Earlier this month, a blog post from our very own Garry McCracken discussed how chasing industry-specific compliance regulations can distract a company from its actual security strategy.
“Compliance does not necessarily mean data security, but a focus on security in terms of risk, confidentiality, integrity and availability is likely to cover a lot of compliance. A security-led approach is better than a ‘checklist’ compliance approach. This applies not only to the payment card industry but to all sectors including government, health, education, etc.” –Garry McCracken, CISSP, Vice President, Technology.
An interesting trend in the healthcare sector is that state legislatures are taking security standards into their own hands after damaging breaches. Earlier this year, New Jersey passed a bill requiring health insurance companies in the state to encrypt personal data, a direct response to the 2014 Horizon Blue Cross Blue Shield of New Jersey breach, which was caused by the theft of two unencrypted laptops. After the recent attack on Anthem, whose Connecticut affiliate covers many of that state’s residents, Connecticut aims to follow suit.
While we hope that it won’t take a major breach in every state to push this initiative nationwide, it is reassuring to see state governments recognize that compliance standards like HIPAA are outdated: the HIPAA Security Rule lists encryption of data at rest and in transit only as an “addressable” specification, not a required one, which is exactly the gap the state laws close. Earlier this week, the U.S. Department of Health and Human Services Office for Civil Rights announced that healthcare providers will undergo in-depth HIPAA compliance audits; unfortunately, approving any changes to the federal standard itself will take even longer than it takes to pass a bill through a state legislature!
If your state hasn’t hopped on board yet, it is worth looking into the laws that already exist in Nevada (NRS 603A), Massachusetts (201 CMR 17.00) and New Jersey, which go beyond the federal baseline and specifically require encryption of personal data on portable devices and in transit. For more information on security best practices for healthcare companies, check out the WinMagic eBook, “Healthcare Providers and Patient Data Security.”