Features
Common-Sense Security
Welcome back to Compliance University! This month, I present six rules for applying compliance common sense to your security purchasing decisions.
- Make purchases with reference to your overall strategy. What is your tolerance for risk? Are you willing to spend whatever it takes to close every possible breach of security? It is important to identify your perspective toward security compliance and the areas where you need particular focus before you spend money. All of your subsequent spending decisions should be consistent with that perspective and focus.
- Focus on the practical risks your security systems face. Firewalls and virus-detection systems are worthless if someone can break into the room where your hardware is maintained. Conversely, you may conclude that physical security is not a top priority. Again, make sure your solutions align with the dangers you identify, and that those dangers are realistic for your activities.
- Accept that neither HIPAA nor common sense requires you to treat each potential problem the same way. Not all data require the same level of protection. The more sensitive or vulnerable the information, the more you should protect it. The consequences of accidental disclosure of infusion therapy given to an AIDS patient may be more significant than the accidental disclosure of a patient's need for a manual wheelchair.
- Make purchasing decisions based upon your staff's needs and abilities. It is easy to focus on state-of-the-art product features. Who wouldn't want the strongest possible encryption system? But it does you no good if your staff isn't capable of using the system, or if it takes too much time to do so. In many cases, a good firewall that a systems administrator can maintain as part of ordinary operations will serve you better than a state-of-the-art firewall that requires high-level maintenance skills.
- Don't lose sight of the trees for the forest. Your security purchases are only as good as the overall security profile they support. Modems, wireless access points, routers and firewalls can defeat your security infrastructure: they are the entry points from which inappropriate services can be enabled and ports can be opened. Without controlling the process by which you add users and equipment, you may not be able to secure the network.