As a company with a cyber security and compliance focus, we get a great deal of inquiries from people with questions like “What should I do about HIPAA or GLBA?”
It’s a hard question to boil down into a single statement, but if I had to, it would be “Start taking your IT processes and security seriously.” HIPAA, GLBA, PCI, and Pillar 3 are all compliance standards with similar requirements for how you approach IT and security. Some, like HIPAA or GLBA, have actual civil and criminal penalties attached to them for failure to properly protect client data.
Typically, business owners have no idea where to start or even if they need to follow any particular standard for compliance with these laws and recommendations. I am often told that someone who is dealing with clients’ personal and financial information doesn’t really “see a need” to spend time and money on things like Risk Assessments, a Written Information Security Program, or compliant IT service and reporting.
The only thing I can really do at that point is let them know that by law they are required to have those things, and do their due diligence to protect the safety of their clients’ data. The best analogy I can make is that operating your business without those important items in violation of the law and good sense will burn you eventually. It’s like driving without car insurance… you can do it but I wouldn’t call it a wise decision.
So what should you do to protect yourself?
Start with a risk assessment
During this process a qualified auditor should review your internal processes for handling client data, analyze the technology you use, and test your network and software to make sure you are meeting or exceeding your compliance requirements for protecting data.
It’s more than just looking at your computers. A good risk assessment also looks at human resources policies for assigning staff access to sensitive data, reviews the protections on the network, and ensures you have a consistent, documented approach for adapting and updating your business in response to new threats and security updates. A risk assessment is also a great way to identify inefficiencies in your workflows or get recommendations for easier, more secure applications to help your business grow.
Develop a written information security program
GLBA, HIPAA, and other standards require that you have a written program detailing what you are doing from an overall IT perspective for things like breach and incident response, backup and disaster recovery, and security updates. A good WISP will not only spell out how you are accomplishing your compliance objectives, but also set requirements for reporting on these processes, so that you are protecting yourself continually and not just for a one-time audit.
Use security and compliance reporting as a tool to keep your business running smoothly
Reporting on things like verified employee training, the patch status of servers, workstations, and applications, and the state of your antivirus can often provide early warning signs of trouble to come for your business. Machines that are not regularly patched, or applications that are not being updated, can lead to severe issues that will cost you productivity. Use those reports to make sure that your IT needs are being addressed properly, whether by an in-house employee or an outsourced IT services vendor.
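To make the patch-status reporting above concrete, here is an added example (not code from the original post or from Vine IT) that reads a small, constructed inventory of hosts and flags any whose OS patches, application updates, or antivirus definitions are older than a policy threshold. The hostnames, dates, column names, and the thresholds in `THRESHOLDS` are all assumptions for illustration; a real report would come from your patch management or RMM tooling and the thresholds from your own written program.

```python
"""Flag hosts whose patch or antivirus status is stale, from a constructed inventory.

Added example; the report format, hostnames, dates and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample of a patch/AV status export. Every hostname and date is made up.
SAMPLE_REPORT = """\
hostname,role,last_os_patch,last_app_update,av_definitions
fileserver01,server,2024-05-01,2024-05-01,2024-05-12
ws-accounting-03,workstation,2024-02-10,2024-03-15,2024-05-11
ws-frontdesk-01,workstation,2024-05-08,2024-05-08,2024-04-01
db-clients01,server,2024-04-20,2024-01-05,2024-05-12
"""

# Maximum acceptable age in days per check. These are assumed policy values,
# not figures from HIPAA, GLBA, PCI or any other standard.
THRESHOLDS = {"last_os_patch": 30, "last_app_update": 45, "av_definitions": 7}


@dataclass(frozen=True)
class Finding:
    hostname: str
    check: str        # which column was stale
    days_stale: int   # age of that column's date as of the report date


def parse_report(text):
    """Parse the comma-separated export into one dict per host (header row gives the keys)."""
    lines = [line for line in text.strip().splitlines() if line.strip()]
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def stale_findings(rows, as_of, thresholds=THRESHOLDS):
    """Return a Finding for every (host, check) whose date is older than its threshold."""
    findings = []
    for row in rows:
        for field, max_days in thresholds.items():
            age = (as_of - date.fromisoformat(row[field])).days
            if age > max_days:
                findings.append(Finding(row["hostname"], field, age))
    return findings


def summarize(findings):
    """Count findings per check so the report has an at-a-glance summary line."""
    counts = {}
    for finding in findings:
        counts[finding.check] = counts.get(finding.check, 0) + 1
    return counts


def run_sample(as_of_iso="2024-05-12"):
    """Run the checks over the constructed sample as of the given report date."""
    return stale_findings(parse_report(SAMPLE_REPORT), date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    results = run_sample()
    for finding in sorted(results, key=lambda f: (f.hostname, f.check)):
        print(f"{finding.hostname:18} {finding.check:16} {finding.days_stale:4d} days stale")
    print("summary:", summarize(results))
```

Sorting by host makes it easy to hand the list to whoever owns that machine, and the per-check summary is the line worth watching over time: a count that climbs from one report to the next is the early warning the paragraph above describes, well before any single machine causes an outage.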
As always, you don’t have to use Vine IT to meet your needs, but you should be using someone to address these important items for you.