You Need to Actually Do What Your Policies Say!

This week I spoke with a small (~25 employees) organization (a business associate providing services to healthcare providers) that contacted me looking for help; they had purchased a whiz-bang “HIPAA compliance GRC” solution that included with everything else information security policies, but they couldn’t make any sense of the policies they were given or how they related to the rest of the expensive GRC tool.  Grrr!! There are too many vendors committing this type of product fraud, and it is putting too many organizations at risk…having so-called policy documents that are not followed or supported by an organization’s actual activities not only put them at risk of non-compliance with a wide number of information protection regulations and legal requirements, but it also leaves the organizations vulnerable because they are not actually establishing a framework of sound policies, customized to be applicable to their organization, that are effectively mitigating security and privacy risks, and preventing incidents and breaches.

“Free” is NOT “Proof”

This year it has really bothered me to see a growing number of information security and privacy vendors downplay the importance of information security and privacy policies.  Or, many I’ve seen throw in “free” policies if an organization will buy their security tool, and the vendors say that their customer can then show those freebies as “proof” of compliance if they are ever audited. Proof of what? That the organization can do a copy and paste, or download from the vendor’s site? More often, the organization seeking help has no background in or understanding of information security and privacy compliance, so they are depending upon the security vendor to know what they need do, when in actuality, the vendor may have just seen an opportunity to put together a whiz-bang slick-looking tool and make a bundle of money without ever even having been involved in information security or privacy compliance before.  Some have even gone so far as to buy “awards” to make it look like they have experience, and that their service or product has been thoroughly vetted by someone with information security and privacy compliance understanding. Too bad that more often than not all they understood was how to accept a sizable payment from whomever wanted an award.

Four years ago one vendor that asked me to help them with a HIPAA risk assessment tool they were creating wouldn’t actually take my advice when I told them that simply copying and pasting the HIPAA regulatory text verbatim into their flashy tool would not be acceptable as an organization’s policies; that each of their client organizations needed to modify the policies to fit the way their businesses actually worked. Their VP of Marketing actually put “free” policies in with their HIPAA GRC service offering, advertising them as a “free set of policies that  can be used, as-is with no extra work necessary, as proof that your organization is in compliance!” I told that VP that he couldn’t make such a claim; that organizations must have policies that support their business, and that they must actually be following them. He dismissed my advice saying, “Ah, I’m just putting in some marketing spin! It doesn’t really mean anything.”  Wrong, it meant a lot. I stopped helping that organization and decided to create something that would provide meaningful customized policies, procedures, forms, tasks and logs to fit the needs of the organizations using it for compliance.

“What does this mean? I don’t know if we’re doing this!” 

I want to provide a portion of the discussion I had with the business associate I mentioned at the beginning of this post. Here is one of the policies they were given to use, “as-is”:

“Policy:  The Business will implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.”

The BA asked me: “What does this policy mean?  I don’t know if we’re doing this! When I asked the vendor I got it from, he said that if we use passwords then we are doing this; that we’re in compliance with this. But this didn’t seem right to me, since there is a different policy for passwords. He told me not to worry about it. Well, I am worried about it! My clients (which are CEs) are asking to audit our policies, and I don’t want them to find any shortcomings.  I can’t afford to lose clients over this!”

Me: “Your instincts are good. Ensuring data integrity involves a lot more than just using a password for your type of organization, and really for most organizations.” I then described the activities they should be doing to be in compliance with this policy, and some others they could consider using.  I also discussed the importance of having procedures to support the policies; that clearly documented the actions necessary to comply with the policy.

All organizations need to have procedures to support the information security and privacy policies, so that all personnel know what they need to do, consistently, in order to meet compliance with the policies. If organizations don’t have such procedures, and simply have a set of free unchanged policies, regulators, auditors, clients and business partners will know that the business is not doing any actions to actually be in compliance with the policies. Especially if they cannot explain what a policy actually means! 

Here are three good reasons you need to have policies that are customized to meet your business, and are supported by procedures that are relevant to business job activities.

1. Regulators check to see if you comply with your policies

Here’s the first reason you cannot just take pre-written non-customized policies and use them for “evidence” that your business has appropriate security safeguards and privacy practices in place: the regulators and their auditors will check to see if you understand your policies, and also check to see if your operations match your policy requirements.

Consider the following:

1)    The Department of Health and Human Services (HHS) Resolution Agreement with Massachusetts Eye and Ear Infirmary (“MEEI”) and Massachusetts Eye and Ear Associates, Inc. (“MEEA”) explicitly states:

“(3) MEEI did not adequately adopt or implement policies and procedures to address security incident identification, reporting, and response from the compliance date of the Security Rule to March 8, 2010.

(4) MEEI did not adequately adopt or implement policies and procedures to restrict access to authorized users for portable devices that access ePHI or to provide it with a reasonable means of knowing whether or what type of portable devices were being used to access its network from the compliance date of the Security Rule to March 8, 2010.

(5) MEEI did not adequately adopt or implement policies and procedures governing the receipt and removal of portable devices into, out of, and within the facility from the compliance date of the Security Rule to May 17, 2010. MEEI had no reasonable means of tracking non-MEEI owned portable media devices containing its ePHI into and out of its facility, or the movement of these devices within the facility.

(6) MEEI did not adequately adopt or implement technical policies and procedures to allow access to ePHI using portable devices only to authorized persons or software programs from the compliance date of the Security Rule to June 15, 2010. MEEI did not implement an equivalent, reasonable, and appropriate alternative measure to encryption that would have ensured confidentiality of its ePHI or document the rationale supporting the decision not to encrypt.”

2)    Look through the other HHS Resolution Agreements.  All document similar findings with a lack of adequate policies, and lack of organizational compliance with the policies.

3)    Look at the FFIEC IT Examination Hand Book: The audit procedures in Appendix A explicitly require the full set of policies, in addition to explicitly specified policies, in 44 different locations within the audit procedures. This is used for financial industry and bank audits.

4)    The FTC has 58 personal information protection laws, rules and guides that include the need to document information security and privacy policies, and then to also ensure personnel are actually following them.

And I could continue on for many pages.

2.    Others will check to see if you comply with your policies

Growing numbers of businesses that have been burned (financially, reputation-wise, and with regulatory fines and sanctions) by their business associates, and other types of business partners, and now realize that they need to do more than just include a brief security clause within their contract.  More and more law firms are recommending that organizations be pro-active in checking on their business partners’ compliance activities.  Too many business leaders still think that the only time their business will be audited is if they have a breach.  Business leaders need to understand that the tide has turned; their information security and privacy programs, including their policies and procedures, can be audited basically at any time by a business partner, client, state attorney general, and a laundry list of regulatory agencies, without having a breach as a prerequisite.

3.    Customized policies improve business

Compliance with customized policies improve security and reduce the number of privacy breaches as a result of clearly specifying the expectations for how workers need to protect information during the course of their daily work activities. By additionally having procedures to support the policies, workers can then better understand, and as a byproduct better safeguard, information by following specific steps and activities that are tailored for the organization’s environment and business.  Think about this; according to a December 2012 Ponemon Institute study, “Small and midsize businesses . . . are at a greater risk of their employees mishandling data than enterprises.” Why is this? Some significant reasons include 1) the lack of business applicable information security and privacy policies, 2) lack of procedures with detailed instructions for how to comply with the policies, and 3) lack of training and awareness communications about the policies and procedures.

By having workers follow the same policies and work-related procedures consistently throughout the organization, security and privacy compliance is made more efficient, saving time and preventing incidents and breaches. Additionally, having all your information security and privacy documentation managed from a central location provides a much more efficient way to provide regulators and auditors access to this type of documentation, saving your staff time, and making the duration of such audits shorter. 

Do what you say

An important point about your policies, from a short fallings aspect, is that your organization needs to actually be doing what your policies state. This is a common problem, and audit finding, at BAs and CEs (and throughout all industries, actually).  Sometimes the policies are comprehensive, but the organization is not actually following them. I would encourage you to review your policies and identify any of them that you are not actually operationalizing or otherwise following.  Then, determine

1)    do you need to update your policies to better fit your organization’s environment, or

2)    do you need to change your business activities to support compliance with the policies?

Bottom line for all organizations, from the largest to the smallest:  Your documented, published policies establish your business to be accountable for following them, and a responsibility for all your personnel to follow them. They create the blueprint by which you will be audited. You need to make sure that your policies are customized to fit your actual business environment, and then make sure you are following the policies.

Additional information about the need for customized policies

Find some good additional information about the need for good, business-representational information security and privacy polices here:


This post was written as part of the IBM for Midsize Business ( program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a Reply