At Odds?
Christopher Paidhrin, IS security and HIPAA compliance officer for Southwest Washington Medical Center of Vancouver, is a strong believer in technical controls to enforce security and maintain regulatory compliance.
To ensure patient information remains confidential and secure, whenever a nurse or a health care provider takes patient information on their notebook, the information is encrypted at logoff or when the system times out, Paidhrin explains. And if they forget their pass phrase, the system's hard drive locks after three tries.
"We want the staff to be able to take advantage of the productivity and convenience provided by technology, but we don't want any loss incidents that other hospitals and government agencies have suffered recently," he says. "Keeping that information encrypted when it's not in use is a way to do just that."
It shows that compliance and security don't need to be at odds.
Few know this better than Edward Sarama, corporate chief security officer at Checkfree Corp. While compliance efforts have certainly added organizational layers to his security program, and increased attention from customers regarding the company's security initiatives, none of this has weakened the company's focus on risk mitigation, he says.
"We always had security questionnaires from our customers inquiring about the security we have in place, but now we get explicit questionnaires to the tune of 50-plus pages of information that we have to fill out.... It is kind of a checkpoint as to what we are doing or what they feel we need to be doing," he says.
Those questionnaires are backed up by more conference calls with auditing and compliance teams to further discuss the responses. "It's not much of a security burden, but requires additional resources and expenses. We already had a lot of the controls in place. So it wasn't that big a deal for management; it just was an additional expense that we had to account for," says Sarama. "It's just a part of business today. It's about keeping compliance and security controls in sync with your overall policies and efforts."
Not all companies have kept that focus, and some have fallen into the trap of focusing on regulatory compliance for compliance's sake, says Brody.
"In many areas, it's become more of a compliance drill. There's a lot of emphasis on generating paper and controls that get to compliance, but not a lot of emphasis on putting the technologies in place that get you secure," he says, adding that he finds technical controls much more infallible than organizational policies and operational controls because of the human element involved in enforcement.
It's vital that security managers don't allow their organizations to lose sight of the ultimate goal.
"The desired end state should be a secure environment--and that'll get you a long way toward compliance," Freese says. "Security practitioners should always be thinking, and keeping their organization focused, on those terms."