
Tag Archives: Compliance

Data Breaches: How Safe is Your Private Information?

Privacy is so important that a quick Google search on “data privacy” shows the EU, US, UK, Australia, France and Germany all putting new laws in place or debating new privacy concerns to ensure personal data is kept safe.

That doesn’t, however, stop data breaches from occurring. As of February 18th, the Identity Theft Resource Center reported 93 breaches in 2014 with 1,879,313 records exposed in the US alone. On the other side of the pond, the NHS admitted that there is a risk of patient data being identified following the launch of a new central database. The high-profile Target incident, as well as other breaches involving protected health information (PHI), leaves you wondering: how safe is your private information?

Healthcare IT Priorities: Patient Data and Meeting Regulatory Requirements

The InformationWeek 2013 Healthcare IT Priorities survey showed that “more than 60% of health IT pros…cite managing digital patient data and meeting regulatory requirements among their top priorities, rating each a 5 on a 1-to-5 scale.”

The survey also highlighted that healthcare IT pros are struggling to keep pace with the change in the industry. One respondent said, “Most healthcare CIOs are supportive of the majority of the new functional requirements that are being forced on us. However, federal requirements are coming too many, too fast. … The rate of change is such that systems and changes are being implemented less than optimally.”

Another key point within the report is that “less than 15% of healthcare providers have qualified for federal subsidies based on meeting Meaningful Use requirements.” Not only are healthcare organizations struggling to keep up, but they are also losing out on incentive payments.

How can healthcare organizations keep patient data protected, meet regulatory requirements and comply with the Meaningful Use standards to receive subsidies?

SharePoint Security: Comments from the AIIM Survey

In the AIIM report SharePoint Security – A Survey on Compliance with Recommendations for Improvement, author David Jones asked respondents whether they had any general comments to make about their compliance and information security issues. They had a lot to say. We’ve compiled eight responses that caught our attention and provided some commentary on each:

1. “Even though governance is established, compliance is faulty and monitoring is sketchy at best.”

2. “If you want compliance don’t use SharePoint.”

Content compliance and monitoring do not need to be faulty or sketchy. SharePoint can absolutely offer secure collaboration and compliance with the right tools in place. The points below offer a close look at some of the steps and solutions that can assist you.

3. “After migrating content it is difficult to retroactively apply rules.”

Many will face the migration obstacle as they move to SharePoint 2010/2013 or hybrid environments. What’s important here is that organizations can take proactive steps to clean and check content against compliance requirements both before and after migration, regardless of where the content resides. Using third-party solutions, compliance and security policies can be applied to scan all the content within the platform. Some policies will be based on regulatory and industry standards, while others will be custom to the requirements of a specific organization. Rules can be set up to determine what happens when confidential or regulated content is discovered: restricting access to it and controlling what actions can be taken with it. This helps ensure that all content in SharePoint, whether new or old, is compliant with policy. Adding security around sensitive content reduces organizational risk and the threat of breaches.

4. “Currently taking a cautious approach until third party tools are in place.”

5. “As with many organizations that are using SharePoint, we know/understand the current and potential risks associated with it, but are still in the process of trying to “get our hands around it” from an organization/enterprise perspective.”

Securing SharePoint can be a mammoth task, and trying to secure it without content compliance and security solutions is close to impossible. Third-party solutions for automated, content-aware compliance and security for SharePoint help you reduce risk while also maximizing your collaboration investment.

6. “Our organization lacks understanding of what’s actually in SharePoint, from a sensitive/regulated information perspective.”

The best thing about SharePoint is that you can put anything in it, and the worst thing about SharePoint is that you can put anything in it. Organizations need to balance an increasingly social, collaborative environment with meeting regulatory requirements. Many SharePoint sites seem to be a Wild West of unstructured content. But there are solutions that can audit your site content to help you identify and secure sensitive and regulated information, helping you rein in compliance.

7. “Committing resources to tighten and maintain proper security requires a major, visible commitment from upper management to initiate and maintain the effort and incorporate it into the corporate culture.”

There are a lot of important take-aways from this comment. There is absolutely a need for management buy-in and engagement when implementing proper SharePoint security, but that is too much to cover in one blog post. The emphasis should be on making compliance and security a seamless part of corporate culture. Training takes time, and relying on staff to remember all the rules opens you up to those dreaded “whoops” moments. Using solutions that monitor content for compliance issues, and so take the onus off the individual, is the best way to ensure policies are enforced. After all, balancing the need to collaborate with the need to maintain SharePoint security is essential to reducing organizational risk. Read how policy management can impact corporate culture.

8. “Compliance, security and record retention are must haves for us.”

This is the ultimate comment, because compliance and security are must-haves for all organizations using SharePoint. Effective compliance means not only having a governance strategy in place, but also being able to manage risk by identifying issues and potential violations, with a process in place for resolution and fine-tuning. The most effective method for managing compliance and security risk in SharePoint is to protect sensitive information at the file level using automated solutions for classification, encryption and content restriction. To better protect your organization, consider how automated compliance and security products can remove some of the vulnerabilities and the human diligence required to maintain SharePoint content security over the longer term.

Read more findings from the report including recommendations on improving SharePoint security or find out how selecting the right content compliance and security solution will help your organization achieve the full benefits of SharePoint by reading Microsoft SharePoint Security: Evaluating a Content Security Solution.


Do You Know Where Your Policies Are?

Guest post by Michael Rasmussen.

When an organization fails to manage its policies, it quickly becomes something it never intended.

Policies define the organization’s governance culture and objectives. Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take the organization down unintended paths. Policies set the standard for acceptable and unacceptable conduct by defining boundaries for the behavior of individuals, the operation of business processes, and the establishment of relationships.

Let’s be clear. Policies in and of themselves do not ensure the right corporate culture. Merely creating thousands of policies is not the answer; in the case of policies, often “less is more.” Even when well-written policies are issued, the game isn’t over. An organization can have a wide array of policies that “sit on the shelf” or are not adhered to, resulting in the organization ending up in very hot water.

In my experience, policy management processes are in disarray, introducing risk in today’s complex, dynamic, and distributed business environment. The typical organization lacks a structured means of policy management; it has an inconsistent maze of templates and processes, with policy documents that are out of date (e.g., old versions), unauthorized, and scattered across file shares, SharePoint sites, and other content management systems. Inconsistency in policy management means processes, partners, employees, and systems behave like leaves blowing in the wind. Organizations struggle with policies that are out-of-date, ineffective, and not aligned to business needs. Policy inconsistency opens the door to liability, as an organization may be held accountable for policy that is not appropriate or not complied with.

Video: Managing Compliance Risk & Security in SharePoint

Do you know where the unstructured content in your organization is being created, shared and stored?

Are you sure that the sensitive information your business currently manages is secure and only available to the appropriate individuals?

Effective compliance means not only having a governance strategy in place, but also being able to manage risk by identifying issues and potential violations, with a process in place for resolution and fine-tuning.

Watch this six-step compliance and security process, which illustrates how to:

1. Identify Red Flag Risks
2. Establish the Compliance & Security Strategy
3. Design Policies & Deploy
4. Automate Content Compliance
5. Secure Content
6. Report, Remediate & Refine

Getting Your GRC House in Order

In my previous blog post, Inevitable Failure: Managing Scattered GRC Information, I argued that success in today’s business environment requires organizations to integrate, build and support business processes with an enterprise view of governance, risk management and compliance (GRC). Without an integrated view of GRC information and processes, scattered and disconnected approaches expose the business to unanticipated risk.

Organizations are focused on improving how they manage risk and compliance. The larger and more distributed the organization, the greater the need for integrated GRC. Strategy must focus on efficiency in human and financial resources, agility to meet the demands of a dynamic environment, and effectiveness at managing risk and compliance.

Effective GRC does not begin with buying a GRC platform. It begins with understanding context — external and internal. GRC strategy starts from the organization’s context: its culture, values, external business environment and internal environment. A strong understanding of context prepares the organization to understand and scope GRC. The goal is to design a GRC strategy that is resilient to change and can adapt and evolve. Companies fail when they lead with a GRC technology platform purchase and only then come back and ask — so what are we trying to accomplish in the first place?

Inevitable Failure: Managing Scattered GRC Information

Guest post by Michael Rasmussen.

Business risk is like the Hydra of mythology — organizations combat one risk, and more risks spring up to threaten them. Executives are constantly reacting to risk, and often fail to actively manage and understand the interrelationship of risks across the enterprise. The dynamic and global nature of business is particularly challenging to risk management. As organizations expand, their processes, operations, business relationships and risk profiles grow exponentially.

In regulatory risk, organizations face expanding global legislation with rapidly increasing requirements that burden the business. Organizations face increased fines and sanctions and aggressive regulators and prosecutors around the world. Reputation, social accountability/responsibility and brand protection are also significant compliance and risk management issues.

Reactive, document-centric and manual GRC processes fail to actively manage risk and leave the organization blind to intricate risk relationships. Siloed GRC processes cannot consider the big picture, resulting in complexity, redundancy and failure. Poor visibility means there is no integrated strategy for managing risk and compliance, and no possibility of being intelligent about risk and truly understanding its impact. This results in:

• Redundant and inefficient processes: A Band-Aid, siloed approach to risk loses the opportunity to leverage and integrate data for greater effectiveness, efficiency and agility. Building multiple GRC systems and technologies also takes time and resources, resulting in inefficiencies.

Hospice of North Idaho to Pay $50K to Settle HIPAA Violations

The U.S. Department of Health and Human Services (HHS) has announced that the Hospice of North Idaho (HONI) has agreed to pay $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

The HHS press release detailed the breach:

The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010. Laptops containing ePHI are regularly used by the organization as part of their field work. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

This incident represents the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.

Six Content Compliance and Security Predictions for 2013

It’s that time of year again, when analysts, journalists and companies try to predict the year ahead. I’d like to throw my opinion into the ring and offer some practical predictions for 2013 in the content compliance and security space.

1. Risk Managers Will Do More with Less

Risk managers will continue to be asked every day to do more with less to meet changing and more stringent regulatory compliance requirements, despite decreasing resources, less funding and frozen or smaller headcounts. In 2013, organizations will need to look to content compliance solutions for a constant, consistent and automated method of enforcing paper policies and organizational requirements governing PHI, PII and other sensitive information, including research, financials, and HR and board documents. Automating compliance helps protect the organization from violations caused by lack of policy knowledge, “whoops” moments, and, in rare cases, malicious intent.

Risk and Strategy Management: Are they different?

I named today’s blog post after a LinkedIn discussion that Michael Rasmussen of Corporate Integrity started in the group GRC 20/20. He opened the discussion as follows:

Risk and Strategy Management: Are they different?

In June 2012, Harvard Business Review published the article “Managing Risks: A New Framework.” Balanced scorecard guru Robert Kaplan stated the following. Do you agree or disagree? I see risk professionals all the time acting as if risk is strategy management, but is that putting the cart before the horse?

From the article:

“Managing risk is very different from managing strategy. Risk management focuses on the negative—threats and failures rather than opportunities and successes. It runs exactly counter to the “can do” culture most leadership teams try to foster when implementing strategy. And many leaders have a tendency to discount the future; they’re reluctant to spend time and money now to avoid an uncertain future problem that might occur down the road, on someone else’s watch. Moreover, mitigating risk typically involves dispersing resources and diversifying investments, just the opposite of the intense focus of a successful strategy. Managers may find it antithetical to their culture to champion processes that identify the risks to the strategies they helped to formulate.”

Many of the respondents highlighted that risk and strategy management are different, but that they go hand in hand. Identifying the risks to an organization helps define the strategy moving forward. The challenge is in ensuring the risk strategy encourages collaboration, opportunities and success. This is where I believe many organizations struggle.
