I’m fond of saying that a business entity complies with regulatory and industry requirements for one of two reasons: because it helps protect sensitive information or because they have to. Some may argue that regardless of the reason, both will get you to the same place with the same results.
Doing something because you have to almost always converts into doing the bare minimum necessary in order to appease the regulators and auditors. It’s an approach that encourages addressing all key points within scope for the requirement, but all but ensures you’ll never think past it and look for additional risk factors to address. I speak from experience, having seen clear examples where this proved to be true. For example, take a client I did work for last year who was absolutely PCI compliant but who also would occasionally create Excel spreadsheets that included credit card information and were used to support batch payment processing. Those spreadsheets would be created by one person and emailed to another for processing. Because the client’s corporate policy prohibited using email to convey personally identifiable information (PII) between their employees and customers, the company did not pursue any testing or further documentation of controls to address the associated risks. I asked all sorts of questions about what happens to those internal emails: Are they archived, backed up and stored somewhere off-site? Can the attachments be downloaded to a USB storage device without detection? Can the email be forwarded to an external email address without detection? The client didn’t really have all the answers (though they certainly did a short while later). And yet they were PCI compliant.
This subject came to mind this week after news out of Boston about a loss of nearly 800,000 patient records by South Shore Hospital. This first caught my eye because most (if not all) of my Boston-area nephews and a niece were born there, and several of my in-laws had stays there over the past fifteen years. My first thought was: how could this have happened? There’s no doubt that they had some manner of controls in place to address this, which is how they first came to realize there was a problem. When shipping almost anything there are tags and bar codes everywhere, so you know who picked up what, where they picked it up, when they picked it up and where it was moved to along the way. I mean honestly, I can track a new Dell laptop across their production floor, onto a truck, through a few distribution centers and back onto a truck right up until it shows up at my front door. How is it that something far more significant wasn’t tracked similarly? And from all available information, it sure seems as though South Shore Hospital followed proper protocol on its end.
Still, despite having controls in place and being able to establish that the rules around those controls were followed, there are 800,000 former patients who have no idea who has access to their personal information.
This is a perfect example of why compliance by itself is not enough.
I’ve advocated for years that any regulation is an excellent starting point, but there’s a healthy dose of vigilance required in order to ensure the spirit and intent of that regulation are properly addressed. At best, compliance is a point-in-time validation and absolutely no guarantee that the most significant risks are being properly managed.
When a client tells me that his goal is to be compliant with whatever set of regulations govern his industry, I counter with, “Your goal should be doing whatever is necessary to avoid being on the front page of your local newspaper.” Hiding behind a statement claiming that you were compliant with all necessary regulations at the time of the security breach is cold comfort for your customers (or patients) and a poorly formed management strategy. I’m willing to bet I can find 800,000 people to agree with me up in Beantown.