Could HITRUST CSF be the PCI equivalent for the healthcare industry?

Posted by Court Little on Mon, Feb 22, 2010 @ 09:42 AM
Information security in business is far more often reactive than proactive, and compliance has historically been worse. Publishing a standard or regulation by itself has had little effect. Firms rarely take the steps needed to become compliant until they, or a peer in their own industry, are penalized by regulators, or until the industry itself starts sanctioning organizations that fail to meet the requirements.

Take PCI compliance. Credit card theft and cybercrime were widely known long before Visa and the other card brands created their own cardholder data security programs. Even after those programs had been in place for more than three years, merchants did not take them seriously until the card brands began levying fines and sanctions. Love it or hate it, there is no doubt that PCI compliance has raised the security baseline for every merchant that accepts credit cards.

HIPAA, which has technically existed since 1996, did not really take hold until the early 2000s. In fact, few organizations bothered to demonstrate compliance until April 2003, the compliance deadline for the HIPAA Privacy Rule, after which penalties could be assessed. The problem with HIPAA was that its requirements were vague and open to interpretation, both by the covered entities themselves and by the third-party consultants selling "HIPAA audits". With the passage of HITECH in 2009, HIPAA finally has some teeth: the updated requirements are more specific, and both the incentives for compliance and the fines for non-compliance are clearly laid out.

Even with HITECH, a great deal of specificity is still missing, and that gap is where the HITRUST Alliance enters the picture. HITRUST's Common Security Framework (CSF) is the only security framework built specifically for healthcare that is intended for organizations of all sizes. Beyond being a strong aid for HITECH assessments, the CSF cross-references the leading standards and regulations, including PCI, ISO, NIST and CMS requirements, and HITRUST keeps adding state and federal regulations so that healthcare organizations can map their compliance obligations against a single framework. Just last week, for example, HITRUST released its update covering the Massachusetts data protection regulation, 201 CMR 17.00, for comment from the healthcare community.

One has to wonder whether HITRUST can be that impetus, that final push. Will it be the PCI of healthcare, enabling CISOs and security evangelists in U.S. healthcare organizations to win the support and commitment from management they need to better protect the sensitive data in their care? Time will tell, and I, for one, am excited to find out.
