 
 
 
 

September 1, 2011

 

Smart Money's on Compliance

ISACA Now

By Scott A. Rogerson, CISA, CAPM

With “uncertainty” and “cost efficiency” continuing to be top of mind for the foreseeable future, the need for a strong compliance environment grounded in the intent of the regulation has never been more critical. In many cases, it is the ability of your compliance environment to (1) mitigate the risk of a security or privacy breach occurring and (2) identify and react appropriately should one occur that gives an organization the confidence it needs to make key strategic decisions.

This is especially true in the healthcare setting, where the amount of regulation surrounding the security and privacy of patient information has continued to escalate since the 1996 US Health Insurance Portability and Accountability Act (HIPAA). This regulation, paired with other incentives for reporting required quality measures, often presents a conflict for providers. They frequently must choose between investing scarce resources to quickly strengthen their current compliance environment, or selecting a solution that satisfies both current and future regulations, together with the workforce training needed to use the systems’ full functionality. Only through investment in both their people and their technology will they be able to increase productivity and support effective compliance. Without an understanding of the current and future ramifications of noncompliance, the reporting incentives would seem to outweigh the benefit of compliance. However, once the financial and reputational risk that a breach attributed to “willful neglect” can inflict on a practice is understood, the analysis begins to tell a different story.

These regulations, too, carry a great deal of uncertainty, as many of the provisions adopted within HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) remain unclear. At the same time, enforcement of regulatory requirements has increased significantly and is likely to become even stronger in the coming years, given the recent announcement by the US Department of Health and Human Services of a $9.2 million Office for Civil Rights HIPAA Audit Protocol and Program Performance initiative.

Many organizations are turning this whirlwind of uncertainty to their advantage by solidifying their compliance environment and communicating a focus on trust to those whose data they maintain and to prospective customers. This has proven successful in the medical device industry, for example. Vendors who go “above and beyond” in ensuring adherence to regulations, despite the unclear regulatory environment, have proven invaluable to healthcare providers, who would love nothing more than a partner with whom to share the burden of compliance.

  

While the regulatory environment of the United States healthcare industry has frequently served as the springboard for discussing compliance decisions in times of regulatory uncertainty, similar requirements around the security and privacy of protected information can be found in many other industries and around the globe. Those of us working in the retail or financial space, where the processing of credit card information is of key importance, are continually trying to predict what the next revision of the Payment Card Industry Data Security Standard (PCI DSS) will reveal. Those operating in Europe, especially where data must be transferred between a member country and the United States, anxiously await guidance from the European data protection authorities on their expectations and on how these may affect Safe Harbor self-certification. The question “What is required to be compliant?”, one we ask ourselves frequently, becomes even more complex as we wade through the various country-specific regulations designed to protect citizens from harm resulting from data mismanagement.

Evaluating your organization’s resource allocation to enhance compliance should be conducted in the same way as any capital budgeting project: by weighing the net present value generated by the project, including potential revenue generation and cost reduction, against the resources necessary to achieve that optimal state. Frameworks such as COBIT can aid in this process by providing a structure that ensures the full impact of your compliance options is considered.

In many cases, confidence that your automated and manual controls will allow you to maintain trust with your customers and meet both current and future compliance obligations provides the foundation necessary to keep innovating for what lies ahead. Achieving this means understanding not only the current requirements but also the intent behind them, and ensuring that every action the organization takes involving protected information reflects that intent. Focusing on these tenets allows for slight adjustments to your controls as clarity arrives, rather than a complete shift in direction, ultimately saving you resources.
