ZenGRC

Simply Powerful GRC

HIPAA

The Responsibilities of a Compliance Manager

· ·

Being a compliance manager can sound tedious to a lot of people. When people think about compliance, they often think in terms of checking boxes on audit forms. However, compliance management is more like putting together a puzzle without having the cover picture. Compliance issues come from a variety of regulations and industry standards, often overlapping while sometimes being disconnected.

Compliance Manager Responsibilities

What is a compliance manager job description?

The basic job duties and tasks seem simple.

  • Conduct periodic internal reviews or audits
  • Investigate or direct compliance issues
  • Assess product, compliance, or operational risks and develop risk management strategies
  • Identify compliance issues that require remediation
  • Communicate written policies and procedures across the organization
  • File compliance reports with regulatory agencies
  • Evaluate testing procedures for continuous monitoring
  • Verify oversight and monitoring activities
  • Document compliance activities
  • Consult with legal counsel regarding compliance issues
  • Research emerging compliance issues
  • Collaborate with senior management and the appropriate department heads
  • Advise senior management and business partners about implementing compliance programs
  • Train employees on compliance topics
  • Assist external auditors or conduct internal audits
  • Report to management and the Board of Directors on compliance program
  • Review continuous monitoring and continuous documentation of systems
  • Report compliance violations

Although not a complete list of duties, many of these interrelated tasks appear to be easily managed on paper. Unfortunately, in an ever-expanding digital world, they become cumbersome.

What is the Compliance Manager’s Role in IT?

Legal requirements governing IT environments vary by industry. Thus, compliance managers need to know how to implement a variety of controls required by different governmental and industry standards organizations. These legal requirements often incorporate fines and penalties for noncompliance making them a compliance management priority.

For example, the healthcare industry focuses on the Health Insurance Portability and Accountability Act (HIPAA). However, many must still comply with the Sarbanes-Oxley Act of 2002 (SOX). This overlap of regulations requires strict attention since both regulations incorporate monetary penalties for noncompliance.

Meanwhile, the Federal Deposit Insurance Company (FDIC) and the Federal Financial Institutions Examination Council (FFIEC) set out IT regulatory requirements for the financial industry.

How are Industry Standards Related to a Compliance Manager’s Job?

Unlike government regulations, industry standards do not always invoke penalties. Despite that, competitive businesses must meet the best practices these standards control.

For example, the Industrial Standards Organization (ISO) established the ISO-27001 standard to develop controls over the IT landscape.

Meanwhile, businesses that accept credit card payments need to comply with the Payment Card Industry Data Security Standard (PCI DSS). Although not a regulation, PCI DSS noncompliance does impose fines by the payment card companies. Additionally, many payment card companies will stop processing payments for organizations that do not comply with the security standard.

How do Compliance Managers Engage in Program Planning?

Your compliance manager will look at the potential threats to data integrity, accessibility, and confidentiality. Then, she will look at the types of data stored, accessed, and transmitted throughout your IT environment. Finally, the compliance manager will determine the overall risk posed by a system, network, or software.

After this, the compliance manager determines whether you have the appropriate controls in place to protect data. For example, workforce members may want to use customer data for their nefarious purposes in the same way that external malicious actors do.

Thus, your compliance manager will ensure that your organization creates policies that govern internal access and authorization as well as ones that set controls such as firewalls, encryption, and other external threat mitigations.

What are the Struggles a Compliance Manager Faces?

A compliance officer wears many hats. First, she must be able to communicate with internal stakeholders. As businesses integrate more Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) to streamline business operations, they create more compliance issues. Therefore, the compliance officer must constantly communicate with all department heads to align product compliance with the vendor risk management program.

Second, in a continuously evolving cybersecurity environment, the compliance officer no longer engages in once-a-year audits. Continuous monitoring and continuous documentation must occur to maintain continuous assurance over the compliance procedures.

Third, information security requires internal investigation and remediation of threats. However, managing alerts and compliance issues can become overwhelming. To maintain a robust compliance program, the compliance officer needs to triage the different remediation and response tasks daily.

Why Automation Eases a Compliance Manager’s Job

Compliance officer jobs incorporate organizing a vast amount of information to protect businesses. Early business initiatives may require little compliance.
Scaling the business means tracking multiple standards and regulations within your corporate policies and procedures. As such, spreadsheets become unwieldy. The time a security compliance manager spends engaging in spreadsheet review costs a company money.

This cost increases during the audit process. When auditors request the needed documentation, the compliance manager needs a single location for obtaining it and communicating with the stakeholders.

Automation streamlines organizing compliance activities across multiple standards and regulations, prioritizing alerts, and stakeholder communications.

How ZenGRC Eases Compliance Manager Burdens

ZenGRC’s System-of-Record makes collecting audit information easy. By streamlining the workflow, organizations can eliminate emails while tracing outstanding tasks. Additionally, the unified control management feature allows organizations to map controls across multiple frameworks, standards, and regulations to determine whether compliance gaps exist. This mapping capability enables organizations to ensure consistency that leads to stronger audit outcomes.

For example, as part of the System-of-Record dashboard, organizations have at-a-glance insight into the percentage of controls finalized and a portion of controls mapped to a particular framework.

ZenGRC’s streamlined workflow shows task managers the date on which a vendor provided a response and a status. These details mean that compliance managers no longer need to spend time following up with the organization’s multitudinous vendors.

GRC automation enables organizations to focus on the fundamental issues of compliance while eliminating the tedious tasks that often make compliance feel like a burden. Not only does this help compliance officers feel more effective at their jobs, it also makes organizations more efficient at the ongoing task of governance and continuous monitoring.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.

What is the Difference between HIPAA and HiTrust?

· ·

The Health Insurance Portability and Availability Act (HIPAA) establishes a set of security controls that govern information security in the healthcare industry. Healthcare organizations and their business associates are legally required to protect certain types of patient information from data breaches. A HIPAA compliance violation can lead to fines and jail time, depending on how the protected health information (PHI) or electronic PHI (ePHI) disclosure or unauthorized access occurs.

The HIPAA Security Rule governs security standards regarding ePHI. Although the regulation does not prescribe controls, it details standards and regulations as guiding principles, including but not limited to COBIT, ISO, NIST, and PCI DSS. Thus, meeting these requirements can flummox healthcare organizations trying to establish controls to achieve compliance.

The Health Information Trust Alliance (HITRUST) established the HITRUST Common Security Framework (CSF) that assists companies attempting to meet the high HIPAA compliance standard. The HITRUST CSF aggregates all the suggested controls into a framework that makes it easier for an organization to be HIPAA compliant, although it is not part of the HIPAA regulation.

As a framework rather than a regulation, the HITRUST CSF creates a process that begins with establishing a risk management program that includes a self-assessment, asset inventory, risk assessment, risk analysis, risk tolerance considerations, risk mitigation process, and monitoring control effectiveness. HITRUST certification also requires the organization to undergo an external audit from a HITRUST CSF certified assessor. The CSF assessor reviews the risk management program and control monitoring to determine whether the organization appropriately completed the HITRUST assessment.

Although HITRUST CSF certification differs from HIPAA compliance, it allows an organization to create a more streamlined approach to meeting the Security Rule requirements.  

What is HITrust Pay?

· ·

Compliance with the Health Insurance and Portability Act (HIPAA) initially appears to apply only to the healthcare industry. However, HIPAA also requires healthcare provider business associates to maintain security and privacy controls over protected health information (PHI) and electronic PHI (ePHI). For payer organizations, this requirement means aligning data security protections to HIPAA.

HiTrust Pay

What is a “Business Associate”?

Under HIPAA, a business associate is any individual or entity who provides services to a covered entity. This definition includes explicitly billing and repricing. If you’re working with a covered entity and offering payment processing, then you also need to be HIPAA compliant.

What are the PCI DSS requirements?

Payment processors already understand stringent and prescriptive security and data regulations. The Payment Card Industry Data Security Standard (PCI DSS) prescribes twelve different requirements for securing data. PCI DSS focuses on protecting payment card information such as account number in conjunction with either cardholder name, the card’s expiration date, or its service code. At its core, PCI intends to protect cardholder data (CD) so that no one can steal it and spend the payee’s money.

What are the HIPAA requirements?

HIPAA requires business associates to maintain control over information including but not limited to demographic information, medical history, test and lab results, mental health conditions, and insurance information. At its core, HIPAA intends to protect people’s private health information which often includes more data points. Those additional pieces of information can enable a malicious actor to create a false identity.

Why PHI is more valuable than CD

Health information records contain more data points than cardholder data. Although a credit card or personal account can lead to unauthorized charges, health records incorporate date of birth, social security number, and additional identifiers that can allow malicious actors to create false tax return filings or create new bank accounts. Ultimately, unauthorized access to CD leaves a person’s financial identity at risk while unauthorized access to PHI or ePHI places the individual’s historical identity at risk.

Where PCI lacks HIPAA protection

The HIPAA Security Rule focused on ePHI and created three primary safeguards: technical, administrative, and physical. Additionally, HIPAA incorporates a Breach Notification Rule and Privacy Rule. Although PCI compliance aligns to some of the Security Rule requirements, it does not meet the Breach Notification and Privacy requirements.

Thus, payment processors seeking to work with HIPAA covered entities must incorporate additional controls and processes.

How HiTRUST enables payer security

HIPAA compliance for business associates rapidly becomes overwhelming.
The Health Information Trust Alliance (HiTRUST) brought together all the relevant standards that enable HIPAA compliance into a single common security framework (CSF). The HiTRUST CSF enables covered entities and business associates to work within a single program that creates a certification process for both groups. As such, the certification allows a business associate, such as payment processor, to “assess once, report many.”

This process provides continual assurance that, as a vendor, the payer security processes maintain the integrity and confidentiality required for HIPAA compliance.

What are the types of HiTRUST CSF assessments?

A business associate can choose to engage in either the self-assessment process or the validated assessment process.

The CSF self-assessment uses the methodology, requirements, and tools contained within the CSF Assurance program. After an organization submits a self-assessment, HiTRUST engages in limited validation.

The validated assessment begins with a self-assessment but then requires a certified CSF assessor to conduct and score the assessment. Once validated by the CSF assessor, the organization’s controls can be deemed CSF certified.

Why obtain HiTRUST Certification?

The HiTRUST Third Party Assurance Program allows organizations to create a streamlined reporting and validating process that eases HIPAA compliance across the supply stream.

Engaging in the CSF self-assessment offers insight into control management. However, since it does not incorporate the same level of external assurance over program effectiveness, it lacks the weight of certification.

HiTRUST CSF certification incorporates both the HIPAA risk assessment process as well as the NIST Cybersecurity Framework control effectiveness review. By bringing these two together under a single compliance umbrella, as well as incorporating other standards that apply to HIPAA, the HiTRUST certification enables third parties to assure their customers that they engage in the due diligence necessary for maintaining ePHI securely.

Because certification requires additional levels of review and more detailed reporting, most covered entities and business associates rely on certification when compared to self-assessment. Many healthcare organizations establishing business partnerships require their third-parties to obtain and maintain HiTRUST certification. Thus, many payer organizations are aligning their compliance to the CSF.

Is HiTRUST certification the same as HIPAA compliance?

The two are similar yet distinct. HiTRUST certification acts as a means of HIPAA compliance. Since HiTRUST focuses on risk mitigation, organizations can choose recommended controls based on their use cases. Each self-assessment and CSF assessment starts with the organization’s organizational, regulatory, and system risks then aligns those to the necessary security controls.

However, while this enables compliance with the Security Rule, business associates need to ensure that they also maintain compliance with the Breach Notification and Privacy Rules.

What Does a Compliance Manager Do?

· ·

Many people think that a compliance manager does nothing more than checkboxes on forms. However, in reality, your regulatory program manager coordinates across a variety of departments within your organization to keep your daily processes in alignment with your policies, procedures, and processes.

What Does a Compliance and Regulatory Program Manager Do

What are the legal IT compliance requirements?

Legal requirements governing IT environments vary by industry.

As such, compliance managers need to know how to implement a variety of controls foisted upon them by different agencies.

For example, HIPAA governs the healthcare industry. Despite the high incidence of non-profit healthcare providers, many must still comply with the Sarbanes-Oxley Act of 2002 (SOX). This overlap of regulations requires strict attention since both invoke monetary penalties for noncompliance.

Financial institutions need to comply with a variety of IT controls set forth by the Federal Deposit Insurance Company (FDIC) and the Federal Financial Institutions Examination Council (FFIEC). Moreover, the Office of the Comptroller of the Currency (OCC) announced in 2018 that it would evaluate special purposes national bank charters to fintech companies, which will increase their regulatory compliance requirements.

These legal requirements often incorporate fines and penalties for noncompliance making them a compliance management priority.

What are compliance issues are related to industry standards?

Unlike government regulations, industry standards do not always invoke penalties. Despite that, competitive businesses must meet the best practices these standards control.

For example, the Industrial Standards Organization (ISO) established the ISO-27001 standard to develop controls over the IT landscape.

However, businesses that accept credit card payments need to comply with the Payment Card Industry Data Security Standard (PCI DSS). It’s important to keep in mind that although not governed by statute, PCI DSS noncompliance also comes with fines imposed by the payment card companies. Additionally, many payment card companies will stop processing payments for organizations that do not comply with the security standard.

How do compliance managers engage in program planning?

The first step to creating a compliance program lies in assessing risk. Your compliance manager will look at the potential threats to data integrity, accessibility, and confidentiality. Then, they will look at the types of data stored, accessed, and transmitted throughout your IT environment. Once they review these two things, the compliance manager will determine the overall risk a system, network, or software poses to your organization.

After this, the compliance manager determines whether you have the appropriate controls in place to protect data. These can include ethical as well as technical controls. For example, workforce members may want to use customer data for their nefarious purposes in the same way that external malicious actors do.

Thus, your compliance manager will ensure that your organization creates policies that govern internal access and authorization as well as ones that set controls such as firewalls, encryption, and other external threat mitigations.

Why compliance managers engage in policy enforcement

Once your compliance manager has reviewed the risks and controls in place that mitigate those risks, they will evaluate whether the organization enforces policies.

Writing policies is easy. However, it’s not as easy to maintain internal compliance with them. Think of it this way, as a child, you might have told your parents that you would clean your room, but if it was a chore you disliked, you often postponed it until the last minute. The same is true with many compliance activities.

For example, access reviews act as primary protection against internal and external data threats. However, updating access logs is time-consuming. Department managers need to review their workforce roles and responsibilities continuously. As employees change positions, even within a department, they may require different system access rights. While department managers may remember to ask for additional access, they often forget to send messages to their IT departments revoking unnecessary access. Unnecessary access can put data at risk since outdated authorizations become a threat vector for social engineering attacks.

Your compliance manager acts as a second set of eyes to review whether the internal communications process works as intended. Thus, by examining policy enforcement, your compliance manager enables a more robust security and compliance stance.

How to use a compliance management system to enable your compliance manager

Automated tools allow for stronger internal and external communications. Additionally, compliance managers can maintain better documentation over your organization’s compliance program when they have a single source of truth.

Compliance managers need access to and control over compliance documentation. If multiple versions of policy exist within the organization, then the compliance manager cannot protect against a potential standard and regulatory violations.

For IT compliance managers, this becomes an even more difficult task. Malicious actors continuously evolve their threat methodologies which means risk mitigation strategies can become outdated overnight. Thus, if a compliance manager is reviewing an outdated policy or procedure, they may find your company in noncompliance.

Access and authentication serve as an example. Increasingly, best practices include incorporating multi-factor authentication for employee access to systems, networks, and software. Many organizations are moving from a simple password-protected environment to one that includes a password and either something a user owns (such as a token or cell phone authentication) or something the user is (such as biometrics) or both of these authorization techniques.

If multiple versions of your access and authentication procedures sit on a shared drive, then your compliance manager may be unable to locate the most updated version. Additionally, if these sit on a shared drive and someone accidentally changes them, then the procedure’s integrity is at risk.

How ZenGRC enables your compliance manager

With ZenGRC’s compliance management software, you can share information between stakeholders and set the appropriate role-based privileges to keep your controls accessible yet safe from tampering.

Moreover, with ZenGRC’s built-in mapping capabilities, your compliance manager can more easily employ gap analysis to determine the additional controls needed to support your company’s compliance program.

Many companies assume adding the cost of a compliance management software on top of a compliance manager salary is redundant. However, a compliance system allows your employee to focus on compliance, meaning the organization’s protocols and policies, rather than spending time on tedious tasks like gathering information for audits. ZenGRC acts as a single source of truth streamlining the audit process.

For more information on how ZenGRC can maximize your compliance manager’s efficiency, request a demo today.

How to Monitor Compliance?

· ·

You’re feeling really great about your security-first approach to cybersecurity compliance. You created controls, aligned to frameworks, and continuously monitor external threats that can compromise your information.  If you only monitor compliance from a technology standpoint, you’re missing one of the primary causes of data breaches – employee awareness.

How to Monitor Compliance in the Workplace

What data breach statistic support employee training

Remember the days when you heard someone say fishing and conjured up a calming image of a solitary day on the water? No longer. Today, phishing is the biggest risk to your data.
In healthcare, phishing led to some of the top data breaches.

Unfortunately, healthcare isn’t the only victim of phishing attacks. According to the 2018 Verizon Data Breach Investigations Report:

  • 4% of people click on phishing campaigns
  • 17% of data breaches arose from employee errors

Employees don’t generally want to harm your business, but insider threats remain a major cybersecurity concern.

The 2018 Insider Threat Report explained that databases and file servers remain the most likely targets. Surveyed cybersecurity professionals  split their concern over insider threats with 47% saying they worry about malicious insiders and 51% worried about accidental or unintentional user threats.

Simply: you can deploy all the external threat monitoring programs you want, but your employees can still accidentally lead to data breaches that cost money.

Why you need to monitor for noncompliance

Sure, data breaches cost money. However, they’re not the only costs associated with poor employee cyber hygiene.

The Healthcare Insurance Portability and Accountability Act (HIPAA) penalizes healthcare providers and business associates anywhere from $100 to $50,000 per violation (or per record).

The Sarbanes-Oxley Act of 2002 (SOX) penalties for noncompliance include prison time and monetary fines.

In 2016, Wells Fargo employees established  unauthorized accounts for existing customers as part of a sale initiative that cost the financial institution $1 billion in fines.

Noncompliance and unauthorized employee access to information means not just data breach costs but also puts you at risk for regulatory fines.

Why employee training is important to compliance management

A primary function of compliance management is ensuring a group of people follow a set of established rules.

A security-first compliance program starts with establishing controls over your data environment and ecosystem. However, you also need to create a culture of compliance that gets employee buy-in. If your employees aren’t cyber aware, then all the data analytics in the world aren’t going to protect you from noncompliance.
If your employees click on malware that exposes databases to hackers, then you’re going to lose the peace of mind that your external threat monitoring intended to provide.

How to engage in cybersecurity compliance monitoring with employees

Training sounds easy, right? You give out some worksheets, policies, procedures. You have everyone read them. You offer a quiz to ensure they retained the information.

Unfortunately, most employees hate required trainings. They’re boring and lower productivity. So, what can you do to help employees be more cyber aware?

Make it personal

People are more likely to apply education when they see it as important personally. Whether employees are disaffected, uninterested, or confused, training works best when there’s a personal connection to the information. If you think employees don’t want to be more cyber aware for you, make them see it as something to do for their families.

For example, most employees use social media outside of work. The recent Facebook data leaks are a perfect way to connect the personal to the professional. If they’re worried about their personal information, teach them better password hygiene or focus on how applications talk to each other. If they start practicing this at home, they’ll do it at the office.

Focus on passphrases

Your IT department can control user access and user authentication methods. If you’re worried that your employees won’t be cyber secure, you need to make their actions mandatory. A recent Spycloud report explained that 59% of people use the same password everywhere. Since they’re afraid they’ll forget the password, they keep using the same one.

Ensure that you focus on creating a strong passphrase policy. With more hackers using computer programs to hack passwords, the typical random generated password no longer protects your data. Incorporate the idea of a passphrase – a personally meaningful phrase – that can stymie these mathematical guesses.

Use multifactor authentication

You need to make sure you’re incorporating more than one way into your systems and networks. You can hand out corporate tokens to employees or require that they use an authentication application when signing onto your networks.

Multifactor authentication means ensuring that employees are using something they know, something they own, and/or something they are. You want to give them a way to supplement the passphrase with either an object (cell phone or token) or a biometric (fingerprint, facial recognition).

Create clear reporting procedures

Your c-suite engaged in a risk assessment, but your employees may not understand the variety of data risks inherent in their daily business activities.
You need to define your information asset risks in a way that matters to their work. For example:

  • Phishing emails -make sure to forward anything suspicious to the IT department
  • USB drives – if you find one, bring it to the IT department so they can check it out. Don’t go looking for the owner by plugging it into your computer.
  • Pop-ups on websites – tell the IT department if you’re seeing these because our browsers shouldn’t be allowing them.

You want to give concrete examples based on the risk assessment and a specific point of contact to make sure employees can report suspicious activities on their devices.

How ZenGRC enables monitoring compliance in the workplace

ZenGRC provides task prioritization that help let you track compliance activities that reduce vulnerabilities by scheduling reviews and monitoring their completion dates. With these workflows, you can ensure that your IT department reviews user access regularly while also providing employees an easy-to-use reporting tool for suspicious activities.

As a single-source-of-information, the platform stores and supports remediation activities to prove your continuous compliance and continuous auditing approach to information security.

By using our intuitive interface, you can easily upload frameworks, objectives, and controls while also managing changes to those controls across a variety of frameworks.

For more information on how ZenGRC can enable your compliance efforts, contact us for a demo.