This post was originally published by (ISC)² Management.

Security Without Regulatory Muscle

As a security practitioner, you may have worked in an industry that was not affected by any regulatory authority. There was a time when security was not driven by governmental power. In many cases, this is why security did not exist in smaller organizations. The ideology that a company was “not an attractive target” to cybercrime was a cozy pillow upon which many C-Level executives rested their heads. Over the last twenty years, this has changed. In fact, not only has security been codified in law, but privacy has become an even stronger legal tool to stimulate security in most organizations.

In some of the early security and privacy regulations, there were exemptions based on the size of the company, as well as on its earned revenue. Most privacy regulations, however, do not offer those types of exemptions. Privacy exemptions are granted based more on the context of the data processing. For example, data processing for research or national interests can be excluded from regulatory consideration, but only if other criteria are met, such as pseudonymization and data obfuscation.

Privacy in the Land of Healthcare

Privacy in the healthcare field has always been a primary concern. Before the days of electronic records, printed medical records were stored in locking file cabinets. When in active use, such as during a patient visit, medical records were kept confidential, even from the patient under care. This may seem implausible to many people living in the relatively new “freedom of information” era, but patients were generally not permitted to view their own medical records. It is no wonder there were serious concerns at the early stages of proposals to create electronic, freely sharable healthcare records.

The obvious advantage of electronic health records is the ease with which medical professionals can access the information when needed. Through the use of patient portals, a person is now able to view their own medical file, enabling better care for themselves. The clear disadvantage is that anyone could gain access to records if they are not adequately protected. This emphasizes the need for qualified, trained healthcare security and privacy practitioners.
