Compliant does not equal protected: our false sense of security

Being compliant does not mean your organization is safe, nor does it mean that your organization is immune to repercussions at the hands of a data breach

It is no surprise that cybersecurity threats have risen to the top of the list of concerns for IT staff and even members of the C-Suite. With each new wave of breach incidents, lawmakers and regulators are exploring ways to create new compliance requirements or enhancing existing ones.

The first half of October 2015 alone is proof of this. California Gov. Jerry Brown signed three new cybersecurity bills into law setting specific encryption standards, expanding the definition of personal information and requiring breach notifications to contain certain language. And the highest European Union court struck down the safe harbor provisions shared with the United States that allowed the transfer of personal information of EU citizens over such web sites as Google and Facebook.

Ask the average person on the street which cybersecurity rules first come to mind, and you will probably hear “HIPAA,” short for the Health Insurance Portability and Accountability Act of 1996. As one of the oldest and most clearly defined data security measures in the US, this is certainly understandable. Probably less well known is that it took the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 to amend many HIPAA provisions and turn the law into one of today’s leading models of privacy regulation.

Under HIPAA/HITECH jurisdiction, organizations are now required to prove compliance in order to avoid both regulatory oversight and levied fines. More importantly, healthcare providers are now required to affirmatively and very publicly report breach incidents whenever authorized possessors of protected health information lose control of such data.

Having regulatory compliance laws in place helps hold organizations accountable and clearly places the onus on organizations to protect the sensitive data they store. So, with regulatory compliance standards in place, does this translate into healthcare organizations being better protected than those in other industries? Not necessarily.

If anything, cybercriminals seem to be more motivated than ever. According to a recent Ponemon Institute study, 91 percent of healthcare organizations have suffered at least one data breach in the past two years. How can one of the most heavily regulated industries with respect to data breaches be such a constant and fruitful target for attack?

Fulfilling regulatory checklists may spare you from government-issued oversight and fines, but it does not exempt you from other consequences, including business disruption, lawsuits, reputation damage, or public outrage. Compliant or non-compliant, these are all potential consequences of a data breach. It’s important to remember that being compliant does not mean your organization is safe, nor does it mean that your organization is immune to repercussions at the hands of a data breach.

The danger with this line of thinking is that, for many, compliance becomes synonymous with being protected. Understanding the difference ensures that compliance is not treated as the end goal: organizations must extend how they protect themselves beyond these basic requirements.

Of course, regulatory compliance is an important practice, and failure to comply can result in significant consequences. We’ve seen numerous cases where this form of corporate negligence has directly resulted in a data breach. A common example is the loss or misplacement of an endpoint or of unencrypted data; this was the case with the high-profile Anthem breach from earlier this year. While these forms of breaches occur regularly, we often ignore cases where organizations upheld compliance requirements and were still victims of attack.

Compliance is, and should be treated as, a baseline standard: a minimum requirement level we all need to fulfill in order to not have the book thrown at us. Regulations like HIPAA/HITECH are important and valuable measures to have in place; however, these kinds of one-size-fits-all regulations should not be treated as comprehensive guidelines. Doing so creates a false sense of security.


As cyberattacks increasingly threaten both corporate and public well-being, it’s critical that organizations be in control of their data. From proactive monitoring and reporting to detection and response procedures, deploying a layered approach to security that extends beyond “good-enough” protection is the most effective strategy to keep sensitive information private and ultimately avoid legal and financial consequences.

Copyright © 2015 IDG Communications, Inc.
