Loads of people treat compliance as a four-letter word. It often feels like a drudgery of requirements with the threat of penalties for failure lingering in the background. We need to change our mindset on this. We would be better off seeing compliance regulations as a starting point rather than as the most we will do to protect data and systems. Compliance frequently travels with its mates governance and risk; the trio is referred to as GRC: governance, risk, and compliance.
Compliance is the set of rules and regulations that organizations are required to follow in order to mitigate risk to the data and systems in use. The reason for such requirements is to protect the subjects of the data. For example, any organization that stores, processes or transmits payment card data is required to comply with the Payment Card Industry Data Security Standard (PCI DSS), which is meant to prevent cardholder data from being leaked or stolen. This standard is a minimum level of protection for customer data. We should strive to use such standards as jumping-off points, not as the most we are willing to do. Think of everything that is at risk when customer credit account information is stolen. Along with the credit account becoming accessible to the thief, the personal information that is part of the account is now known, which can lead to identity theft.
In the case of medical offices, failing to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) puts patient medical information at risk. Strictly adhering to the HIPAA rules gives patient data a minimum level of protection. Keep in mind all the information medical offices keep on their patients. It is so much more than just blood pressure measurements, weights, and appointment notes. It is the insurance information and the payment details from every visit. As with PCI DSS, enough information is collected here that identity theft can be conducted if it leaks.
I’ve given only two examples, but there are many more out there. The point is the same no matter which rule or standard is being followed: compliance guidelines should serve as our starting place for protecting data, not as the most we are willing to do.