Solution Providers Turn To GRC Tools As HIPAA's 'Chain Of Liability' Grows


Some of 4A Security's clients struggle with the international compliance landscape as well, where restrictions and enforcement vary by country and can negatively impact the bottom line. Data classification projects are a challenge, but they play a big role in identifying the most sensitive data and reducing burdensome encryption or tokenization requirements, Goodman said.

"The chain of liability extends to everyone now," Goodman said. "They have to prove their compliance and they need tools that are not going to take an army to deploy and cost them an arm and a leg."

Greg Williams, a security compliance consultant for MMIC, the largest policyholder-owned medical liability insurer in the Midwest, said the company supports a variety of health-care providers -- from large hospitals and health-care systems to physician practices, outpatient and long-term-care facilities. Williams calls the health-care industry's progress substantial but still very much in its infancy in terms of adopting, embracing and managing a security program over time.

"They're all in different stages of compliance right now," Williams said. "They're all still incorporating controls and developing policies and we're helping guide them along the process."

The business of maintaining compliance has gotten increasingly complex, Williams said. For example, specialty care organizations may use business associates to help support various parts of the clinic and those third-party providers -- all with different risk profiles -- are under the same compliance requirements.

"They all have different and unique security profiles," Williams said. "One of the things that the industry struggles with is to be able to manage all their compliance needs over time."

PUBLISHED NOV. 19, 2013