Solution Providers Turn To GRC Tools As HIPAA's 'Chain Of Liability' Grows

A tougher federal rule designed to protect sensitive health-care information is spurring interest in governance, risk and compliance tools, said TraceSecurity's Alan Fortier, who is spearheading the company's partner program.

Fortier, who was named director of channel sales at Baton Rouge, La.-based TraceSecurity in March, told CRN that the company has seen a lot of interest in its new partner program designed around TraceCSO, the company's cloud-based IT governance, risk and compliance (GRC) tool. TraceSecurity has more than 25 participants in its new program and expects to close the year with about 40 partners in place, according to Fortier.

TraceSecurity's TraceCSO tool is designed to help small and midsize businesses measure, monitor and document their ongoing information security programs. Like other GRC products, it audits systems against the business's compliance goals, reports how far along the business is toward meeting them, and helps those running the program prioritize what to fix first.

"Stiffer requirements and penalties are a driving force for business, so far and away the majority of our partners are focusing on health care," he said.

HIPAA privacy and security rules initially were aimed solely at health-care providers, health plans and other entities that process health insurance claims. In January, the U.S. Department of Health and Human Services strengthened the protections for health information set under HIPAA with a final omnibus rule, expanding many of the requirements to business associates of these entities that receive protected health information.

All organizations that work with protected health information were expected to meet the regulation by Sept. 23. But solution providers told CRN that many of their clients are still struggling to balance patient care with measuring their security and compliance initiatives.

Arthur Hedge, CEO of Morristown, N.J.-based managed security service provider Castle Ventures, said his company saw the need to offer a GRC tool to its growing base of health-care clients, as they were turning to it for guidance on security and compliance measures. Castle Ventures monitors customers' network security appliances and conducts log analysis to uncover suspicious activity, Hedge said.

"It's a burden on midsize companies to understand the regulatory requirements, and the compliance problem is increasing dramatically for those folks," Hedge said. "This is an opportunity for the information security manager to have a tool to go in and track all this activity from a business perspective."

Meanwhile, smaller firms with limited IT staff often don't have the budget or personnel for GRC software, said Ben Goodman, president of 4A Security, a new TraceSecurity partner.

"We are positioning it as a way you can log in and get reports, drill down and track the progress of security projects," Goodman said. "Our focus is on using the tools ourselves and offering it as a portal for our customers to get access to the results -- because we say that they're not in the business of compliance, they're in the business of their business."

Some of 4A Security's clients struggle with the international compliance landscape as well, where restrictions and enforcement vary by country and can negatively impact the bottom line. Data classification projects are a challenge, but they play a big role in identifying the most sensitive data and reducing burdensome encryption or tokenization requirements, Goodman said.

"The chain of liability extends to everyone now," Goodman said. "They have to prove their compliance and they need tools that are not going to take an army to deploy and cost them an arm and a leg."

Greg Williams, a security compliance consultant for MMIC, the largest policyholder-owned medical liability insurer in the Midwest, said the company supports a variety of health-care providers -- from large hospitals and health-care systems to physician practices, outpatient and long-term-care facilities. Williams calls the health-care industry's progress substantial but still very much in its infancy in terms of adopting, embracing and managing a security program over time.

"They're all in different stages of compliance right now," Williams said. "They're all still incorporating controls and developing policies and we're helping guide them along the process."

The business of maintaining compliance has gotten increasingly complex, Williams said. For example, specialty care organizations may use business associates to help support various parts of the clinic and those third-party providers -- all with different risk profiles -- are under the same compliance requirements.

"They all have different and unique security profiles," Williams said. "One of the things that the industry struggles with is to be able to manage all their compliance needs over time."