Protection of data. That is what security boils down to, and it is what I tell clients when they ask me what they need to protect most. Competitors, criminals and other players covet your data because it can be converted into money, like an alchemist turning lead into gold.
Much of the data you are trying to protect is sensitive or personally identifiable information (PII), such as medical or financial records. So how do you protect PII, and what are the ramifications if you don't? Let's roll out some common questions I get from clients and address the issues one by one.
What Are the PII Compliance Issues?
The primary compliance issue is data protection. Expect increased litigation over security breaches as ever more sensitive information is stored electronically and the impact on consumers when it is disclosed grows accordingly.
The "consumerization" trend, which pushes the enterprise to integrate consumer devices (iDevices, Androids, Chromebooks, etc.), opens up a tremendous amount of risk regarding the security and storage of sensitive information (PII). A central IT organization no longer chooses and controls the hardware used to access critical enterprise information. Corporate compliance and information security will have to balance regulatory requirements on one hand with the need to provide access to critical data on the other.
Are There New/Emerging Pieces of Legislation, Including Federal That Touch on PII Protection?
There are many layers of regulatory compliance for organizations that hold sensitive electronic data. These mandates originate from federal, state and local governments. The body of legal and regulatory compliance requirements has grown tremendously over the last decade, with HIPAA, Sarbanes-Oxley, PCI DSS, HITECH and Dodd-Frank impacting almost all industries in the U.S.
On the "new/emerging" legislation front, the FDA has also proposed a new regulatory framework called MDDS, or Medical Device Data System. Under it, any computing device, application, network or storage solution that transfers, stores, converts or displays data from a regulated medical device is itself treated as a "medical device" and is thus subject to regulation. This would include smartphones and tablets in general. These new regulations will create additional complexity for healthcare IT and security staff who are attempting to gain control of an environment where physicians are attaching their own iDevices to enterprise systems.