On a recent flight, I had the opportunity to rub elbows with a health care researcher from a prominent U.S. university. Our discussion led to the topic of information security and compliance, and when I told him those were my areas of expertise, I thought he was going to smack me. I received the I'm so fed up with compliance look from him, which 'I've seen from many people in the health care industry.
I've always believed that IT compliance is a threat to business, and this researcher was a perfect example.
Compliance is for 'the greater good,' but you also have a business to run, and balancing the two is necessary to success.
The gentleman proceeded to tell me about the ridiculous obstacles he faced when conducting research, communicating with patients, writing reports and so on. He said he is continually blocked from websites he needs access to. File transfers and emails containing electronic protected health information (ePHI) are off limits. Even when the network transport is encrypted, or someone sends him an unsolicited research-related email containing ePHI, his hand gets slapped and he's sent to security awareness training.
All of this information security and compliance theatrics, yet the researcher said he had no encryption on his laptop and zero security on his smartphone and tablet. Ah, the irony. I see this story everywhere -- in health care and beyond. This gentleman told me all the ways he's discovered to get around these controls so he could do his work. He had become a part-time hacker.
This scenario rings true throughout the health care industry (and many others as well). So many health care professionals cannot do what they are required because of Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act. Government regulation in health care is out of control, and ironically, it's not doing much good other than giving IT and security a bad name. As in this researcher's case, the technologies aren't the problem. It's process, policy and, often, politics that get in the way. This gentleman felt like he was caught in the middle with no real support from management or IT staff.
The moral of the story is you can force information security and compliance controls on health care researchers all day long -- even at their expense -- but they're going to do what they've got to do to get their work done. When it comes to compliance, set your users expectations. Everyone needs to be on the same page, but set them and your business up for success by balancing compliance with reason.
More on information governance
The role of metadata management in information governance strategy
Q&A: The value of corporate information governance as a business asset
This means understanding how sensitive information is at risk in your unique environment -- not based on what the bureaucrats in Washington, D.C., think is best for you -- and tweaking your business processes wisely. Put reasonable controls in place and ensure they're not only enforceable, but also enforced. Then, go a step beyond and think about how your controls can and will be circumvented. You'll need to stay a step ahead and develop ways to, in essence, "control your controls."
Listen to your users, too. If they're complaining about draconian security controls in the name of compliance, then they need to be heard. Compliance is for "the greater good," but you also have a business to run, and balancing the two is necessary to success.
Security, compliance and usability require a delicate balance that's both an art and a science you perfect over time. The good thing is that this balance can be attained if you think things through and try not to let politics and self-interest get in the way.
Kevin Beaver is an information security consultant and expert witness as well as a seminar leader and keynote speaker at the Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Complianceand the newly updated Hacking for Dummies, Third Edition. In addition, he's the creator of the Security on Wheels information security audiobooks and blog. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.
This was first published in July 2012