Sponsored

Privacy & Security

How do I make compliance easier?

A smarter approach to PCI & HIPAA compliance.
December 20, 2016
12:05 PM

By Kurt Hagerman, CISO, Armor

Compliance can be complicated. The requirements. The controls. The audits. The effort. There are so many components to consider and manage. Often, one of the first items on a company’s wish list is a request to make compliance easier.

So, why do so many organizations make compliance more expensive and complicated than it needs to be — all on their own? Let me explain.

Coordinate your efforts — across all departments
Often, in their eagerness to make sure the most knowledgeable staff members are handling compliance, organizations will assign different departments to oversee various aspects of the compliance project.

For example, the IT department may handle PCI DSS compliance, while HR oversees HIPAA. Sarbanes-Oxley Act (SOX) or other financial regulations may be managed by the finance or accounting departments. This sounds like a logical arrangement to the organization, as these departments have team members with the expertise and daily responsibilities to implement the right processes.

The problem? These compliance silos don’t efficiently communicate or coordinate with each other. While regulations like HIPAA and PCI do have many differences, they also share considerable commonalities.

Remember, compliance is about security — and the same security practices that protect cardholder data can often protect healthcare and patient data. But because these departments aren’t in sync, the organization misses opportunities to streamline processes and cut expenses.

Instead, they replicate programs, buy duplicate tools and spend untold hours covering territory and collecting data that’s already been covered by someone else within the organization.

Avoid redundant compliance process
Here’s how this plays out. Accounting, IT and HR handle compliance for SOX, PCI and HIPAA, respectively. IT and HR both discover a need for file monitoring.

Naturally, both submit a request for tools, and the company spends double what is required. This dynamic goes to the next level, when the organization decides to drive their security program based on compliance, and incurs more duplicate processes, tools and software, along with unnecessary spending.

If you think this sounds like an enormous waste of time and budget, you’re right.

Take a holistic approach to compliance
The solution: organizations must step back and look at compliance across the board. By taking a holistic view of its entire security program, the organization can ensure its security and risk management controls address all specific requirements of all relevant institutions.

Not only does this help eliminate duplicate controls, spending and efforts, it combines internal audits to reuse evidence for your compliance audits.

A unique approach to compliance
An example of creating efficiencies is aligning compliance audits to a single cycle to accomplish multiple compliance reporting requirements.

We’ve found there is an extensive overlap between PCI and HIPAA alone; roughly 80 percent of our compliance controls and processes apply to both regulations. By aligning our audits, we can leverage one auditor to write two different reports; saving us time and money and also reducing the impact on our operational departments.

Has any of this sounded like something that happens in your organization? If so, you may be making compliance more complicated than needed. Get started today and look at how you can move away from silos and into an integrated and efficient compliance approach.

After all, building a strong security program and meeting compliance requirements is arduous enough. Any improvements you can make to trim costs and simplify your processes is always a good thing.

Security vs. Compliance
Security Health Check
Security Health Check
Objectives and Challenges in Defending Healthcare Data
How to Become HITRUST CSF-Certified
How to Become HITRUST CSF-Certified
Top Five Compliance Mistakes in Healthcare IT

Additional Resources

Whitepaper cover.
HIPAA-Compliant Cloud: Avoid the 7 Deadly Sins
Whitepaper cover.
Simplifying Security for Software-as-a-Service
Six Steps to A Better Security Strategy
A Guide to HIPAA Compliance and Risk Management
Investing in Top-Down Security to Build a Compliant Business
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Cybersecurity experts John Riggi and Richard Staynings speak at the HIMSS Healthcare Cybersecurity Forum.
Majority of cyberattacks are through third-party vendors

Most Read

How AI is transforming cybersecurity, on defense and offense
Generative AI is this CISO's 'really eager intern'
HIMSSCast: Toward safer and more secure use of AI
Q&A: How redundancy enabled resilience after Crowdstrike outage
What providers need to know about migrating their EHR to the cloud
The Light Collective amplifies its call for patient data rights

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

More Stories

Doctor looks at a desktop computer screen in a medical office
Vendor AI Roundup: Enhanced EHR offerings designed to give practices a leg up
Dennis Chornenky at UC Davis Health_PART 1_AI in healthcare concept art Photo by Just_Super/E+/Getty Images
UC Davis Health's inaugural AI chief discusses the responsibilities of the role
Greg Garcia of HSCC at the HIMSS Healthcare Cybersecurity Forum
Work like 'a beehive, an ant colony' to protect against cyber intruders
Hands use a Medtronic device on a patient's hand to aid in testing pulse oximetry quality
Medtronic dismissed from pulse oximeter lawsuit, FDA still working on guidance
Elena Branche of Druid AI on AI
Cutting through the AI hype to ensure investments have impacts
Dr. Don Rucker at 1upHealth_Physician at laptop with medical data Photo by Tippapatt/iStock/Getty Images Plus
Looking under the hood of Medicare Advantage star ratings
Clinician reviews medical notes on a tablet
OpenAI's general purpose speech recognition model is flawed, researchers say
Oracle booth at HIMSS
New Oracle EHR promises AI-enabled reinvention