C. J. Kelly

A Day in the Life of an Information Security Officer

Compliance legislation: lack of enforcement or lack of solutions?

I'd like to reference Eric Ogren's blog on the topic "Are all these compliance regulations productive?" I quote, "Even though these regulations are reasonably precise about security requirements, the lack of enforcement has led to the lack of investment."

I don't think that's why there's a lack of investment. It's not the lack of enforcement. It's the lack of vendor solutions that fully understand the business needs.

For instance, take HIPAA data. When I think about data management, I think about data in transit and data at rest, and whether or not to encrypt it; the sensitivity of that data and what type of access controls to apply. I think about network security and which network security zone sensitive data should reside within. I think about security issues through all the layers of the OSI model.

When a vendor comes to me and tells me that their document management system, for instance, is HIPAA compliant, I ignore the claim. There is no one solution or technology that enables an organization to become compliant. I consider their boast to be false and I don't even bother to have a discussion about it.

When I evaluate a "solution", I am thinking circles around the vendor, because information security is a complicated, multi-layered beast. If a vendor came in who was very well versed in the legislation and in the security arena, and understood what their solution actually did as a part of the total solution, I would listen. So far, I've just not been that impressed, and maybe that is why compliance vendors are wondering "how little market demand there is for HIPAA and PCI compliance solutions".

I suggest they rethink their marketing strategy.

What People Are Saying

Enforcement of compliance

Enforcement of compliance regulation is a must for many organizations, but implementing, establishing and maintaining it is a tough task due to complexity and cost. The Training HIPAA website provides a wonderful and valuable template suite which any organization, small or big, can use to meet their compliance requirements for HIPAA, Sarbanes-Oxley (SOX), FISMA, ISO 17799 or any other regulation/standard requiring business impact analysis, risk assessment, disaster recovery planning (DRP), business continuity planning (BCP) and testing and revision of the plan.

Templates

I think enforcement is a

I think enforcement is a must for all healthcare-related organizations to be HIPAA compliant, and they need to take it seriously. I recently came across a regulations poster from Symantec, a very useful tool which I found over here: Symantec. This poster is a crosswalk between HIPAA, ISO 17799, COBIT 4.0, Sarbanes-Oxley, Payment Card Industry (PCI), GLBA, NERC CIP standards and PIPEDA (Canada). With the help of this tool an organization can comply not only with HIPAA but with many of the other regulatory authorities listed above.

the amount of ignorance here

the amount of ignorance here is astounding and extremely sad.

HIPAA has no teeth??? Why don't you ask the two guys in federal prison that each got 10 years...lmao

look, all of you posters don't know a bloody thing about hipaa. so do the rest of us a favor and stop talking about it.

hipaa involves a lot more than protecting PHI, it involves ID theft and fraud. FYI...it was written by law enforcement for that reason

also, for your information, piedmont hospital is getting audited and so will others. the fine structure can be steep: 100 dollars for a single violation, and for that same violation you can go up to 25K in one year. so if you have 100 violations times 25K, what's the number???

hipaa is not solely about regulating PHI, it is being used to combat ID theft and is related to national security.

please read on this before posting your opinions.

finally, the writer that does not bother to talk to folks about hipaa compliant solutions is a tech, plain and simple, with little imagination.

stay in your tech. world and believe you are a practicing lawyer.

sad...

Enforcement is still a huge

Enforcement is still a huge barrier to compliance. If I'm a CEO, it doesn't take long to figure out that even $500,000 in fines will be much less costly than a $1,000,000 solution or the added costs and disruption in business for devoting resources to ACTUALLY solving the "how to really be compliant" problem.

Anecdotally, I heard of many, many health care entities budgeting for fines because it was much easier and cheaper than budgeting for compliance.

Hey CJ, What is the max fine

Hey CJ,

What is the max fine for being non-compliant with HIPAA? $25,000? I'm willing to bet that the total cost of deploying HIPAA-required security capabilities for a hospital exceeds that amount. Would you rather see your hospital spend money on health care or on intrusion detection systems?

That's why I believe executive and market accountability is more effective - the costs to the company or the career provide incentive to implement more robust compliance controls.

Every day I hear vendors say "You must buy my product to be compliant with XYZ regulation", and every day I hear an enterprise exec, like yourself, say "no I don't". The vendors know what part of the regulations their product applies to; what they don't know is how important it is to the customer's security plan.

One problem with a "must have" marketing approach is that the vendor may not be as good about qualifying accounts or listening to the prospect's real problems. I actually like companies to solve important security problems first, one of which just happens to be a compliance provision.

Compliance is a big expense partly because there is no one product or vendor that can do the job - it takes many. Expecting one product to satisfy all of the HIPAA requirements is an unreasonable expectation.

Eric

This is the correct approach

This is the correct approach - run, don't walk, away from any vendor who purports to offer a "HIPAA compliant" solution. It doesn't exist.

I also read Eric's blog entry from yesterday, and the thing people need to keep in mind when working with a regulation like HIPAA is the term "reasonable and appropriate". That's what HIPAA requires, that you evaluate your business and then implement privacy and security safeguards that are reasonable and appropriate for your operations. As much as everybody would love to have definitive standards spelled out, the rule has to be that ambiguous in order to apply to everybody in the business from the multi-national insurance companies down to the one-man dentist operating in a rural area of Iowa.

Being compliant with HIPAA is based on risk assessment, and documenting whatever you do or don't do to protect the data. I don't see how an outside vendor can come and offer you an off-the-shelf product that will do that.