As this year comes to an end, regulators seem determined to stuff as many announcements and proposals into the compliance “stocking” as they possibly can. Beleaguered compliance teams would probably rather receive a pile of coal. There’s one 2017 prediction that’s easy to make with confidence: Next year, sorting through and integrating a fresh batch of cybersecurity and data protection rules will be a major focus for heavily regulated sectors like healthcare and financial services. While mandates to protect sensitive data, applications and systems from accidental and criminal breaches are nothing new, many of the specific requirements are either new or newly codified from guideline to law. For example, both healthcare and financial entities face intensified emphasis on managing risk introduced by third-party vendors, certifying consumer data protections and reporting breach incidents.
HIPAA compliance pressure continues
In healthcare, much of the focus in 2017 will be on audits and data-breach enforcement actions carried out by the Office of Civil Rights (OCR). 2016 saw a marked increase in ransomware attacks and massive breaches of protected health information (PHI). As healthcare organizations big and small continue to struggle with risk analyses, cybersecurity controls and third-party management, the OCR is compelling them to improve their HIPAA compliance through desk audits, on-site audits and post-breach investigations and penalties.
The OCR completed almost 900 compliance reviews in the first half of 2016, and thousands of cases remain open. In that same time period, the OCR reached nine settlements totaling over $20 million, a dramatic escalation compared with the penalties levied in previous years ($28 million total in the preceding 12 years). Smaller healthcare organizations have been warned that OCR regional offices will be investigating breaches affecting 500 or fewer individuals. Likewise, recent OCR guidance specifically warns healthcare business associates (BAs) to carefully assess their compliance with HIPAA rules about processing and transmitting PHI.
In 2017, healthcare organizations and their associated business parties need to make and proactively maintain BA agreements, review and strengthen policies that protect data and cyber systems and follow through by implementing procedures and controls based on thorough risk analyses. With attitudes toward data privacy maturing and HIPAA enforcement expanding, keeping patients’ data safe will continue to be imperative to earning their trust and their business.
Financial services companies wait for answers
For banks and other financial services companies, the outlook is even more uncertain. The incoming administration has promised to negate provisions of Dodd-Frank and bring back Glass-Steagall divisions. Rep. Jeb Hensarling, chair of the House Financial Services Committee, is likely to forge ahead with the deregulatory blueprint he unveiled in June.
Meanwhile, New York recently proposed significant new state cybersecurity regulations for financial services (23 NYCRR Part 500), set to take effect starting in January 2017. Given New York’s prominence in the financial sector, these first-in-the-nation regulations regarding cybersecurity and data protection could become the de facto standard throughout the industry.
If the promise of regulatory streamlining comes to fruition, state-based regulations may have more impact. State regulations mean another layer of monitoring, reporting and auditing. For example, if a bank operates in multiple states, a changing multi-jurisdictional regulatory environment compounds compliance obligations and efforts. This is not good news for compliance teams that will be beholden to a patchwork of disparate standards and breach notification laws.
Banks and fintech partners have been anxiously awaiting further guidance and clarification from the Office of the Comptroller of the Currency (OCC) about managing the risk introduced by innovations like online lending and banking, digital wallets and algorithmic insurance and investment advising. Likewise, the proposed enhancements to cybersecurity rules published jointly by the Federal Reserve, OCC and FDIC in October hang in the balance. Waiting for final rulings on standards such as these leaves both business efforts and risk management efforts in limbo. In the interim, banks are likely deferring partnerships, major outsourcing and innovations until the rules have been defined. This cycle holds back banks and, in turn, hurts customers who would have benefited from such innovations.
In the meantime, financial institutions of all sizes should foster responsible innovation by continuing to invest in integrated risk management and compliance strategies. By strengthening and systematizing enterprise-wide cyber risk management and incident-response programs and extending the scope and defense of risk management to include partners and third parties, banks will be better prepared not only for whatever regulatory framework eventually prevails, but also for the ongoing imperative to preserve trust in their systems and services.
Managing expanding compliance burdens
The pressure to do more with less is unlikely to subside — financial and healthcare institutions are still primary targets of organized cybercrime, and the damage caused by massive data breaches has far-reaching consequences. Regulatory requirements may be rolled back in some ways (federal), but are likely to increase and become more complex in others (industry and state).
International regulations will have an increasing impact, especially as stringent EU consumer data protections come into effect in 2018. The extensive multi-factor authentication and encryption requirements issued by NY regulators highlight the ways in which new rules create sizable projects for already maxed-out businesses.
SMEs and IT service providers likely will see their compliance burdens increase dramatically, as the intensified focus on third-party risk expands the range of entities being held responsible for safeguarding the processing and transmission of sensitive data to include cloud service providers, software companies, medical device manufacturers and fintech innovators.
How to be resilient despite continual regulatory change
How can such a wide range of companies propel themselves into a constant state of preparedness and resilience in the face of constant change and challenge? The first step is to design an integrated, optimized blueprint for flexible and nimble risk management. Supporting this plan with technology helps to efficiently and effectively automate and centralize enterprise cybersecurity, risk management, vendor assessments and audit activities.
The scope and intricacy of this undertaking have rendered traditional approaches obsolete: spreadsheets, shared drives, manual workflows conducted through email and departmental silos of activity and documentation simply aren’t sufficient. Executives are increasingly being held liable; an expanding number of state regulations require board officers or senior compliance officers to certify their company’s risk controls and mandate that a designated CISO oversee the implementation of the new rules.
Boards and executives need unified visibility across the compliance landscape, and mechanisms for tracking regulatory changes, compliance activities and auditable entities (facilities, processes, vendors and information systems). Comprehensive, integrated governance, risk management and compliance (GRC) software solutions are integral to implementing holistic cybersecurity risk management and data protection programs that can be documented, analyzed, enforced and readily audited. These platforms import relevant data from multiple sources, organize records in a central location and ease communication across business units.
Being able to systematize assessments and inventories, automate risk management workflows and map policies to controls improves process maturity by reducing harmful gaps and wasteful redundancies. Vulnerabilities and risk trends are easier to spot, prioritize and manage with dashboards and custom reports, and an analytics engine can help stakeholders understand when key performance indicators (KPIs) reflect impending risk or loss of value in the organization. A full-featured GRC solution helps compliance and security teams integrate, triage and simplify critical IT security activities and prove to both internal and external stakeholders that controls and defenses are functioning as required.
Constant preparedness is not an abstract concept. It can be achieved with an efficient, effective and integrated blueprint for processes, implemented and tested controls, regular assessments and reviews, strategically planned responses and a commitment to collaborative effort and accountability across the enterprise.
Healthcare and financial services rely on trust-based relationships with patients, customers, vendors and partners. No matter the regulatory specifics, sustaining that trust by defending sensitive data and systems against cyber threats, exposure and exploitation must be a core competency. Optimizing and integrating information governance, risk management and compliance programs builds trust, increases efficiency and conveys advantage in these ever-changing and unpredictable times.
Sam Abadir is the director of product management at LockPath, a leading provider of governance, risk management and compliance (GRC) solutions.