Debate Over eData Security Regulation Enforcement

Some IT managers, chief information officers and others at FDA-regulated life sciences companies say they wish for more clarity from the FDA when it comes to risk management and 21 CFR Part 11 requirements, but for many companies it is hard to know just how much regulatory compliance they want to call for.

Whether compliance requirements help or hurt information security depends on one’s point of view, argues Rebecca Herold, among others, in a new white paper. Herold is an independent information security and compliance consultant and author of The Practical Guide to HIPAA [Health Insurance Portability & Accountability Act] Privacy and Security Compliance.

“The side of the fence where the information security grass is greener, before compliance or with compliance requirements, all depends upon your organization and your information security actions,” Herold writes. Her white paper pulled together several experts in a virtual roundtable to discuss the issue.

“One reason legal and regulatory compliance pressures mostly help [to advance information security efforts] is because they have undeniably forced improvements in governance standards,” said Gary Hinson, IsecT CEO.

Pulling for More Government Action

The government has helped advance ehealth initiatives by mandating requirements such as Part 11 and HIPAA, agreed Patty Sheridan, president of Care Communications, a health information management consulting firm. Reports about the large number of medical errors cited by the Institute of Medicine have also been a driver, she told PIR Aug. 10.

In fact, many IT professionals have been privately pulling for the FDA to demonstrate more public enforcement of Part 11. Some have told PIR that the agency’s failure, for example, to specifically cite Part 11 in warning letters for more than a year has made it tougher for them to get senior buy-in on tech upgrades.

But even the existence of the compliance regulations helps, says Barry Jones, principal consultant at Tribridge. “Most of these are the same principles and practices that security professionals have been advancing since the birth of the profession,” he says in the white paper. “And most of these principles and practices have been either roundly dismissed or generally lip-services by organizations until now.”

For other companies, however, trying to predict how seriously regulators will take information security issues can be a nail-biter. “Take HIPAA as an example,” says Peter Stephenson, Norwich University Master of Science in Information Assurance Program.

“Some companies truly did the right thing; had an outside independent in-depth review of their network and operations, remediated the noncompliance areas, then had another independent review to ensure they were then indeed in compliance,” Stephenson said. “Other companies just did nothing because of the resources it would take, and now they hope they will not get caught.”

Advice to Companies

Herold advises organizations to look carefully at the “vast array of regulations that apply to them, create a comprehensive compliance plan, and implement it according to the risks within their own, unique business environment, and not based upon a slick high-dollar marketing campaign that catches their attention.”

And experts stress that compliance is not about a single “silver bullet” solution. Instead, compliance success should be measured in small steps, with clear goals for the future, said Mike Corby, senior director at Gartner Consulting. “Defining those small steps, achieving success and setting out for the next milestone is critical in developing a compliance program that becomes a permanent part of the organization.”

For more information, go to www.rebeccaherold.com. — Michael Causey