apprentice
1/22/2014 | 1:25:52 PM
Hipaa Compliance Solutions
Yes, HIPAA can be a pain in the ass, but it is critical to our medical system and keeping data secure. There are lots of network systems that are set-up for HIPAA, and can handle HIPAA, SOX and PCI changes without much of a problem.

The real issues I think are going to crop up in BYOD policy. There, the solution are more difficult, and have a very wide range of possabilities.

A good example is that we have a BYOD policy that limits mobile data transfers to that of a HIPAA compliant text and file transfer app (TigerText) that we install on all our staff's phones. It is through this policy and app that we are able to keep our staff patient data communication secure and compliant, without making it a burned of very costly.

A good example of a BYOD policy is here:

Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/23/2014 | 11:54:50 AM
Re: Hipaa Compliance Solutions -- BYOD
Thanks for posting that example policy ecobb951. I'm curious to know how your staff has reacted to the requirements? Are you getting any pushback? Is it hard to enforce?
User Rank: Apprentice
1/23/2014 | 6:10:42 PM
Re: Hipaa Compliance Solutions -- BYOD
The best way to deal with any pushback on a BYOD policy or any policy or security change is through education. It was not enough to change or implement a BYOD policy. Once that was done, we then had to deal with the compliance reality - just because you have a policy, doesn't mean people will follow it.

The Key to a successful BYOD policy is education. We had to do a 15 minute training with all the staff to explain the policy, and why we need it, as well as explain the relationship with our own HIPAA compliance. Once the training was done, we saw a dramatic rise in compliance to the BYOD policy and this was measured by the dramatic increase in the use of the HIPAA compliant messaging app (TigerText) that was built into our policy.

Can't stress how important the training of staff is to the success of a BYOD policy, or any policy.
Also, if you are looking for a good 'train the trainer' program to help set-up a successful BYOD policy training program, I suggest contacting PrepMasters.com

Concerning enforcement, we have our trainers do training updates and testing to make sure the policy is known and used. She also does random checks in the workspace.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/24/2014 | 8:06:35 AM
Re: Hipaa Compliance Solutions -- BYOD
There is a lot of talk about the effectiveness (or lack of effeciiveness ) of user education, but you hit the nail on the head when you tie it tightly together with a policy like BYOD. I also really like your approach to training the user, training the trainer, and random checks to keep users vigilant. Thanks for sharing!

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.