With the implementation of stricter regulatory compliance criteria, especially in industries such as healthcare, it is becoming increasingly difficult for many companies to ensure that they are compliant. For businesses and organizations that manage personal health information (PHI), government-issued identification numbers, such as Social Security Numbers in the U.S., credit card numbers and other types of protected personal data, the risks are very high. With these new regulations, the loss of confidential personal information can materialize into compliance infractions, lawsuits, identity theft, and criminal penalties for corporate officials.
Using the U.S. healthcare industry as an example, passage of the American Reinvestment and Recovery Act of 2009 (ARRA) and the Patient Affordable Care and Protection Act signals that the U.S. government’s vision is to move the majority of Americans towards the use of electronic health records (EHRs) within the next few years. Already, security is at the forefront of the conversation. Regulations developed by the Health and Human Services (HHS) Office for Civil Rights require healthcare providers and other entities covered by HIPAA (the Health Insurance Portability and Accountability Act) to promptly notify affected individuals of a breach. In addition, the HHS secretary and the media must also be notified in cases where a breach affects more than 500 individuals. Failure to comply with new regulations carries serious consequences for healthcare providers, including criminal sanctions, civil sanctions, and financial fines. The guidelines on violations include up to $1.5 million in penalties for breaches.
There are other regulations driving information protection and control in the U.S. Other compliance scenarios that organizations must consider include:
- The Health Insurance Portability and Accountability Act of 1996 requires that all patient healthcare information be protected when electronically stored, maintained, or transmitted to ensure privacy and confidentiality. It also mandates that each user be uniquely identified before being granted access to confidential information. It specifies that access to PHI be restricted to only those individuals who need access as part of their role.
- The Sarbanes-Oxley Act of 2002 (SOX) requires public companies to validate the accuracy and integrity of their financial management. SOX requires that businesses document and assess their internal controls and also control access to financial systems. Section 404 covers internal control activities during the creation of financial reports and identifies compliance risks that can be addressed by identity and access management (IAM) solutions.
- The Gramm-Leach-Bliley Act mandates privacy and the protection of customer records maintained by financial institutions. These include access controls on customer information systems, encryption of electronic customer information, procedures to ensure that system modifications do not affect security, and monitoring systems to detect actual attacks or intrusions.
- The Payment Card Industry (PCI) Data Security Standard contains 12 requirements grouped into six areas: build and maintain a secure network, protect cardholders, maintain a vulnerability management program, implement strong access control measures, monitor and test networks, and maintain an information security policy.
These U.S. examples are illustrative of the broader discussions occurring in many nations on security and privacy in our increasingly digital world. Having said that, companies must employ Governance, Risk and Compliance (GRC) capabilities to monitor and track the status of assets and processes that are covered under regulatory compliance programs. The GRC tools available today provide for a single dashboard view of compliance status for company-wide assets. In addition, service providers like Dell Services can jointly manage alerting and remediation responses to assets should they become non-compliant. The customer can log on to the dashboard at any time to see how they are measuring up.