Partner View

3 Steps for Maintaining Regulatory Compliance

Secure your corporate IT infrastructure by assessing, assigning and auditing.

• By Stephen Dress
• April 01, 2006

At Netrix, we assess the IT systems of health care organizations, finance companies and law firms every day. In the health care industry, the biggest issue is compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which has sparked a whirlwind of concern about how to best ensure the privacy of patient information.

While there are many interpretations of how best to address HIPAA, all involve a fundamental understanding that HIPAA compliance requires a documented process for closely controlling personal health information. This means that each organization must address the security of Microsoft systems that it uses to transfer, store and access health data.

There are three steps IT administrators should follow to address regulatory compliance within their Microsoft systems: 1) Assess, 2) Assign and 3) Audit. For example, if you were to implement a security solution for your home, you would first "assess" your current security by stepping outside and looking at potential points of weakness, such as windows and doors. Second, you would "assign" security controls to those windows and doors, perhaps by replacing locks and bolts. Finally, you would "audit" how the controls perform and decide whether the new locks and bolts provide adequate protection. By applying the same process to an organization's IT infrastructure, IT administrators can ensure that they're approaching HIPAA compliance, and the security of their Microsoft systems, in a comprehensive and systematic manner.

By far the biggest security issue for our customers involves file-level permissions -- including provisioning, or the allocation of file-access privileges to various employees based on their characteristics, roles and physical locations. During the initial security assessment phase, consultants can write a complex script to help customers identify potential compliance breaches related to file-level permissions, or they can use a third-party tool such as ScriptLogic Corp.’s Enterprise Security Reporter. Many IT departments are in the bad habit of leaving their security settings lax in favor of productivity, and others perform poorly at removing redundant employee security permissions as employees change roles or leave the company. The assessment phase identifies security concerns on the file level as well as other security factors. It is critical that companies look beyond their IT infrastructures and examine all elements of security, including file-level security, access controls and physical security.

During assignment, the second step of the process, companies must assign security controls to any weaknesses identified in the assessment phase. Many of our clients are investigating new technologies, such as dual-factor authentication, whereby more than a password is needed to access information. Often, secure tokens are used that provide an additional level of protection.

The third phase -- having an outside organization conduct an audit -- is perhaps the most important step. Some companies have insisted that they can check the security of their networks on their own, an approach that's ineffective at best. It's vital for companies addressing HIPAA compliance, or any other government regulation, to implement a scheduled set of third-party tests to evaluate the effectiveness of their security implementations.

Only with all three steps -- assess, assign and audit -- can the security of corporate IT be assured. Ensuring compliance with HIPAA and other regulations requires a gut check on a company's basic security approaches, both on the IT side and with physical security, but eliminating security issues now reduces risk to both the company and its customers or patients.