Sponsored

Privacy & Security

Security vs. Compliance

Navigating the three common compliance misconceptions.
December 13, 2016
10:43 AM

There’s one problem that surfaces again and again, regardless of which regulatory standard (e.g., HIPAA, PCI, etc.) we discuss: failing to understand the difference between compliance and security. Sometimes organizations think they’re the same thing; sometimes they get so consumed by complicated regulations that they stop focusing on security altogether.

As we often say, compliance does not equal security — it’s merely a snapshot of how your security program meets a specific set of security requirements at a given moment in time. Many organizations deemed “compliant” have suffered significant public breaches. In many cases, C-level officers lost their jobs and the companies committed to overhauling information security practices. Others have hired or announced the elevation of the chief information security officer (CISO) position.

What these businesses continue to learn — even years later — is that to truly protect sensitive data, both security and compliance are critical. Without a smart, thorough and active security program, coupled with a solid compliance plan, you’re at significant risk of being breached. This results in expensive fines, increased audits and brand damage.

To keep your cloud environment completely protected from the criminals targeting your data every day, you must build and manage an advanced security program that goes far beyond specific sets of compliance requirements.

Let’s look at the most common mistakes organizations make when it comes to understanding these two essential components.

Security and compliance are not the same

The most common misconception? Thinking compliance and security are one and same. In fact, they play different roles, both in your internal environment and your respective clouds.

Proper cybersecurity protects your information from threats by controlling how that information is used, consumed and provided. In comparison, compliance is a demonstration — a reporting function — of how your security program meets specific security standards as laid out by regulatory organizations such as HIPAA, PCI or the Sarbanes-Oxley Act.

‘Checking the box’ is enough

Another misperception: meeting compliance regulations will cover all security needs. This “checkbox” mentality is a surefire path to inadequate protection. Why? Because compliance corresponds to a set of specific requirements that change slowly, not the daily changes in the security landscape.

Relying on merely being compliant does not keep you secure. Compliance is simply ensuring that a specific set of requirements are in place (typically only once a year). A proper security program keeps you safe. Meeting compliance requirements typically results in a minimal baseline of protection — the IT equivalent of earning a C grade.

To truly safeguard against sophisticated threats, you must elevate security and develop an overarching approach in which all the controls mesh with each other to create a cohesive, multilayered web of security. This simply isn’t something that satisfying a regulatory standard can provide.

Compliance Is not your blueprint

The third mistake is using compliance requirements as a blueprint for building a security program. Granted, some standards like PCI are fairly prescriptive. Others, like HIPAA, are much less prescriptive, asking organizations to start with a risk assessment, which drives more of a security posture.

An effective cybersecurity program should be built from the ground up and be based on the organization’s needs. Focusing on compliance first is putting the virtual cart before the horse. Compliance should be a byproduct of a solid security program, not the source of it.

Guidance on using security to be compliant

Now that critical differences between compliance and security are clear, you’ll understand why it’s just as important to make sure your cybersecurity provider is covering both sufficiently.

  • Ask questions. Not all providers deliver the same level and caliber of services; some providers supply only the bare minimum of security controls to address compliance. This means you must ask the right questions while evaluating providers.
  • Demo time. Look for an independently validated provider that conducts its own audits and can show you clear and thorough documentation that demonstrates how it can help you meet your security and compliance needs.
  • Multilayered security. If the provider’s security depends on one device or method, it only takes a single compromise for your entire environment to be at risk.
  • Honest and upfront. Finally, you want a provider that is completely transparent and can tell you exactly how your environment is being protected.

Remember, compliance does not equal security. Investing in a proper, thorough and ongoing cybersecurity strategy now will make future compliance audits easier, save money in the long term and protect your data, business and brand.

How do I make compliance easier?
Security Health Check
Security Health Check
Objectives and Challenges in Defending Healthcare Data
How to Become HITRUST CSF-Certified
How to Become HITRUST CSF-Certified
Top Five Compliance Mistakes in Healthcare IT

Additional Resources

Whitepaper cover.
HIPAA-Compliant Cloud: Avoid the 7 Deadly Sins
Whitepaper cover.
Simplifying Security for Software-as-a-Service
Six Steps to A Better Security Strategy
A Guide to HIPAA Compliance and Risk Management
Investing in Top-Down Security to Build a Compliant Business
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Cybersecurity experts John Riggi and Richard Staynings speak at the HIMSS Healthcare Cybersecurity Forum.
Majority of cyberattacks are through third-party vendors

Most Read

How AI is transforming cybersecurity, on defense and offense
Generative AI is this CISO's 'really eager intern'
HIMSSCast: Toward safer and more secure use of AI
Q&A: How redundancy enabled resilience after Crowdstrike outage
What providers need to know about migrating their EHR to the cloud
The Light Collective amplifies its call for patient data rights

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

More Stories

Doctor looks at a desktop computer screen in a medical office
Vendor AI Roundup: Enhanced EHR offerings designed to give practices a leg up
Dennis Chornenky at UC Davis Health_PART 1_AI in healthcare concept art Photo by Just_Super/E+/Getty Images
UC Davis Health's inaugural AI chief discusses the responsibilities of the role
Greg Garcia of HSCC at the HIMSS Healthcare Cybersecurity Forum
Work like 'a beehive, an ant colony' to protect against cyber intruders
Hands use a Medtronic device on a patient's hand to aid in testing pulse oximetry quality
Medtronic dismissed from pulse oximeter lawsuit, FDA still working on guidance
Elena Branche of Druid AI on AI
Cutting through the AI hype to ensure investments have impacts
Dr. Don Rucker at 1upHealth_Physician at laptop with medical data Photo by Tippapatt/iStock/Getty Images Plus
Looking under the hood of Medicare Advantage star ratings
Clinician reviews medical notes on a tablet
OpenAI's general purpose speech recognition model is flawed, researchers say
Oracle booth at HIMSS
New Oracle EHR promises AI-enabled reinvention