Protection of data. That's what security boils down to, and it's what I tell clients when they ask me what they need to protect most. Competitors, criminals and other players covet your data because it can be converted into money, like an alchemist turning lead into gold.
Much of the data you are trying to protect is sensitive or personally identifiable information (PII), such as medical or financial records. So how do you protect PII, and what are the ramifications if you don't? Let's roll out some common questions I get from clients and address the issues one by one.
What Are the PII Compliance Issues?
The primary compliance issue is data protection. Expect more litigation over security breaches as sensitive electronic information spreads further and the impact on consumers of its disclosure grows.
The "consumerization" trend, which pushes the enterprise to integrate consumer devices (iDevices, Androids, Chromebooks, etc.), opens up a tremendous amount of risk around the security and storage of sensitive information (PII). A central IT organization no longer chooses and controls the hardware used to access critical enterprise information. Corporate compliance and information security will have to balance regulatory requirements on one hand with the need to provide access to critical data on the other.
Are There New/Emerging Pieces of Legislation, Including Federal That Touch on PII Protection?
There are many layers of regulatory compliance for organizations that hold sensitive electronic data. These mandates originate from federal, state and local governments. The legal and regulatory compliance landscape has grown tremendously over the last decade, with HIPAA, Sarbanes-Oxley, PCI DSS, HITECH and Dodd-Frank impacting almost all industries in the U.S.
On the "new/emerging" legislation front, the FDA has also proposed a regulatory framework for Medical Device Data Systems (MDDS). Under it, hardware or software that transfers, stores, converts or displays data from a regulated medical device is itself treated as a medical device and becomes subject to regulation. That can include smartphones, iDevices and tablets in general. These regulations will create additional complexity for healthcare IT and security staff who are already trying to gain control of an environment where physicians attach their own iDevices to enterprise systems.
How About More Enforcement of Current Regulations/Mandates That Could Result in Jail/Fines?
With the advent of HIPAA and the HITECH Act, providers are ramping up their efforts to protect electronic and physical medical records. This is primarily due to the significant fines an organization can face if records are lost or stolen.
Because the HITECH Act drives the move toward Electronic Health Records (EHR), healthcare providers are adopting EHR solutions as one means of addressing patient data security. Most EHR vendors offer a hosted or "cloud" solution so physicians do not have to host their EHR package locally, which reduces cost somewhat.
Expect enforcement of HIPAA/HITECH to ramp up significantly in the near future because of the added enforcement provisions within HITECH. As an example, healthcare provider Cignet received the first civil money penalty under HIPAA ($4.3 million), a direct result of HITECH-era enforcement. HHS OCR has since levied penalties on other providers, continuing the trend.
Organizations that have complied with government and industry regulations are far more likely to be protected from lawsuits, thanks to "due diligence" provisions built into many industry regulations. PCI DSS is one example, with its "get out of jail free" or "safe harbor" provision. Safe harbor applies only if the breached organization is determined to have been compliant with PCI DSS at the time of the breach. The caveat practitioners should keep in mind: that determination is made by the post-breach forensic investigation, and it rarely concludes that the organization was in full compliance at the moment it was breached.
What Security Technologies, Processes or Policies Can Help?
The most significant hurdle in sensitive data (PII) security is user behavior. Organizations will have to define where users can store and access sensitive data securely, which devices (iPhones, iPads, Androids, etc.) are allowed on the network, and which policies will be put into place to enforce these mandates. Educating the enterprise on the proper handling of sensitive data across many scenarios will be far more challenging than implementing new technology.
The best way to modify user behavior is effective training backed by simple, enforced and monitored security policies. Unfortunately, organizations cut back training significantly during the Great Recession and are only now slowly adding funding back. Organizational policies are also an issue. In many cases they are lengthy, unread and unenforced tracts that languish in the appendix of the new employee handbook.
The complexity of security compliance on mobile devices may be simplified by adopting Virtual Desktop Infrastructure (VDI) in the corporate environment. VDI delivers a secure remote desktop session to a mobile device: the user logs in to a specific desktop image, the network connection is encrypted, and the data stays on corporate storage rather than on the device. The company gains greater control over mobile access, with the added benefit of a secure, standardized image for employees. VDI also cuts the risk of sensitive data being lost or stolen with a device, because nothing is written to the handset. Once the user logs out, the desktop session ends and the user is presented with the consumer mobile interface again. One caveat: the data is still rendered on the device's screen, so VDI reduces data-at-rest exposure on the endpoint but does not stop screenshots, screen capture or credential theft on a compromised device.
I'd like to hear your take on this topic, so sound off in the comments below!