We always get asked, "What are the three keys to compliance success?" Compliance can be confusing and knowing where to start is not always clear. We recommend starting with a risk assessment or risk audit. The next step would be revision or creation of policies and procedures and then making sure you have the right education for your workforce. Here is a closer look at each one.
STEP ONE: Risk Assessment
STEP 1: RISK ASSESSMENT A risk assessment, will show you what percentage of risk your business is at in regard to the data you have of your customers. The assessment answers the questions, “what risk is the data at?”, “How is your network secure?”, and “Do you have policies and procedures to make sure your security platform is dialed in?" A full risk assessment will take some time. It is made up of 150+ questions that go into very specific detail on how you are protecting PHI.
Part of this assessment should include a look at cybersecurity. The key piece is understanding your directory services. How do you handle user IDs? Do you do it manually? Do you actually handle it through Active Directory or Google Workspace or another type of platform?
HIPAA compliance is often the focus of these assessments but now GDPR compliance, California’s CCPA, New York SHIELD Act, Texas HB300 also have regulations that have to be met regarding PII (Personal Identifiable Information). And this coming year more states will come out with their own privacy regulation laws. It is important to be aware of these if you do business with or have data on people in various states.
Once the risk assessment is complete you get a report. It is color-coded with the colors of criticality. Red is the most critical. From there we create an action item list. As part of the VanRein Compliance Framework, we have a client project management tool, which is like a task tool in that it helps your team assign action items, and get them to the right person or the right team. This could be your IT team, or maybe your compliance officer.
Know your level of risk
We follow you along with that process. Progress on action items is closely followed so that we can reduce your risk even further the following year when we perform a gap assessment. When we started VanRein Compliance years ago, we used to just do annual assessments, and then after the assessment, we would just come back about 10, 11 months later and say, "How are we doing?" We found that it is tough to get everything done.
The thing about HIPAA and PCI and GDPR and compliance as a whole is that you have to focus on it every day. Maintenance is importance. It's not just one-and-done, the law was not created for it to be that way. It's got to be ongoing and your team's got to know what to do. That is why we changed our process and don’t walk away and leave you to complete the tasks, we walk alongside you to support you as they get completed.
STEP TWO: POLICIES AND PROCEDURES
Next create policies and procedures that will keep your organization in compliance. We have a dedicated account manager that only focuses on those policies. So, what are the top policies we see? Privacy is one.
Sanction policies are another. Sanction policies refer to how your business handles employees who quit or employees that are terminated, specifically their access. We have businesses we talk to and they don't really have a policy or procedure in regard to access. Their access gets turned off eventually but, unfortunately, this can lead to things being stolen because access hasn't been cut off right at termination. Sanction policies are big.
Password policies are important. Believe it or not, people still do not have complex passwords! An example of a password policy could be that passwords have to be changed monthly, or they have to have a certain number of characters that are a mix of letters and numbers, etc.
With HIPAA, we often see a lack of access logging. Access logging and auditing are other important policies. The VanRein Framework includes these typical policies and procedures, but we also look at the policy and procedures that you've created for your business.
Your business may have some unique needs as far as policies go. You may have global policies or a per-location policy. We look at your unique business and take it into consideration. There should be policies and procedures for each location that you have. Often our customers have unique policies for each location. It is important to track of that and look at what you have to make sure that it is enough. Some policies may need additional language, and that's where a managed compliance partner like VanRein can help, we help create those custom policies for you.
Maybe you are thinking, "Well, I can just go buy template policies for less money." Sure, you can Google anything. Actually, you can get all the templated worksheets and everything right off the internet. But when you go into an audit, you're going to get flagged because they're not customized. Compliance management is not the same for every organization.
Important examples of where a template could fall short are disaster recovery and business continuity planning. If you have your data and servers on-site, if you're all cloud-based, which a majority of everybody is, you can't just assume that it's backed up on the cloud. What do you have to do? How do you back that up? Is the data geo-located? What are we doing with that? Those are some of the issues that we're working through in disaster recovery procedures. Other examples of policies you might need are Business Associate Agreements (BAA’s) and Subcontractor Agreements, remote work policies, and bring your own device policies. Policies and procedures are another reason why customization is necessary.
STEP 3 EDUCATION
Education is key. Knowing what data is, what data protection is, protecting PHI, cybersecurity risks, ransomware attacks, and all that good stuff. We offer on-demand training for HIPAA, Texas HB 300, GDPR, CCPA, New York SHIELD, and others, In fact, we have a whole library of on-demand courses on www.vanreincompliance.com/courses. We also create quite a bit of custom training for our customers so that it fits the needs of their business.
We feel very strongly about educating your staff and your employees so they know what to look for if an incident occurs, if a ransomware attack occurs, or if they see a weird phishing email. It's very important to educate your staff and employees. Employees should know the regulations that apply and why they are necessary, as well as what could happen if they are not followed.
Our education is not about just checking a box. It needs to be engaging so that when you go back to your work you are thinking “how can I protect this data?”
If you're looking for check-the-box compliance, that doesn't work, and that continues to show through a lot of issues. If you just check the box of compliance, you will have incidents, you will have breaches. That's why so many companies have had breaches lately, they've just checked the box. You should look for compliance management solutions that can be customized for you organization.
To recap the three action items that you can take back to your business. First, ask yourself, if your business has had a risk assessment in the last year. Second, does your business have policies and procedures? And third, is your staff trained and educated? Those are three straightforward things you can take back to your business right now. Whether you're the owner, you're the compliance officer, you're the privacy officer, security officer, these are three things that you can answer, and if they're all no, we're happy to help you. Give us a call. We'll talk to you about it.