What do IT and healthcare have in common? We know this sounds like a bad setup to a joke about viruses, but this is serious. We would never joke about something this serious.*

Back in 1996 (just a year before Ripple was founded), the Health Insurance Portability and Accountability Act (HIPAA) was established to create national standards for the security and privacy of health information.

This very official “mind your own damn business” policy set the precedent for other organizations and businesses in regard to security and privacy. This domino effect means that HIPAA marked the beginning of the modern era of IT security compliance laws. Just a few short years later we had Governance, Risk Management, and Compliance - thankfully shortened to GRC - popping up in research papers as a term to collectively describe “reliable achievement of objectives, while addressing uncertainty and acting with integrity”

Compliance. The word evokes little to no emotion. Maybe boredom. But whether you realize it or not, it’s important to you. It reduces your risk and protects you, both as a company or as an individual, from legal fines, sanctions, and other potential liabilities. It protects you as a consumer. Compliance demands ethical behavior within organizations and encourages everyone to work towards the common goal. Having a strong compliance program is necessary to run a successful business. So what do you need to make sure that you and your company are compliant?

The foundation of a strong compliance program consists of 5 essential components:

1. Policies & Procedures

Who is crafting your internal policies and procedures? Almost certainly these exist in HR for workplace behavior, but what about your IT policies? New security threats to your business arise daily and regulatory demands change monthly, meaning most teams end up having to choose between their regular work or updating policies and procedures. Often, this means that the daily tasks take priority over keeping compliant. Taking advantage of an MSP or co-managed IT that is already SOC 2 certified is a big help, because you know that they already maintain their systems and policies to the maximum standards.

2. Data Retention

We’re sure you have certain people in your life that are notorious for running out of space on their phone because they keep so many unnecessary files, conversations, pictures, videos, and apps. And any time their phone prompts them that there isn’t enough space to perform an action, they always find something that they can delete because there is so much unnecessary information on their phone. Companies need to be mindful in how they deal with data that is not necessary to keep. Not because of storage issues (although that could be a concern), but because of the risk involved in keeping data that you no longer need. That’s why it’s critical to have clear data retention and deletion policies. These policies include not holding onto data longer than necessary, giving your customers secure access to know what data is held, and the ability to request deletion.

3. Threat Protection

As a company, you need an active defense against malware and malicious actors, aka “bad guys”. Let’s say that someone hacks into your systems and now you have a ransomware problem. Yes, there is a cost in paying the ransom for returned access, but that’s not necessarily the end to your financial problems. A breach opens you up to compliance audits resulting in extensive fines and even potentially litigation as issues such as improper data storage are exposed.

4. Encryption

The most common way for hackers to gain access to your systems is through email. It’s easy to think, “I would never fall for an email scam! Everyone knows the foreign prince scheme.” But hackers have gotten a lot more sophisticated and are able to gain your trust by posing as an authority figure or even someone close to you. That’s why secure email is critical. Business email compromise (BEC) is the easiest path to access sensitive data. Thankfully, it’s also easy to protect with encryption and other email threat protection services.

5. Archiving

Storage is important, but it’s not just enough to be able to safely store data. You need to know exactly what you are storing and for how long. Can you imagine throwing all your possessions in a deep closet? No bins, no shelves, no organization. Sure, it’s stored. But that fire extinguisher you threw in there doesn’t do any good if you can’t access it. On the other hand, if you haphazardly tossed some perishables in there, you are going to have a problem. The data your company keeps is no different. A good modern archiving tool can help you determine what data to store, how to store it, and allow your team to enforce both regulatory requirements and internal policies.

 


IT security affects compliance in many ways, from helping companies maintain accurate and up-to-date records, monitoring employee activities to detect any potential compliance issues, automate compliance procedures, and be used to protect confidential information to ensure compliance with data privacy laws. Save yourself time, money, and a major migraine by taking the steps to become - and stay - compliant in your industry.

 

*We absolutely would and will joke about this stuff.

Q. What do you call a YouTube sensation with a computer virus?
A. A social influenza.