I recently had the opportunity to speak with Bob Janacek, CTO and co-founder of DataMotion.
The company provides secure data delivery solutions such as encrypted email. It also conducts an annual survey (www.bit.ly/DataMotionSurvey) of companies representing a broad spectrum of enterprises, in which about half of the respondents represent IT. I always find this survey interesting because it helps me corroborate (and sometimes disprove) what I hear from others.
This year the big news is the increase in HIPAA compliance, with more than 90 percent of respondents having policies in place. This confirms much of what was said to me by the execs at Aria Systems regarding HIPAA billing compliance.
However, the good news about policy hides the fact that we still have a problem with method. Compliance in terms of policy has definitely improved; in terms of action, however, policies are often not adhered to, and enforcement is rare. This is not due to fraud or security breaches, but to a lack of education, planning and operational standards. Let’s break down the survey results and look for the root cause. The first is education: 56 percent of respondents felt the policies weren’t enforced, meaning the written policy was not followed up with any additional information. In effect, many employees took this as the company covering its responsibility, not as a reason to change their workflow.
In 20 percent of these cases, the employee may be right that the policy did not match the workflow requirements. Often the policy is written without a method. File transfer, email encryption, and secure messaging may be intended, but how to implement them is not specified. The employee then uses third-party solutions and is led to assume that any system is acceptable. The result is a hodgepodge of solutions that are unaudited and non-compliant.
Much of this has to do with two communication channels. The first involves partners, particularly small business partners that are significantly less concerned with compliance (HIPAA or otherwise), especially when the employee is more concerned with getting the work done with the partner than with the policy. Once again, the lack of a specification leads to accepting whatever the partner uses. Additionally, bring-your-own-device (BYOD) employees are often not audited to see what apps and tools are being used on their devices. The result is that the policy is further removed from employees’ experience. To be clear, the conversation was not about mobile device management solutions. Janacek and I were interested in the workflow and the apps, and had the perspective that the focus needs to be on the workflow and the transfer more than on locking down the employee’s mobility.
Of course, from DataMotion’s perspective this survey shows the value of its solutions for email, file transfer, and secure messaging. And I do see their value, but from a developer’s perspective, I want to take this message further and ask where the Internet of Things comes into play. For example, should the customer record be an IoT record that monitors and manages its own access? Should gateways be the place where security and policy are enforced?
All too often, developers punt on compliance and security, assuming that someone else is responsible for quality assurance and security verification. Most IT organizations expect the largest impact of IoT to be on personnel, and then on policy. This suggests that adherence can be improved through how we keep work moving. I look forward to seeing next year’s study show that policy is married to performance.
Carl Ford is CEO and community developer of Crossfire Media (www.xfiremedia.com).
Edited by Ken Briodagh