I read an article this morning which highlights something that we run into a lot at Emagined Security. Just because you have a Security Plan in place doesn't necessarily mean that you are compliant. And, just because you passed your HIPAA or compliance audit doesn't mean that you are "secure".
In the article, a healthcare provider was made aware of a laptop theft back in November 2017 that potentially exposed the PHI of 43,000 patients. They stated that the laptop had some security protections in place, but the laptop was not encrypted. HIPAA's Security Rule treats encryption as an "addressable" specification: covered entities must assess whether it is reasonable and appropriate and document their decision, but it is not strictly mandatory. The article goes on to state that after the healthcare provider was made aware of the situation they did everything they could to minimize any potential harm, and it is unknown whether the stolen laptop resulted in the actual exposure of the 43,000 patient records.
My point is that even though the organization was in adherence to HIPAA requirements, they weren't necessarily secure. What's their business case for not encrypting laptops? Who knows. I'm sure they have their reasons, and those reasons are likely being reconsidered in light of the theft. What I do know is that security isn't compliance and compliance isn't security. They're two different things that must work together. Compliance tends to get the most attention and seems like a proactive approach, but it doesn't provide the defensive measures needed to really secure your organization. I can hear you saying, "Yeah, but at least compliance gets us talking about security." And, I agree! Having an auditor breathing down your neck or the threat of massive fines hanging over your head really lights a fire. Also, I think compliance is a great way to report and account for what you're trying to do. But it is neither an end state nor the comprehensive security framework that an organization should be aiming for.
A robust security framework can help you meet compliance requirements, and compliance requirements can be a great motivation to shore up your technological defenses. If you'd like additional information on compliance, click here. If you're looking for more information on security frameworks, let us know and I can send you a few things that we've used in the past.