The regulatory compliance burden spreads far and wide. It is often assumed that only end users have to worry about compliance. That's not true. Compliance is everyone's concern. Whether you're a VAR, a systems integrator or a consultant like me, you are responsible for meeting various regulatory compliance requirements.
Overlooking the fact that you're a business associate of a regulated business can be hazardous to the health of your business.
Holding third parties accountable for compliance took hold in the health care industry nearly a decade ago with the HIPAA Privacy and Security Rules and their concept of the business associate. Now practically every industry or government information security regulation includes business associates in some capacity. In essence, if you provide services for a business that's required to comply with a specific regulation, you need to comply with it as well.
A good example is the HITECH Act for the health care industry. HITECH gives the HIPAA rules more enforcement "teeth" so that electronic protected health information (ePHI) is kept in check and people are held accountable regardless of who's in possession of it; under HITECH, business associates are directly subject to the HIPAA Security Rule rather than being bound only through their contracts with covered entities.
Questions to consider
You need to be mindful of business associate agreement requirements and take the necessary steps to protect sensitive information and keep both your customers and your own business in compliance. The following questions can help you determine how compliance affects your business and whether you're taking the proper steps to minimize your own risk:
- What regulation – or set of regulations – is each of your customers responsible for? If you’re not sure, just ask. If your customers aren’t sure then perhaps you’ve got a new project in the works!
- How is your business impacted by these regulations? Are you considered a business associate or an actual covered entity, which may be held to even higher standards?
- What have you agreed to in customer contracts and customer policies? These agreements are often more stringent than industry regulations.
- What sensitive information (e.g., credit card numbers, health care records and mortgage loan applications) do you collect, process, store or otherwise handle for customers? Don't overlook what's stored on unencrypted laptops, smartphones and backup tapes; these are the areas a lot of people overlook and consequently get into trouble over.
- Are you really doing the best you can to protect sensitive customer (or third-party)
- Are all of your laptop hard drives and mobile storage devices used in the course of business encrypted with an enterprise full disk encryption solution?
- Are your smartphones protected against loss, theft or malware?
- Are you performing security assessments of your own environment (Web applications, databases, operating systems, network infrastructure devices, etc.) to find out where you’re weak and how you can get hacked?
- Do you have someone on staff who is in charge of monitoring industry and government regulations to ensure compliance and to seek out business opportunities?
Every situation is different. Every regulation is different. So is every business's risk tolerance. You'll also see a wide range of expectations from your customers when it comes to information security and compliance. Whatever you do, never fall into the mindset that compliance comes in a box. It doesn't.
It pays to be vigilant and to understand what you've signed up for and which security regulations your customers and your business are held to. Even if no laws, contracts or policies govern how you handle customer information (which is unlikely), it pays to do your own due diligence and hold yourself to a high standard of information protection. You are the IT expert in your customers' eyes. Not only is your guidance golden; you'll also gain credibility and build trust by practicing what you preach.
About the author
Kevin Beaver is an information security consultant, expert witness, and professional speaker with Atlanta-based Principle Logic, LLC. With over 22 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored 10 books on information security including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached on Twitter at @kevinbeaver or on LinkedIn.
This was first published in November 2011