The greatest challenge for organizations subject to compliance is proving if they are compliant or not. It’s easy to state that policies, processes and procedures are in place and have been disseminated to the staff, but is anyone adhering to these?
Most compliance standards seek to protect sensitive data that is made accessible to appropriate staff:
- HIPAA—electronic patient health information
- GLBA—personal financial information
- PCI—payment card information
- Assessments of compliance usually revolve around checking those policies, processes and procedures and not if data is actually misappropriated or misused.
For example, using HIPAA and patient health information as the example, an employee can access, update and close a patient record, but then go onto Facebook and post that “celebrity X is staying at our hospital!” – a clear violation of HIPAA. Alternately, a nurse can hit the Print Screen button on his computer to bring some notes to a room, and accidentally misplace it, only to be found by another patient. Additionally, one employee can log on as a fellow employee because they forgot their password and need to update a patient record before heading home for the day.
What tests of policies and procedures will catch those compliance violations?
What to do to Assess Compliance?
First, stop thinking that compliance assessment is a reactive activity. It can, and should, be a proactive, constantly occurring process.
Second, think about where you need to be continuously assessing the state of compliance. It comes down to two simple concepts – your systems and your employees. If your systems are secure and you employees are using sensitive data appropriately, you most definitely are compliant.
Systems can be monitored using centralized log management where security logs, containing information about logon attempts, access to data, and inappropriate attempts of both are collected with alerts sent out in real-time informing compliance and/or security personnel of these events.
Employees can be continuously monitored by watching the source of breaches – the employee’s computer. By monitoring every employee action, compliance and security personnel can be notified in real-time when actions that are clear breaches of compliance standards are taken. Additionally, with the ability to capture screen snapshots, organizations have the unique ability to replay the employees actions before, during and after the breach, allowing extent of breaches to be identified.
By monitoring systems and employees, the celebrity Facebook poster, the print-screening nurse and the identity-borrowing employee would all identified at the time the action was taken, alerting compliance staff of the breach (or potential breach, as the case may be) where action can be taken immediately, rather than days, weeks or months later.