Just because a product or company calls itself smart doesn't mean it actually is.
I recently received a promotional email from a company selling a smart firewall. It was built, the marketing said, to protect connected devices. Out of curiosity, I visited the website where, not too surprisingly, I didn't find any type of security or privacy notice. Unable to temper my curiosity, I contacted the company to request information about the security and privacy of its device. No response. After two more attempts, I gave up.
But, I was left wondering: Did they not have any information to provide? Or worse, were they trying to hide something? Such impressions do not engender trust.
Would anyone consider securing a tablet, TV, smartphone, Internet of Things (IoT) door locks and other connected devices, as the email suggests, with a technology that can't be trusted to keep safe the data it collects?
Sadly, I think many would. In fact, far too many people likely wouldn't even think twice about it. And far too many companies get away with not having adequate privacy policies in place.
This is no reason to ignore the very real need to have a privacy policy, as well as basic information about information security practices.
What is a privacy policy?
A privacy policy is a statement, such as one posted on a website, or a legal document, such as those banks and credit card companies send to you annually, that discloses the ways a party gathers, uses, discloses and manages personal data. It often fulfills a legal requirement. Yet it is also a critical component of any reputable business's security program, and of meeting de facto internationally accepted privacy standards. Importantly, it lets a company's customers, clients or patients know it cares about the security and privacy of their data.
Unfortunately, privacy policies are often nonexistent or treated as nothing more than a formality. In these circumstances, the policies are often inadequate, poorly maintained and/or unenforced.
In addition to failing to prepare and communicate privacy policies, an alarmingly large number of businesses have not performed privacy impact assessments (PIAs). Of those that have, many of them are more than two years old. That length of time may as well be decades, given the rate at which technology is changing and new vulnerabilities are being introduced.
Insist on privacy policies
Businesses should only partner with entities that can demonstrate they take data security and privacy seriously.
There are a number of resources you can use to evaluate the entities you do business with. Here are a few:
Assessments. A privacy impact assessment identifies risks to personal data and potential harms to the associated individuals. It is becoming an expected activity within all information security and privacy programs, as well as a legal requirement within a growing number of U.S. and international regulations.
Surveys. A vendor security and privacy assessment survey, particularly a concise one that gets to the point without redundancy, is a great way to quickly get an overall sense of an organization's approach to privacy. Watch for answers to questions that do not match the organization's actual practices. For example, if the company indicates it has a policy to use passwords that are a minimum of eight alphanumeric characters in length, but you find its passwords are actually five alphabetic characters, that is a red flag. It shows the organization does not comply with its own security and privacy policies. It makes a person wonder: Are they not complying with all their other security policies? That would put the data you've entrusted to them at great risk.
Contracts. When partnering with an organization, include within your contracts a security and privacy clause that provides, at a minimum, a right to audit, to request completed risk evaluations on a quarterly or bi-annual basis, to be notified of and approve subcontractors with access to sensitive data, and to review documented information security and privacy policies.
Attestations. Obtain from executives monthly or quarterly attestations that security and privacy programs are maintained and enforced. This establishes personal accountability and responsibility for the executives to ensure appropriate safeguards are in place. It is a powerful motivator to make sure these actions are performed, since a business leader can be personally liable.
Affirmations. Third-party affirmations, such as SSAE 18 SOC 2 reports or ISMS certifications, are a good testament to the company's privacy and security practices. Keeping track of these is made easier with cloud-based tools like SIMBUS Tracker, which provides businesses with access to documentation of vendor certifications and affirmations, along with assessments and key security and privacy program validation.
The next time you consider partnering with an organization, or even responding to an ad for a new smart device, be sure you understand the company's approach to privacy and its commitment to keeping your data (and that of your customers) safe.