[ISN] Compliance isn't security, but companies still pretend it is, according to survey

From: InfoSec News <alerts_at_private>
Date: Fri, 20 Apr 2012 01:26:48 -0500 (CDT)
http://www.csoonline.com/article/704577/compliance-isn-t-security-but-companies-still-pretend-it-is-according-to-survey

By Taylor Armerding
CSO
April 19, 2012

It has become a cliche in information security: Compliance is not 
security.

But there is still an unsettling amount of denial out there, based on a 
recent study from HIMSS Analytics and Kroll Advisory Solutions.

According to the 2012 "HIMSS Analytics Report: Security of Patient 
Data," increasingly strict regulation and increased compliance from 
providers haven't slowed an increase in breaches over the past six 
years.

Yet, respondents to the survey, which included CIOs, compliance officers 
and HIMs, expressed confidence that they are better prepared for 
attempted data theft -- in spite of evidence to the contrary -- because 
they are in better compliance with regulations like the Health 
Information Technology for Economic and Clinical Health (HITECH) Act of 
2009.

This is the third of Kroll's biannual surveys of healthcare providers 
nationwide.

Along with numerous other security experts, Brian Lapidus, senior vice 
president for Kroll Advisory Solutions, says being in compliance with 
policy prescriptions is not the same as actually protecting personal 
health information (PHI).

The results of that are predictable. The number of organizations 
reporting breaches went from 13 percent in 2008 to 19 percent in 2010 to 
27 percent in the past year.

[...]


Received on Thu Apr 19 2012 - 23:26:48 PDT