You May Be Compliant, But Not Secure.

Don’t hospitals have both compliance and security covered?
Seat belt laws can’t guarantee you won’t get hurt in a car accident, even if you comply. Neither can a driver’s license in good standing with the DMV. Likewise, compliance with HIPAA, Meaningful Use and other federal regulations can’t ensure the patient data under your care is secure.

Take Target, for example. The retail giant made the news in December 2013, for a major security breach affecting credit card numbers, expiration dates and security codes for 40 million customers and other personal information for up to 70 million people. Prior to the breach, Target was PCI compliant, having aced an audit for the Payment Card Industry standards just a couple of months before all hell broke loose. For cybersecurity experts, Target’s data breach reflects the reality that compliance can’t guarantee security — not even close.

So what’s the difference?

Below is a snapshot of how compliance and security stack up:


  • Conformity with official requirements.
  • Standards set by a third party with no knowledge of your organization.
  • May be open to interpretation.
  • Compliance violation costs: as
  • high as $1.5M per implementation specification.
  • You can be 100 percent compliant.


  • Protection from harm.
  • Standards tailored and tested internally to address the organization’s specific needs and evolving challenges.
  • Clear and specific to organization.
  • Security breach costs: frequently 10-20 times more than penalties as lawsuits, lost business and PR crises mount.
  • You cannot be 100 percent secure.

Don’t hospitals have both compliance and security covered? Actually, no. Having performed more than 20,000 risk assessments on medical devices containing patient data, we’ve witnessed countless security and compliance oversights with a real potential to take down a provider’s operations, finances, and delivery of care. But that shouldn’t come as a surprise. HIPAA violations affecting 500 or more records are up 138 percent  since 2012, says the U.S. Department of Health and Human Services.

So where’s the disconnect?

There’s much to say here, but let’s start with the misperception that security beyond basic compliance is a luxury, not a need. Although you’ll be hard pressed to find someone who openly admits to that mindset, you’ll find evidence for it in the form of insufficient security resources or a slew of higher-priority initiatives.

Perhaps the main reason is the issue of invisibility: when security works well, nothing bad happens (which is exactly the outcome you want). But then, because nothing happens, security is viewed as a needless expense. Until, of course, something does happen, like it did for Target.

So where to start?

What does it look like to go from just implementing minimum deterrence elements so you can check off compliance requirements, to being adequately secure? Below are characteristics of effective, risk-based security:

  • Compliance is viewed as a part of security, not a substitute for it.
  • Avoidance of compliance violations or fines does not dominate decision making. An enterprise-wide systems security and risk management approach does.
  • Leadership approaches security processes in terms of acceptable risk levels, not a compliance checklist.

Wherever you are in the security spectrum, there are only three possible ways you can respond to risk:

  1. Acceptance: You accept the risk is real and do something about it.
  2. Transference: You find ways to place the risk on someone else’s shoulder, like an insurer.
  3. Rejection: You cover your eyes, redirect your attention elsewhere, and act as if the risk doesn’t exist.

As you examine your current attitude and efforts, which security approach best describes yours?

We understand you have challenges — lots of them. Common obstacles include limited resources, both financial and human; a lack of knowledge about where to start and what level of security is appropriate; and a false sense of security that may come with compliance.

You’ll be ahead of the curve just realizing that following the letter of the law alone will not achieve security. Rather, both compliance and security can be achieved together by continually assessing threats and vulnerabilities, and implementing practices to minimize or eliminate those threats.


– See more at: