HIPAA has been a hot topic lately -- certainly on all of our minds due to the HHS pilot program compliance audits being performed this year. But HIPAA's security requirements, while high level, overlap with other mandates. How do we know whether we should invest in some sort of GRC or compliance management software product to help meet the objectives of multiple regulations without redundant work, or is simply focusing on one or two key industry frameworks an equally efficient (and potentially cheaper) approach?
It's certainly true that many compliance requirements overlap and that the security controls companies implement to meet one compliance obligation may, if properly implemented, also satisfy the requirements of other regulations. For example, a health clinic that builds a PCI DSS compliance program to protect the credit card data used for patient payments may find that it can leverage many of those same security controls to satisfy HIPAA compliance requirements to protect electronic protected health information (ePHI).
The key to making compliance and security programs as efficient as possible is to normalize compliance requirements. Instead of treating each regulation as a separate hurdle to overcome, spend some time mapping out the requirements of each regulation, and design security controls that meet each of them. For example, if you design a password policy that meets the myriad complex requirements of PCI DSS, you'll almost certainly find that it meets HIPAA compliance requirements as well.
Taking the time to map out the obligations at hand and cover them with a set of customized security controls will allow companies to spend less time worrying about specific mandates, and more time securing the environment. Depending upon the complexity of your environment, you may decide to purchase what's called a governance, risk and compliance (GRC) product, which helps automate this task. These products, however, are quite expensive, so you'll need to decide whether the investment is justified in your compliance environment. That's a whole separate topic of discussion, but it may be worth considering a GRC product if your organization complies with multiple regulations and/or standards, spends a great deal of time, money and effort on compliance, and yet still struggles to get the job done.
This was first published in July 2012