Compliance isn't security, but companies still pretend it is, according to survey

It has become a cliche in information security: Compliance is not security.

But there is still an unsettling amount of denial out there, based on a recent study from HIMSS Analytics and Kroll Advisory Solutions.

According to the 2012 "HIMSS Analytics Report: Security of Patient Data," increasingly strict regulation and increased compliance from providers haven't slowed an increase in breaches over the past six years.

Yet, respondents to the survey, which included CIOs, compliance officers and HIMs, expressed confidence that they are better prepared for attempted data theft -- in spite of evidence to the contrary -- because they are in better compliance with regulations like the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.

This is the third of Kroll's biannual surveys of healthcare providers nationwide.

Along with numerous other security experts, Brian Lapidus, senior vice president for Kroll Advisory Solutions, says being in compliance with policy prescriptions is not the same as actually protecting personal health information (PHI).

The results of that are predictable. The number of organizations reporting breaches went from 13 percent in 2008 to 19 percent in 2010 to 27 percent in the past year.

The financial risks of PHI breaches are expanding as well. Not only are there the expenses of cleaning up a data loss, but attorneys nationwide are watching a number of class-action suits in California, where a law that provides for $1,000 in damages per patient, per breach, has prompted a flurry of class-action lawsuits against healthcare corporations where the potential liability is as much as $4.5 billion.

The survey findings on why compliance is not enough are familiar to security professionals as well. First is that human error, not policies, systems or organizational flaws, poses the greatest risk for a data breach.

Sarah Flanagan, a partner at the California-based law firm Pillsbury Winthrop Shaw Pittman LLP, one of the firms defending healthcare corporations against the class-action suits, says, "when you analyze privacy breaches, you find frequently that they are caused by human error -- a (single) human, rather than the organization."

This, despite that most companies drill security policies into their employees -- don't take home laptops or thumb drives; don't have confidential information on your screen when you're doing some work at a local coffee shop; don't even leave your desk at work with confidential information on the screen. Another predictable finding is that the exploding use of mobile devices increases the risk of breaches. All experts agree that the more accessible data is to more parties, the greater the risk of breaches.

Flanagan says there is a natural tension between expecting information to be remotely accessible while at the same time expecting 100 percent security. "I don't know if people appreciate that tension," she says.

But the survey did find some organizational flaws as well, specifically confusion over who is really responsible for data security. The respondents' answers ranged from CIO, CSO and CEO to HIM and chief compliance officer.

Still, no matter who is in charge, security depends on accountability at all levels. It is the dozens, hundreds, perhaps thousands of employees who have to understand that there will be consequences for security policy lapses. If there are consequences for a lapse, even if it does not result in a breach, that will make bad events less likely.

"It's all part of putting teeth into compliance," Flanagan says.

Stories by Taylor Armerding