HIPAA has been a hot topic lately -- certainly on all of our minds due to the HHS pilot program compliance audits being performed this year. But HIPAA's security requirements, while high level, overlap with other mandates. How do we know whether we should invest in some sort of GRC or compliance management software product to help meet the objectives of multiple regulations without redundant work, or is simply focusing on one or two key industry frameworks an equally efficient (and potentially cheaper) approach?
It's certainly true that many compliance requirements overlap, and that the security controls a company implements to meet one obligation will often, if properly designed and documented, also satisfy the requirements of other regulations. For example, a health clinic that builds a PCI DSS compliance program to protect the credit card data used for patient payments may find that it can leverage many of those same security controls to satisfy HIPAA compliance requirements for protecting electronic protected health information (ePHI).
The key to making compliance and security programs as efficient as possible is to normalize compliance requirements. Instead of treating each regulation as a separate hurdle to overcome, spend some time mapping out the requirements of each regulation, and design a single set of security controls that satisfies all of them. For example, if you design a password policy that meets the myriad complex requirements of PCI DSS, you'll almost certainly find that it meets HIPAA compliance requirements as well. Keep the mapping itself as a written record: when an auditor for either regulation asks how a requirement is met, you want to be able to point directly to the control that covers it rather than reconstruct the reasoning.
Taking the time to map out the obligations at hand and cover them with a set of customized security controls will allow companies to spend less time worrying about specific mandates, and more time securing the environment. Depending upon the complexity of your environment, you may decide to purchase what's called a governance, risk and compliance (GRC) product, which helps automate this mapping and tracks the evidence behind it. These products, however, are quite expensive, so you'll need to decide whether the investment is justified in your compliance environment. That decision is a topic in its own right, but a GRC product may be worth considering if your organization must comply with multiple regulations and/or standards, spends a great deal of time, money and effort on compliance, and yet still struggles to get the job done.