Let the Law Decide
When it comes to reducing technology risk, sometimes the law can be your best friend. For CIOs in the healthcare field, for example, the Health Insurance Portability and Accountability Act (HIPAA) can serve as a guide to what is and isn't acceptable risk; it can also provide a definitive argument for taking a strong security stance.
"HIPAA dominates everything we do," says Jason Thomas, CIO at Green Clinic, an all-physician-owned facility with six satellite locations headquartered in Ruston, La. "We use it to look at all decisions: Where is this coming from? Is patient data protected? Are we encrypting data before we send it to someone else? If we send it, do they have a business agreement with us and are they HIPAA-compliant?"
Deciding what does and doesn't qualify as "HIPAA-compliant" isn't as straightforward as one might think. "HIPAA has a lot of requirements, but they're very vague," Thomas says. "It was written almost 10 years ago and nobody really knows what it says. That's led a lot of people to be either very lax or very stringent where HIPAA is concerned. Some don't worry about encryption or auditing their access — their interpretation is that it doesn't apply."
Green Clinic comes down on the stringent end of the spectrum, he says, and that has occasionally caused friction with both vendors and the doctors who want to buy their products. "There are a lot of sales reps out there, and they're frankly not always on our side," he says.
For example, Green Clinic's IT team insists on using encryption for all patient data. "We have a facility that does X-rays, and we had a vendor tell us they would set up their workstation, install their software, and that's how it needs to stay," Thomas says. From his point of view, having a device on-site handling patient data in a way he couldn't manage or encrypt was unacceptable. "I can't just have a workstation dropped at my door and everything's hunky-dory," he says.
Using HIPAA to insist on higher security standards has worked out for Thomas and his team. "I've had some vendors who've done it their way for 20 years keel over and do it the way we wanted," he says.
HIPAA works as a big stick only for those industries that fall within its domain. But nearly every industry has state or federal regulators it must answer to, and beyond that, a regime of contractual agreements. For instance, any organization that takes credit card payments directly must comply with the Payment Card Industry Data Security Standard (PCI DSS).
Then there are contracts with business partners and clients. For example, at ad agency Kirshenbaum Bond Senecal + Partners, CIO Matt Powell can refer to client contracts when he needs to rein in employees' enthusiasm for new cloud-based products. When the creative team recently sought to start using a cloud-based imaging system that integrates with Adobe Photoshop, Powell said no because the new software would give the provider access to client data. "If it moves out of our ecosystem, it creates a contractual issue," he says. Worse, some cloud providers have terms of service that give them the right to reuse any uploaded data, something that's clearly out of bounds for anything belonging to clients.