Privacy and Compliance

Businesses that have instilled a culture of compliance view privacy and security not as a burdensome list of boxes to be checked during a once-a-year review, but as a set of systemwide priorities that affect every company decision.

A culture of compliance starts at the top, with a committed senior leadership team that leads by example, and extends all the way to junior staff, with responsibility and consequences at every level. The goal is to ensure that each employee at every tier of the organization understands both the importance of safeguarding confidential data and how every employee helps fulfill that obligation.

Protecting Privacy

Businesses need to be confident that their potential third-party partners have the systems and safeguards in place to keep data secure and confidential. The following list of best practices can be used as a tool to evaluate vendor privacy policies and compliance. An effective third-party vendor that prioritizes privacy should meet the following criteria:

  1. Vendors that handle sensitive information should have a senior-level privacy official dedicated to ensuring that the vendor’s business operations and employees comply with privacy regulations, policies and procedures.
  2. A written breach notification policy should require vendors to provide notification following a breach of unsecured data. The notification must contain, to the extent possible, the names of each individual affected by the breach and any other available information that the covered entity must provide in its notification to affected individuals. Without written policies in place, it’s impossible to make sure vendors are abiding by consistent standards.
  3. If a privacy breach event occurs—specifically an incident involving the unauthorized use or disclosure of sensitive data—the vendor should, at a minimum, have policies and procedures for investigating, mitigating and documenting the incident. When a vendor maintains a culture of compliance, its employees constantly ask themselves whether the tasks they perform—no matter how routine or unusual—adhere to these principles.
  4. As part of its vendor-review process, a company should check that vendor employees receive training on privacy policies and procedures when first hired. Vendors should also, at a minimum, conduct annual training to ensure that privacy and security policies stay fresh in their employees’ minds. And because human error is one of the greatest sources of privacy and security incidents, vendors ideally should provide training on how to avoid malware attacks, including social engineering such as phishing, in which cybercriminals manipulate or deceive users.

Adhering to privacy compliance standards and demonstrating that adherence requires commitment, discipline and rigor. Information privacy and security is not a bolt-on service or a package that can be purchased. Rather, as a best practice, it should be integrated into every process and procedure.

Beyond this framework, an organization can also demonstrate compliance by achieving certifications or attestations of compliance against security standards, such as those of the International Organization for Standardization (ISO), the Payment Card Industry Data Security Standard (PCI DSS), Service Organization Controls (SOC), and the Health Information Trust Alliance (HITRUST). To achieve one or more of these certifications or attestations, a knowledgeable and trusted third party must conduct an audit and verify that the vendor is able to demonstrate compliance with the standard in question. Certification to the above standards can provide assurance, but it does not always tell the entire story, nor does it by itself equal compliance.

Notably, a majority of cyberattacks begin with a “spear phishing” email. The email appears to come from a legitimate, familiar sender who attempts to elicit a specific response from the recipient; for example, the sender may ask the recipient to provide confidential information or to click on a link in the email. Untrained employees compromise an organization’s security. Therefore, it is vital that employees receive training on how to detect and report social engineering attempts. In addition, annual training should be updated to reflect new regulations, industry standards and changes to business processes.

Put simply, security refers to the controls and processes that protect data from being accidentally or intentionally accessed by unauthorized individuals. Privacy, on the other hand, refers to the policies and procedures that control how patient data can be accessed, used and disclosed.