HIPAA has been a hot topic lately -- certainly on all of our minds due to the HHS pilot program compliance audits being performed this year. But HIPAA's security requirements, while high level, overlap with other mandates. How do we know whether we should invest in some sort of GRC or compliance management software product to help meet the objectives of multiple regulations without redundant work, or is simply focusing on one or two key industry frameworks an equally efficient (and potentially cheaper) approach?
It's certainly true that many compliance requirements overlap and that the security controls companies implement to meet one compliance obligation may, if properly implemented, also satisfy the requirements of other regulations. For example, a health clinic that builds a PCI DSS compliance program to protect the credit card data used for patient payments may find that it can leverage many of those same security controls to satisfy HIPAA compliance requirements to protect electronic protected health information (ePHI).
Ask the expert
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The key to making compliance and security programs as efficient as possible is to normalize compliance requirements. Instead of treating each regulation as a separate hurdle to overcome, spend some time mapping out the requirements of each regulation, and design security controls that meet each of them. For example, if you design a password policy that meets the myriad complex requirements of PCI DSS, you'll almost certainly find that it meets HIPAA compliance requirements as well.
Taking the time to map out the obligations at hand and cover them with a set of customized security controls will allow companies to spend less time worrying about specific mandates, and more time securing the environment. Depending upon the complexity of your environment, you may decide to purchase what's called a governance, risk and compliance (GRC) product, which helps automate this task. These products, however, are quite expensive, so you'll need to decide whether the investment is justified in your compliance environment. That's a whole separate topic of discussion, but it may be worth considering a GRC product if your organization complies with multiple regulations and/or standards, spends a great deal of time, money and effort on compliance, and yet still struggles to get the job done.
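The mapping exercise described above, as an added illustration that is not part of the original answer: each control is tagged with the requirement IDs it satisfies, and the report shows which requirements remain uncovered and which controls do double duty across PCI DSS and HIPAA. The requirement citations are real section numbers with abbreviated wording, but the control names and tags are constructed for the example.

```python
"""Normalize overlapping compliance requirements into one control set (added example)."""

# Constructed sample: a few requirement IDs per framework. The PCI DSS v3.2.1
# and HIPAA citations are real section numbers; the wording is abbreviated.
REQUIREMENTS = {
    "PCI DSS": {
        "8.2.3": "passwords: minimum 7 characters, numeric and alphabetic",
        "8.2.4": "passwords: change at least every 90 days",
        "8.1.6": "lock out user after at most six failed attempts",
        "3.4": "render stored PAN unreadable",
    },
    "HIPAA": {
        "164.308(a)(5)(ii)(D)": "password management procedures",
        "164.312(a)(2)(iv)": "encryption and decryption of ePHI",
        "164.312(b)": "audit controls",
    },
}

# Constructed sample controls, each tagged with the requirements it satisfies.
CONTROLS = {
    "PWD-01 password policy": {"8.2.3", "8.2.4", "164.308(a)(5)(ii)(D)"},
    "ACC-02 account lockout": {"8.1.6"},
    "CRY-03 encrypt data at rest": {"3.4", "164.312(a)(2)(iv)"},
}


def uncovered_requirements(requirements=REQUIREMENTS, controls=CONTROLS):
    """Return {regulation: sorted requirement IDs that no control satisfies}."""
    satisfied = set().union(*controls.values())
    return {
        reg: sorted(rid for rid in reqs if rid not in satisfied)
        for reg, reqs in requirements.items()
    }


def shared_controls(requirements=REQUIREMENTS, controls=CONTROLS):
    """Return {control: sorted regulations} for controls serving two or more."""
    owner = {rid: reg for reg, reqs in requirements.items() for rid in reqs}
    result = {}
    for name, rids in controls.items():
        regs = sorted({owner[r] for r in rids if r in owner})
        if len(regs) > 1:
            result[name] = regs
    return result


if __name__ == "__main__":
    print("uncovered:", uncovered_requirements())
    print("controls serving multiple regulations:", shared_controls())
```

With the sample data, the only gap is HIPAA's audit controls requirement, which flags where a new control is needed rather than a duplicate of an existing one.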