Prime Factors Blog

Five Ways Your Company Can Improve Its Compliance

Posted by Pete Flagella on Aug 23, 2016 10:00:00 AM


Compliance comes in a variety of forms, and the rules get messy quickly. Because compliance is tied so closely to current technology, the laws have to be written with enough breathing room to accommodate advances in both software and privacy standards. The result is that one company's reading of "reasonable safeguards" can differ sharply from another's, which is why it is easy to get sidetracked on the wrong issues or to feel unable to keep pace with the regulations. Here are five ways to improve your compliance so you are not left facing fines, lawsuits and legal fees because your company fell short on securing data.

To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption 

Use Cryptography

Encryption and tokenization are among the best ways to keep your company's and your customers' private information under virtual lock and key. The reasoning is simple: anti-malware and perimeter defenses have been shown time and again to fail at keeping criminals out. They are the chaperone at a school dance who keeps missing the teenagers sneaking off into the hallways. Encryption, combined with control over who holds the keys, lets you restrict access for particular employees or partner organizations, and it means that a thief who does get in walks away with ciphertext or tokens rather than credit card numbers, expiration dates, Social Security numbers or home addresses.

IT teams generally understand encryption, but it has not been adopted as widely as it should be. Part of the reason may be that attackers keep probing encryption products, just as they do every other security tool. It is worth remembering, though, that encryption is the one control that still protects the data after a breach has already succeeded, provided the keys were not taken along with it. Choose products that are simple to use correctly and that keep pace with new attack techniques, and you sharply reduce the chance of a disaster. Scams have been run by unsophisticated and highly skilled criminals alike, and the more layers of protection stand in the way, the better your chances of passing compliance testing with flying colors.

Ransomed files, cloned credit cards, tax fraud and outright identity theft are just some of the outcomes that better encryption might have prevented. Attackers keep probing barriers of every kind and share what they learn every day, so defenses have to be ready to change just as quickly. As major websites, real estate firms and even credit bureaus have discovered, their data protection was simply not adequate when it mattered most.
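Tokenization is the easiest of these controls to show concretely. The block below is an added example written for this post, not Prime Factors' code or product API: a vault-style tokenizer built on Python's standard library that hands the application a token which keeps only the last four digits, deliberately fails the Luhn check so it can never pass as a card number, and can only be reversed by code holding the vault. The vault, the HMAC index key and the sample card number are constructed assumptions; in a real deployment the token-to-PAN mapping is encrypted at rest and the key sits in an HSM or key manager.

```python
import hashlib
import hmac
import secrets


def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Minimal vault-style tokenizer (illustrative, not a product API).

    The application stores only the token. The vault holds the token-to-PAN
    mapping; in production that mapping is encrypted at rest and the index key
    lives in an HSM or KMS, which is assumed rather than implemented here.
    """

    def __init__(self, index_key: bytes) -> None:
        self._key = index_key
        self._pan_by_token = {}      # token -> PAN (encrypted at rest in a real vault)
        self._token_by_index = {}    # HMAC(PAN) -> token, so a repeat PAN reuses its token

    def _index(self, pan: str) -> bytes:
        # A keyed hash lets a repeat PAN map to the same token without keeping a
        # plaintext PAN index; without the key the index reveals nothing useful.
        return hmac.new(self._key, pan.encode("ascii"), hashlib.sha256).digest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("input is not a well-formed card number")
        idx = self._index(pan)
        token = self._token_by_index.get(idx)
        if token is None:
            while True:
                # Keep the last four digits for receipts and support lookups and
                # randomise the rest. Reject candidates that pass Luhn so a leaked
                # token can never be mistaken for, or used as, a real PAN.
                body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
                token = body + pan[-4:]
                if token not in self._pan_by_token and not luhn_ok(token):
                    break
            self._pan_by_token[token] = pan
            self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only code with access to the vault can recover the PAN."""
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


# Constructed sample: a well-known Visa test number, not a real account.
VAULT = TokenVault(secrets.token_bytes(32))
SAMPLE_PAN = "4111111111111111"


def demo() -> dict:
    """Tokenize a PAN, show what the application database would hold, and recover it."""
    token = VAULT.tokenize(SAMPLE_PAN)
    stored_record = {"customer": "c-1001", "card_token": token}   # no PAN in the app's table
    return {
        "token": token,
        "same_token_on_repeat": VAULT.tokenize(SAMPLE_PAN) == token,
        "token_looks_like_card": luhn_ok(token),
        "record": stored_record,
        "recovered": VAULT.detokenize(token),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the printed record is what a breached application database would reveal: a customer id and a token that fails the card-number checksum, nothing an attacker can charge against. The vault, and the key material behind it, is the only place the real number exists, which is exactly the separation compliance auditors look for.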

Change Your Security Practices

When a manager does something as simple as stepping away from a computer without locking the screen, it is a sign that security may not be enforced as well as you need it to be. If you handle PHI or sensitive financial data, there are few risks you can afford to take, and no one is immune to getting a little lax in their daily habits. To comply with HIPAA's Security Rule you need to authenticate everyone who accesses electronic PHI, automatically log off idle sessions, and revoke access promptly when someone leaves or changes role.

Employees connect their own devices to the company network, forget to update the software on their computers, share a password when they are in a bind and need a favor, and divulge too much when trying to make a sale or a contact. And every once in a great while, an unhappy or greedy employee starts planning something deliberately harmful to the company. You cannot let yourself become complacent about compliance.

Making security a priority starts with more education. Most employees do not realize how many ways they put the company at risk; breaches are frequently caused by ordinary employee error rather than by some criminal mastermind who graduated from MIT. If memos are not changing behavior (and you should be auditing employee behavior regularly), move to more involved training sessions. You can also start removing privileges that employees are abusing, but be careful: people tend to find ways around barriers that get in the way of their work.

Examine Your Vendors and Employees

It is not enough to change your own security policies, especially now that HIPAA and HITECH, as amended by the 2013 Omnibus Rule, demand more of organizations in light of the breaches that have occurred. If you are a covered entity, you are expected to do your due diligence in examining how your vendors approach security. A security questionnaire and a request to see their recovery plans are a reasonable start. You will have to keep up with them for as long as the business relationship lasts, and potentially after you terminate a contract if they still hold your data. If you have not been doing this, you may already be in violation of HIPAA's requirements for safeguarding PHI.

The same applies to anyone who handles credit card transactions; PCI DSS explicitly requires you to manage the service providers with whom you share cardholder data. For anyone you share information with (a payment processor, a parent company, and so on), make sure they are doing everything reasonable to keep it protected. Even the largest companies are not immune to cutting corners on their technology. You cannot control another company's security, so this is mainly about demonstrating that you did your homework and held your partners to standards comparable to your own. Much like a game of telephone, information is easy to lose track of when separate networks house the same data under different protocols and controls. You may also want to revisit your hiring policies if they have not been updated in a while. Note that the General Services Administration (GSA) does not write the rules for handling Personally Identifiable Information (PII); those come from the regulation that applies to you (HIPAA for PHI, PCI DSS for cardholder data, and state privacy and breach laws). What GSA does maintain is the exclusions list in the System for Award Management (SAM.gov), which records parties barred from doing business with the federal government, and the HHS Office of Inspector General keeps the List of Excluded Individuals/Entities (LEIE) for health care. Screening new hires and vendors against those lists is sensible due diligence, but they are not registries of people forbidden to touch sensitive data.

Get Your Documentation Straight

Some people adore paperwork; having all their ducks in a row makes them feel in control. Others cannot stand it, and they show it in a variety of ways: statements that do not make much sense, forms filled out in a rush with little attention to detail. The person who filled out the form may or may not understand what they meant five years later, but an auditor certainly will not. Make no mistake, both the number and the intensity of audits have increased in recent years to keep up with the public's demand for privacy.

If you have an organizational expert among you, make them the designated person to document and categorize as much as possible. Release notes, logged errors, memos, reports and test results should all be easy to find, properly dated and filed. You also need documentation that your vendors are operating at your security level. A Business Associate Agreement (BAA) is the contract HIPAA requires between you and each business associate, putting in writing how they will safeguard the PHI you share with them.

Your business associates must in turn have a BAA with each subcontractor that handles your PHI, so you can see how sharing information across multiple entities gets complicated quickly. More documentation rather than less is what keeps you in control rather than feeling caught in the storm.

Keeping Physical Records Intact

Not everything is done on a computer, even if it sometimes feels as though your whole life lives online. Faxed forms, patient documents and receipts still need to be tracked within the office or in a locked storage facility. HIPAA's facility access controls require you and your partners to limit and record who can physically reach PHI; badge access, visitor logs and video surveillance are the usual ways to do it. An organization that is lax about people borrowing keys or letting others into restricted rooms for convenience is not only committing a compliance violation but also opening itself up to fraud.

Should you choose to work with a document-scanning service, that service will need a data backup plan. Whether it relies on a cloud-based server or fire-rated storage, you should have their plan on file as well as a secure solution of your own. In all matters of compliance, it is better to err on the safe side.




Topics: Enterprise Data Protection, encryption, PCI Data Encryption