Why mere compliance increases risk

The Department of Health and Human Services recently confirmed that a lack of training is a common cause of HIPAA compliance difficulties. But is that really such a surprise? Given the poor state of awareness training in many organizations, it's no wonder that HIPAA violations are actually on the rise. The fact is, to achieve formal, "letter of the law" compliance, just about any form of training will do to "check the box." But as we continue to see, bad training is, in the final analysis, practically equivalent to--or worse than--no training at all. Hence the disappointing results reported by HHS, and by the many organizations who wonder why their compliance training fails.


It should be obvious that there is more to this "compliance thing" than simply doing the least one can do. For starters, ask yourself: in addition to being compliant, is your organization also competent to see that the spirit of the law is fulfilled? Does your organization promote a culture that respects the interests of customers, patients, shareholders, and other constituents? Does everyone in the organization see themselves as responsible for the security of protected information, whether it is health information, credit card data, or the many other forms of personal information collected today? Do your executives actively model the importance of privacy and security? Do they seek out and identify potential gaps? If the answer to any of these questions is "no," then not only does your organization lack the requisite privacy competence--and this may come as a surprise--it may not actually even be in compliance. Here, then, are four clues that your "compliance" status may, in fact, be putting your organization--and your customers--in serious jeopardy:

1. You believe the minimum mandatory training will shield your organization from liability.

Just ask any number of HIPAA-compliant organizations that found out the hard way. Too many organizations, while having all their HIPAA papers in order, have still been found legally negligent--even though the training they provided satisfied the minimum regulatory requirement. Why? Because the behavior HIPAA seeks to regulate was not changed. Consequently, those organizations were found liable for breaching a standard of care, a breach that in turn resulted in the inappropriate disclosure of health information. In other words, because the spirit of the law was ignored, the training was ineffective, and a liability resulted. A growing body of case law clearly demonstrates that satisfying the letter of the law alone just won't cut it.

2. You believe that the objective is regulatory compliance.

Simply being compliant does not translate to a safe and secure organization. Not by a long shot. And if you're only motivated by avoiding the penalties for compliance violations, you've really missed the point. Regulatory fines are actually a drop in the bucket compared with the true costs of a breach, which also include loss of trust, customers, opportunity, and more. Besides, achieving compliance is only the first step in safeguarding your organization--and your customers. What the law is ultimately seeking is a culture of security-aware behavior.


3. You believe that checking the box will improve your overall risk profile.

The truth is that a check-the-box approach to compliance actually leaves your organization with a very poor risk profile. Because it breeds a false sense of security ("We're compliant!"), it also courts disaster. More importantly, the increased risk that inevitably follows "complacent compliance" endangers not only the security of your information and the privacy of your customers, but your brand's greatest asset--your hard-earned, trustworthy reputation.

4. You don't believe that training above the minimum standard will make any difference.

Take two organizations: one that gives awareness training short shrift and another that takes it seriously. Which would you consider more trustworthy: the company that gave its people an annual 30-minute PowerPoint, or the one that tied the training to the culture and corporate values of the organization and reinforced it throughout the year with habit-forming reminders? As a CEO, would you deliberately and consciously set out to test the theory that there's no difference between the two? Yet, chances are, unless you've gone beyond the minimum and instituted ongoing, behavior-focused awareness training in your organization, that's exactly what you are doing.

In the end, complying with the letter of the law while neglecting its spirit--and the strategic benefits it provides--is precisely the attitude that can leave your organization exposed, destroy customer trust, consume precious capital, and tarnish your brand. Conversely, just a small investment in true behavior-changing training and reinforcement will pay huge dividends in fortifying the security of your organization--and protect your customers in the ways the laws actually require.

John Schroeter is Director of Marketing at MediaPro, a provider of security awareness training solutions. Tom Pendergast, Ph.D., is Director of Product Strategy and Instructional Design at MediaPro.
