Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 

Tim Mitchell

Tim Mitchell is a business intelligence consultant, author, trainer, and SQL Server MVP with over a decade of experience. Tim is the principal of Tyleris Data Solutions and is a Linchpin People teammate. Tim has spoken at international, regional, and local venues including the SQL PASS Summit, SQLBits, SQL Connections, SQL Saturday events, and various user groups and webcasts. He is a board member at the North Texas SQL Server User Group in the Dallas area. Tim is coauthor of the book SSIS Design Patterns, and is a contributing author on MVP Deep Dives 2. You can visit his website and blog at TimMitchell.net or follow him on Twitter at twitter.com/Tim_Mitchell.

Does regulation make data any safer?

Working with healthcare organizations, I am constantly aware of the restrictions my staff and I must abide by according to HIPAA constraints.  It’s not really rocket science; as far as data security goes, HIPAA mandates what logically should already be in place.  Any organization that takes data security seriously will already have safeguard on the storage and transmission of data, fully tested backup and recovery procedures, comprehensive access control, and auditing tools.  I’m quite sure that most people feel safer at night knowing their sensitive medical records are safer because of HIPAA.  But it is really safer?

Like most government regulations, HIPAA dictates what should or must be done without indicating how it must be done.  There are certain key items, including uniquely identifiable user IDs and auditing, that are specifically identified as “Required” by HIPAA, but the standards for these mechanisms is not further defined.  For many other elements, entities governed by HIPAA are required to take measures that are “reasonable and appropriate”, leaving much room for interpretation.  And it’s that gray area that makes me question the effectiveness of regulation as a whole.

For me, reasonable and appropriate security measures include a need-to-know policy for data access, encryption at every leg of in-transit data, a fully anonymized data set (no live data) for testing and training, and desktop access procedures to prevent inadvertent unauthorized access.  However, because regulations are largely subject to interpretation, one cannot be absolutely sure that these measures are being taken to safeguard sensitive data.  I have worked with a number of vendors who properly insist upon abiding by the best-practice implementation, but there are still many shops – and even some large organizations – that only do the bare minimum to avoid fines from the feds.  I know of one large software vendor which has a standard practice of rolling out their entire live environment, complete with sensitive personal information, to the training and testing environments where auditing is minimal if not completely absent.  I dealt with a small shop recently that was receiving most of their data on a standard unencrypted FTP server.  Interestingly enough, when I challenged their technical person that the FTP server was not secure, she told me “No, it’s pretty secure here.”  Pretty secure?  What, secure as in it’s locked up in your server room?  And though it’s difficult to prove or audit, I suspect that the exchange of sensitive information is done via e-mail much more often than people acknowledge.

Fortunately, in all of the cases I’ve found in which I found a potential vulnerability, I was able to strongarm the parties involved by waving the HIPAA security rule flag – even though there may not have technically been a violation of regulations, the suggestion that a high-profile breach was possible was enough of an argument to force a procedure change.  Still, when I think about all of the places over the years where I may have left sensitive data, I can’t help but wonder how seriously those places are in terms of security?  Are they as stringent about security as I am, or do they have the kind of lackadaisical attitude about data protection that keeps people like me up at night?

I’m curious – since most of my regulatory experience revolves around HIPAA, I’d like to hear from those who regularly deal with SOX or similar legislation.

Comments

Posted by John Magnabosco on 29 November 2008

The effectiveness of regulations such as HIPAA and SOX falls into your statement of "...I was able to strongarm the parties involved by waving the HIPAA security rule flag...".

The ineffectiveness of regulations such as HIPAA and SOX is that they require interpretation rather than following a check-off list of requirements; Although, if it is too specific, it could blindly demand one technology over another resulting in the killing of technological advancement. It can also become very difficult to govern.

There still is quite the attitude of "it's ok to leave the door unlocked at night" mindset when it comes to data security... or even worse: "I didn't buy any doors for my house because I live in a gated community and I trust that guard."

Awareness is key. Keep up the good fight, my friend!

Posted by M Noreen on 30 November 2008

I just don't see the very broad topic of data security as something that the govern can, much less should, regulate.  It reminds me of the old phrase "You can't legislate morality".  Nor can you legislate technology implementation, for goodness sake.  What may be right for one company, is completely *not* right for another.  

Corporate leaders and certainly the technical ones at said organizations should be the ones to obsessed with their operations and deciding what is "reasonable and appropriate."

Posted by Steve Jones on 1 December 2008

People make the data safer, not regulation. It's people that care about it being safe, and management/companies that don't try to deliberately prevent that, whether or not there is regulation.

It starts with each one of us being careful and concerned about the data we store, whether we have a stake in it or not.

Posted by Jamie Mack on 1 December 2008

In Australia we have similar issues with all of our acts, they also state "reasonable and appropriate" all through them.  We recently tried to find some lawyers to confirm a proposed solution would meet the legislation, no one was willing to help.  Have you been able to find anyone over there that is willing to confirm your practices?  

If in doubt always go for best practice.

Leave a Comment

Please register or log in to leave a comment.