Despite operating in one of the most heavily regulated industries, roughly 90% of healthcare organizations have suffered at least one data breach in the past two years, according to the Ponemon Institute. Compliance in the health sector aims to protect the personally identifiable data of patients and to prevent the common causes of data breaches. Sadly, most organizations in this industry treat compliance as synonymous with optimal security.
By using compliance requirements as their blueprint, they leave gaping holes in their defenses through which attackers can gain access to applications and hold patients' data for ransom. A good example is the WannaCry ransomware outbreak of 2017, which spread through unpatched Windows systems and took hospital networks offline, regardless of how compliant those organizations were on paper. The question is, are you also falling into the trap of the checkbox mentality?
Read on to learn why compliance isn’t the same as optimal security:
What is the Checkbox Mentality?
The checkbox mentality is a situation in which an organization is interested only in satisfying its compliance requirements. It ignores the organization's actual security needs and assumes the regulations are good enough on their own. But who can blame them?
Some regulations require a heavy investment of both time and money to satisfy, and both are scarce in business. For instance, investing in Active Directory reporting tools requires not only a team to analyze and record the data those tools produce for compliance purposes but also complementary tooling to act on it. The fact, however, is that examining security at a fine-grained level, beyond what the regulation asks for, is what benefits the organization.
Compliance is All About Generalized Security
Regulations deal with industry-wide requirements and are therefore generalized by design. They are meant to ensure that organizations meet a minimum security baseline for running their business. What if you have an IT asset that is unique to your organization?
What if your business model differs from most organizations in your industry? Such differences widen and reshape the set of threats you face compared with other businesses in your sector. Looking at security from a customized, threat-driven perspective will ensure that your security is more than 'just enough.'
Most Compliance Standards Might Not Be Comprehensive Enough
An effective security program treats compliance as one component of its security initiatives instead of treating it as the main requirement. While some regulations are quite strict about specifics, others are vague. For instance, a regulation may offer detailed guidance on data storage and breach disclosure but fail to address significant controls such as security awareness training, penetration testing, and policy enforcement.
Encryption is one of the most effective ways of protecting stored user data, yet not all regulations require it. GDPR, for example, lists encryption as an appropriate technical measure but does not make it mandatory. Gaps like this, repeated across the different security regulations, make it risky to rely on compliance as a security blueprint.
Threats Evolve Faster Than Regulations
Given the ever-changing threat landscape, it is evident that threats evolve faster than the most common regulations. Attackers lose no sleep as they tweak their malware to get past standard defenses. Furthermore, new vulnerabilities are disclosed daily and zero-day exploits surface regularly, increasing the need for an equally dynamic security posture rather than a static compliance checklist.