When you build your IT security program, you don’t have to start with a blank page. Instead, you can leverage existing security standards. However, these standards have different requirements. To get you started, let’s take a closer look at two of the most popular IT security standards: HIPAA compliance vs. ISO 27001.
HIPAA Compliance: The Fundamentals You Need To Know
Best known in the health care industry, the Health Insurance Portability and Accountability Act (HIPAA) is a US law with far-reaching consequences. From an IT security and privacy perspective, HIPAA compliance is covered in two main rules: The HIPAA Privacy Rule and The Security Rule, which are closely related. It is important to note that HIPAA compliance does not require any specific set of technology or software. There are multiple methods and techniques you can use to meet the standard.
The Privacy Rule states: “The Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.”
The Security Rule states: “The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form.”
To meet HIPAA expectations, you need to conduct a security assessment, provide training to employees, and meet security requirements on several dimensions. For example, your security program is expected to have administrative, technical and physical safeguards. That means a technology solution is just one part of the HIPAA solution.
It is important to note that HIPAA is specifically focused on protecting “protected health information” relating to an individual. If your organization never handles such data, then HIPAA compliance is unlikely to be a concern. However, if you serve customers or clients that process such data, you may be expected to achieve HIPAA compliance requirements.
ISO 27001: Information Security Management
In contrast to HIPAA, ISO27001 is an international standard intended to apply to many different kinds of organizations. The ISO standard also directly focuses on IT security topics, while HIPAA is not primarily about IT security. Since the ISO standard can be used by more organizations and industries, we will consider it in greater depth:
Key concepts from ISO 20071 include the following:
● Continual improvement. In IT security, there is no such thing as “done.” That’s why the ISO standard recommends adopting a consistent improvement approach to security.
● Respond to emerging risks. No standard, even the ISO 27001, can comprehensively describe every IT security risk. Therefore, organizations need to develop processes to detect emerging risks and respond to them effectively.
● Assessing and treating information security risks. Building an IT security program requires professional judgment to sort between competing priorities. Use a risk assessment approach to make the most of your IT security resources.
● Effectiveness monitoring. You need processes to measure whether or not your IT security processes are working effectively.
● Effective business continuity management. While some business continuity issues are unrelated to security (e.g., power failures), there is a tight link to security, so these issues should be addressed.
● Information security awareness, training and education. This ISO 270001 principle reinforces the fact that everybody in the organization has a role to play in robust IT security.
● Information Security Incident Management process. Even with the best protections in the world, IT security events (e.g., data loss, hacking events, etc.) can still happen. That’s why the ISO 27001 standard expects that you build an information security incident process.
HIPAA compliance vs. ISO 27001: Which Should You Implement?
As you consider HIPAA compliance vs. ISO 27001 debate, there is a straightforward way to decide on your strategy. Consider the ISO 27001 as your baseline guidance that companies around the world aim for. This standard will help you build a comprehensive information security program capable of continuous improvement. In contrast, HIPAA is focused on specific situations in the United States relating to health care data. If you are not in the US health care industry, HIPAA compliance may not be significant.
Don’t assume that HIPAA compliance is a simple question, however! If you are a university that collects health information (e.g., with a university-affiliated health facility), then HIPAA comes into play. Likewise, a software company that processes or manages health data for health facilities or health insurance companies needs to keep HIPAA compliance in mind. It is worth taking a long, hard look at whether HIPAA applies because it is a law rather than a standard.
Failing to live up to ISO standards increases your security risk. However, it is unlikely you will suffer a penalty from the government. In contrast, failing to follow HIPAA compliance is a different matter altogether. According to the American Medical Association, HIPAA violations can lead to significant fines of up to $1.5 million and criminal penalties. For that reason alone, it makes sense to conduct a thorough analysis to see if HIPAA applies to your organization.
HIPAA compliance vs. ISO 27001: Three Ways To Speed Up Your Implementation
Some organizations use consultants and hire full-time staff to manage HIPAA compliance. That’s one approach. However, that is not the only way to achieve compliance. You can also leverage technology solutions — what HIPAA would call a “technical safeguard” — to protect your organization. Let’s look at a few ways identity and access management software makes fulfilling these standards easier.
● Information security awareness, training and education. Providing training for your employees is a good idea. However, how do you make the most of your training time? Open up your password management software and check on employee password trends. If you find many staff are not using multi-factor authentication, for example, you can focus your training on that topic.
● Effectiveness monitoring. Enabling IT audits or third-party consultants to review your organization from time to time is a smart move. However, those professionals can only do their jobs if they have the right tools. Using a tool like Compliance Auditor makes it easy to keep all of your changes in one place.
Achieving compliance with leading IT security standards doesn’t have to be scary. Use these software tools to make it easier today!
