Businesses that have instilled a culture of compliance view privacy and security not as a burdensome list of boxes to be checked during a once-a-year review, but as a set of systemwide priorities that affect every company decision.
A culture of compliance starts at the top, with a committed senior leadership team that leads by example, and extends all the way to junior staff, with responsibility and consequences at every level. The goal is to ensure that each employee at every tier of the organization understands both the importance of safeguarding confidential data and how their own role helps fulfill that obligation.
Businesses need to be confident that their potential third-party partners have the systems and safeguards in place to keep data secure and confidential. The following list of best practices can be used as a tool to evaluate vendor privacy policies and compliance. An effective third-party vendor that prioritizes privacy should:
Adhering to privacy compliance standards and demonstrating that adherence requires commitment, discipline and rigor. Information privacy and security is not a bolt-on service or a package that can be purchased. Rather, as a best practice, it should be integrated into every process and procedure.
Beyond this framework, an organization can also demonstrate compliance by achieving certifications or attestations against recognized security standards, such as ISO/IEC 27001 from the International Organization for Standardization (ISO), the Payment Card Industry Data Security Standard (PCI DSS), System and Organization Controls (SOC) reports such as SOC 2, and the Health Information Trust Alliance (HITRUST) framework. In order to achieve one or more of these certifications or attestations, a knowledgeable and independent third party must conduct an audit and verify that the vendor is able to demonstrate compliance with the standard in question. Certification to the above standards can provide assurance, but it does not always tell the entire story, nor does it equal compliance. When reviewing a vendor's evidence, check what the certificate or report actually covers: the systems and locations in scope, the control set that was tested, the date or period of the audit (a SOC 2 Type I report describes controls at a single point in time, whereas a Type II report covers their operation over a period) and any exceptions the auditor noted.
Notably, a majority of cyberattacks begin with a "spear phishing" email. The email appears to come from a legitimate, familiar sender and attempts to elicit a specific response from the recipient, for example providing confidential information, clicking a link or opening an attachment. Untrained employees are the easiest way into an organization, so it is vital that employees receive training on how to recognize social engineering attempts and report them to the security team rather than act on them. Training should be repeated at least annually, reinforced with periodic simulated phishing exercises where practical, and updated to reflect new regulations, industry standards and changes to business processes.
Put simply, security refers to the controls and processes that protect data from being accidentally or intentionally accessed, altered or destroyed by unauthorized individuals. Privacy, on the other hand, refers to the policies and procedures that control how patient data may be accessed, used and disclosed, including by people who are otherwise authorized to handle it.