reveal that many organizations have not implemented adequate safeguards/controls, or taken adequate remediation steps to correct compliance gaps. Initial audits conducted by the Health and Human Services Office of Civil Rights (HHS-OCR) in 2011 found a widespread lack of follow-through or attention to remediation. These findings are punctuated by commonly occurring, high-profile, and highly penalized breaches caused by easily preventable issues. To address these issues, many regulatory agencies are taking an increasingly aggressive approach to enforcement. OCR has launched a second round of audits focused specifically on the common lapses revealed previously.
To be protected from breaches and punitive enforcement action, we recommend a proactive strategy to manage IT Security risks and ensure regulatory compliance.
Not every breach can be avoided. But, through a strong security management program, organizations can minimize the severity of a breach and the potential for heavy penalties. A strong security program consists of:
- Periodic risk assessments;
- Remediation of identified gaps;
- A risk management program that works to identify new risks on an ongoing basis; and
- Documentation of risk treatment, which is as important as remediation of the risks themselves.
Before considering remediation steps to be taken, an organization should consider whether the particular risk can be accepted. If it is determined that the risk is low or that the cost to remediate is too high, and if the risk does not compromise applicable compliance regulations, remediation may be postponed. This is a difficult determination to make if you are not familiar with the regulatory perception and treatment of a particular risk, and it is often impossible to be objective enough from within an organization to make such decisions. For each risk or vulnerability identified by our assessment process, Loricca can guide your company to make wise and cost-effective remediation decisions.
Options for addressing risks may include:
- Applying appropriate controls to reduce the risks/vulnerabilities;
- Accepting certain risks, provided they don't compromise compliance with applicable security guidelines or corporate policies;
- Mitigating, managing, or avoiding risks by implementing proper procedures and controls.
For those vulnerabilities and risks where the treatment decision is to apply additional controls and/or enhance existing controls, the controls should provide assurance that the policies, procedures, regulations, laws and guidelines identified by a thorough risk assessment and compliance gap analysis are followed and complied with. Controls should ensure that risks are reduced to an acceptable level.
Loricca is flexible in the delivery and administration of its services, and works with clients to effectively and efficiently address any compliance gaps and sufficiently mitigate the identified risk exposures and specific vulnerabilities.
To assist with security implementation and necessary remediation, Loricca provides a wide range of ongoing compliance and IT security services, including compliant Policies & Procedures (P&P) and development of a workforce awareness training program to roll out the new P&P. Loricca also offers the flexibility to choose the type of support needed. For example:
- Access to applicable Subject Matter Experts (SMEs)
- Ongoing support in maintaining the Risk Management IT Security Program
- On-site or web-based consulting time per month to participate in:
  - Management meetings
  - Risk Management Program briefings & presentations
  - Security-related project planning and reviews, staff training, etc.
- Direct-line phone support for offsite assistance
- Security awareness webinar training for employees and temporary staff
- Policy and procedure development support, review and recommendations
- Regulatory audit preparation and guidelines
- Technical Security Program Management & Compliance support
Contact us today to learn how Loricca can help identify compliance gaps and help your organization make wise decisions to prioritize the appropriate remediation steps to be taken.