Sponsored

Privacy & Security

How do I make compliance easier?

A smarter approach to PCI & HIPAA compliance.
December 20, 2016
12:05 PM

By Kurt Hagerman, CISO, Armor

Compliance can be complicated. The requirements. The controls. The audits. The effort. There are so many components to consider and manage. Often, one of the first items on a company’s wish list is a request to make compliance easier.

So, why do so many organizations make compliance more expensive and complicated than it needs to be — all on their own? Let me explain.

Coordinate your efforts — across all departments
Often, in their eagerness to make sure the most knowledgeable staff members are handling compliance, organizations will assign different departments to oversee various aspects of the compliance project.

For example, the IT department may handle PCI DSS compliance, while HR oversees HIPAA. Sarbanes-Oxley Act (SOX) or other financial regulations may be managed by the finance or accounting departments. This sounds like a logical arrangement to the organization, as these departments have team members with the expertise and daily responsibilities to implement the right processes.

The problem? These compliance silos don’t efficiently communicate or coordinate with each other. While regulations like HIPAA and PCI do have many differences, they also share considerable commonalities.

Remember, compliance is about security — and the same security practices that protect cardholder data can often protect healthcare and patient data. But because these departments aren’t in sync, the organization misses opportunities to streamline processes and cut expenses.

Instead, they replicate programs, buy duplicate tools and spend untold hours covering territory and collecting data that’s already been covered by someone else within the organization.

Avoid redundant compliance process
Here’s how this plays out. Accounting, IT and HR handle compliance for SOX, PCI and HIPAA, respectively. IT and HR both discover a need for file monitoring.

Naturally, both submit a request for tools, and the company spends double what is required. This dynamic goes to the next level, when the organization decides to drive their security program based on compliance, and incurs more duplicate processes, tools and software, along with unnecessary spending.

If you think this sounds like an enormous waste of time and budget, you’re right.

Take a holistic approach to compliance
The solution: organizations must step back and look at compliance across the board. By taking a holistic view of its entire security program, the organization can ensure its security and risk management controls address all specific requirements of all relevant institutions.

Not only does this help eliminate duplicate controls, spending and efforts, it combines internal audits to reuse evidence for your compliance audits.

A unique approach to compliance
An example of creating efficiencies is aligning compliance audits to a single cycle to accomplish multiple compliance reporting requirements.

We’ve found there is an extensive overlap between PCI and HIPAA alone; roughly 80 percent of our compliance controls and processes apply to both regulations. By aligning our audits, we can leverage one auditor to write two different reports; saving us time and money and also reducing the impact on our operational departments.

Has any of this sounded like something that happens in your organization? If so, you may be making compliance more complicated than needed. Get started today and look at how you can move away from silos and into an integrated and efficient compliance approach.

After all, building a strong security program and meeting compliance requirements is arduous enough. Any improvements you can make to trim costs and simplify your processes is always a good thing.

Security vs. Compliance
Security Health Check
Security Health Check
Objectives and Challenges in Defending Healthcare Data
How to Become HITRUST CSF-Certified
How to Become HITRUST CSF-Certified
Top Five Compliance Mistakes in Healthcare IT

Additional Resources

Whitepaper cover.
HIPAA-Compliant Cloud: Avoid the 7 Deadly Sins
Whitepaper cover.
Simplifying Security for Software-as-a-Service
Six Steps to A Better Security Strategy
A Guide to HIPAA Compliance and Risk Management
Investing in Top-Down Security to Build a Compliant Business
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

VA building signage
House passes veterans healthcare package without RESET Act

Most Read

Particle Health files antitrust suit against Epic
Choosing a managed IT service for aged care
ASTP intros 2024 draft Federal FHIR Action Plan
CrowdStrike all but assures Capitol Hill: Never again
Korea's largest hospital bags APAC's first Stage 6 of new INFRAM
Sens. Warner & Wyden seek healthcare cybersecurity mandates in new bill

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

More Stories

BJ Schaknowski of symplr
Too many IT systems with limited alignment impacts care quality
Doctor in scrubs using computer
Tenet to deploy AI platform across its physician network
Healthcare CIO with other healthcare executives
Health system CIOs' strategic responsibilities continue to evolve
George Pappas at Intraprise Health_Digital shield and lock Photo by da-kuk/Getty Images
Tighter cyber mandates hold New York providers to higher security standards
Clinicians look at diagnostic imaging
American College of Radiology launches AI quality registry
A doctor with glasses sits at a desk and speaks during a telehealth visit.
DEA and HHS extend virtual prescribing for controlled substances through 2025
Dr. Jay Anders at Medicomp Systems_Computer chip with stethoscope Photo by Just_Super/iStock/Getty Images Plus
Transparency and responsible AI are crucial for medical devices
George Pappas of Intraprise Health on cybersecurity
How to protect telemedicine from cyberattacks