HIPAA has been a hot topic lately -- certainly on all of our minds due to the HHS pilot program compliance audits
being performed this year. But HIPAA's security requirements, while high level, overlap with other mandates. How do we know whether we should invest in some sort of GRC or compliance management software product to help meet the objectives of multiple regulations without redundant work, or is simply focusing on one or two key industry frameworks an equally efficient (and potentially cheaper) approach?
It's certainly true that many compliance requirements overlap and that the security controls companies implement to meet one compliance obligation may, if properly implemented, also satisfy the requirements of other regulations. For example, a health clinic that builds a PCI DSS compliance program to protect the credit card data used for patient payments may find that it can leverage many of those same security controls to satisfy HIPAA compliance requirements to protect electronic protected health information (ePHI).
Ask the expert
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The key to making compliance and security programs as efficient as possible is to normalize compliance requirements. Instead of treating each regulation as a separate hurdle to overcome, spend some time mapping out the requirements of each regulation, and design security controls that meet each of them. For example, if you design a password policy that meets the myriad complex requirements of PCI DSS, you'll almost certainly find that it meets HIPAA compliance requirements as well.
Taking the time to map out the obligations at hand and cover them with a set of customized security controls will allow companies to spend less time worrying about specific mandates, and more time securing the environment. Depending upon the complexity of your environment, you may decide to purchase what's called a governance, risk and compliance (GRC) product, which helps automate this task. These products, however, are quite expensive, so you'll need to decide whether the investment is justified in your compliance environment. That's a whole separate topic of discussion, however, but it may be worth considering a GRC product if your organization complies with multiple regulations and/or standards, spends a great deal of time, money and effort on compliance, and yet still struggles to get the job done.
Dig deeper on IT Security Audits
Related Q&A from Mike Chapple, Enterprise Compliance
Should companies obtain U.S. security clearance to join the Enhanced Cybersecurity Services program? Mike Chapple offers his perspective.continue reading
Does a Web application security assessment termed 'compliance ready' seem too good to be true? Learn its role in an enterprise compliance program.continue reading
Learn how hiring the right PCI DSS-compliant service providers, especially payment services providers, can reduce your compliance burden.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.