HIPAA Omnibus Rule, PPACA challenge enterprise compliance management
31 May 2013 | SearchSecurity.com
WELLESLEY, Mass. -- For information security professionals, compliance-related tasks have often proved to be a trying yet necessary part of the job. However, Thursday at the MassBay Community College Information Security Summit, a panel of information security experts said new compliance mandates are making practitioners' jobs even harder.
One thing I've learned is you can't storm into the CIO's office with a print out of legislation and say, 'This is something we need to do.'
IT director of regulatory management and compliance, Fresenius Medical Care
During a discussion on compliance and risk management, Natalie Kmit, an IT security services consultant with Framingham, Mass.-based consultancy Towerwall Inc., said the most recent compliance game-changer is the new Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule. Released in January, the rule stipulates that as of Sept. 23, not only will more stringent requirements for "business associates" of HIPAA-compliant organizations take effect, but it will also require breach notification when a covered entity or business associate experiences an impermissible use or disclosure of protected health information.
Kmit said the HIPAA Omnibus Rule has broadened the definition of a business associate, encompassing a variety of subcontractor organizations that weren't previously included. She said this has created more work for subcontractors, as well as for the covered entities managing them.
"Many of my clients are small and midsized businesses, and so it's about finding a way to stay within budget to do what's necessary," Kmit said. "Even to understand the 563-page piece of legislation is, I would say, very challenging."
Kevin Burns, the chief information security officer for the Commonwealth of Massachusetts, said his newest compliance headache is the Patient Protection and Affordable Care Act (PPACA), commonly known as Obamacare. His organization is involved with the state's preparations for the looming Oct. 1, 2013 launch of the state-based health care exchanges, through which individuals can seek to purchase subsidized health insurance.
"We have had a number of auditors coming in to ensure our [data security] controls are in place so all that private health care data doesn't get lost," Burns said.
He said the state has already been subject to two PPACA audits, and additional audits are underway.
"There's a large challenge with trying to keep up with the timeframe of having the systems in place by Oct. 1 and making sure all our controls are robust," Burns added.
Burns also said the Payment Card Industry Data Security Standard (PCI DSS) has become a top compliance challenge for the many state agencies he supports. Since so many of them accept payment cards, he said PCI DSS compliance assessments must be conducted annually, and managing that process with a limited staff is an ongoing challenge.
"How we're saving some funds is by internally developing [our] staff" to support PCI compliance, Burns said, "and [we're] challenging the vendors that do the reviews to bring their prices down."
Beyond the complexities of complying with any particular mandate, arguably the biggest compliance-related burden is the sheer number of regulations and standards organizations now deal with. Kmit said many of her customers operate globally, and hence must comply with hundreds of laws, regulations and even cultural expectations regarding security and privacy.
"The U.S. takes a more siloed approach to regulations; there are 46 states that have their own regulations" that touch information security, Kmit said. When working with clients, she said she recommends they adopt an information security framework that's flexible enough to address multiple compliance regulations with one standardized set of controls.
Steven Beaudrot, IT director of regulatory management and compliance for Waltham, Mass.-based Fresenius Medical Care, said compliance success requires buy-in among business managers and stakeholders. However, he stressed the importance of a careful approach as opposed to using fear, uncertainty and doubt.
"One thing I've learned is you can't storm into the CIO's office with a print out of legislation and say, 'This is something we need to do,'" Beaudrot said. "You need to break it down and apply it to the organization you're in, and put it in the perspective of your customers."
Fortunately, the panelists agreed that key business stakeholders today understand the importance of enterprise compliance management much more than they generally did just a few years ago, thanks in part to the numerous high-profile security incidents that have taken place in recent years.
Burns said the recent South Carolina Department of Revenue breach got the attention of data owners in the Massachusetts state government. However, he said many officials feel torn between the need to secure data and provide citizens with better online data access.
"Constituents want faster access to data online, but want it secured," Burns said. "Those same constituents have no problems sharing login info with significant others who use those credentials to access benefits. The challenges are ridiculous, but we have to understand the dynamics of what's going on."
Despite the many challenges, Kmit said it's important to remember that compliance is an ongoing journey, not a destination.
"You're never 100% compliant on everything, or secure, but as long as you understand what you need to do and where you stand in terms of achieving those goals, and have a plan in place to move toward compliance, that makes a huge difference with auditors," Kmit said. "It's important to show that due diligence and due care."