Laws, Standards, Mapping, and HIPAA

Today is the last day of Norwich University’s Masters programs residency week; this afternoon is graduation.
It has been a great week. I have loved chatting with the students and faculty, and I’ve compiled a page full of topics I want to research and blog about!


One of the topics I discussed with some students was the challenge of trying to comply with multiple regulations, standards and laws at once. Folks are always looking for resources to help them see the commonalities in the requirements across these different types of directives, which is not only understandable but a great idea.
Some of the best resources I have found for mapping a large number of laws, regulations and standards to their common requirements are the Unified Compliance Project (UCP) tools from the IT Compliance Institute.
For full disclosure, yes, I co-authored my last book, “Say What You Do,” with one of the authors of the UCP tools, Dorian Cougias.
However, I have no direct connection to, or financial interest in, the UCP tools, and I do not make any revenue whatsoever from them.
Yes, these tools do have a price. However, when you consider the amount of time they save you from doing the mapping yourself, and that they are much more comprehensive and immediately usable than the free mapping documents I’ve seen, I think they are a good investment for organizations of almost any size.
As I was thinking about this topic and doing some scans of recent news stories related to it, I ran across an article in SC Magazine, “Shedding some light on PCI DSS.”
The article itself contains some valid points and information; however, I cringed when I read the following paragraph near the beginning of the article:

“While the PCI DSS is much more detailed and specific in what organizations are required to do, versus other standards like Sarbanes-Oxley and HIPAA, much is left to individual interpretation as organizations attempt to achieve the compliance necessary to participate in online commerce.”

The Sarbanes-Oxley Act (SoX) and HIPAA are *NOT* standards! They are laws.
In general, laws cannot be detailed down to specifically required technologies or other detailed requirements such as those found within standards. The process of making laws and putting them into effect does not make this feasible, and given the speed at which technology, products and services evolve, it would not be good to include such details within laws anyway.
Data protection and privacy laws are generally similar to information security policies within organizations: they state the goals that covered entities must meet for specific issues. They often include references to standards that can be used to meet compliance.
Laws are not standards in the same way that organizational information security policies are not organizational information security standards.
Sometimes some of the requirements within laws evolve into what are considered “de jure” standards. We cover this in great detail in the Say What You Do book. I had great fun writing the bulk of the chapter on standards; you can find an excerpt about standards from the book here.
As another example, the U.S. Federal Trade Commission (FTC) has stated multiple times that it considers the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule a standard of best practice that all types of organizations, not just financial institutions, can follow to demonstrate a standard of due care.
Oh, and while I was going through SC Magazine for the article I mentioned earlier, I ran across another article, “SSL: The handshake that requires scrutiny,” that included the phrase “Health Insurance Portability and Accounting Act (HIPAA)” in its text.
AARRGGGHHH!!
It is the “Health Insurance Portability and Accountability Act“!
Making such an error in the name of a regulation can completely blow the credibility of the author and the entire article.
I do not know who made this mistake, the author or the publisher’s editor; I’ve had editors change my writing in ways that introduced errors into the published version, and it really made me see red to have their mistake undermine the effectiveness of something I wrote.
Writers, please be sure that when you reference a law or regulation you have the correct title!
Publishers’ editors, when you change writers’ articles, please let them proofread your final version before publishing to ensure you do not introduce any errors into the article!
