Closing the security gap
When it received a gap-analysis report detailing what steps it needed to take to comply with the security and privacy regulations in HIPAA, eMed Technologies Corp. found that for the most part it was in pretty good shape, says Kelly Pickard, director of strategic alliances at the radiology image-management service.
But that didn't mean the IT department was home free. After receiving the report from security consulting firm Guardent Inc. in Waltham, Mass., eMed's IT personnel found themselves beefing up security measures at the Lexington, Mass., company's network operations center, going to security training classes and upgrading the firm's main product, eMed.net, Pickard says. Some of these tasks were unexpected, but that's the whole point of a gap analysis, he says. "What you hire these folks for is to find the surprises," he says.
A gap analysis is becoming an essential tool in an IT manager's arsenal as new state and federal privacy and security regulations seek to protect personal information about customers contained in companies' databases. The analysis can pinpoint holes that IT departments need to fix and can protect the company from expensive penalties for breach of confidentiality.
Today, the immediate concern is the Health Information Portability and Accountability Act (HIPAA), but consumer privacy advocates have the attention of legislators, who are passing new electronic security laws that could affect many industries. While health care organizations are facing deadlines for compliance with HIPAA, the need for gap analysis is growing in all sectors of the economy. For example, banks and other financial institutions are working on following similar rules in the Gramm-Leach-Bliley Act.
Some companies are keeping the gap-analysis task in-house, but many others are choosing to hire outside consulting firms. In either case, practitioners say, IT must be involved at every step.
For HealthNet Inc., a Kansas City, Mo.-based managed health care plan, handing over the gap analysis to an outside firm was the best decision, says Lori Sayre, the plan's director of HIPAA programs. The company's small IT department has only 40 to 45 people, she says, and adding a gap-analysis project to their regular workload would have been a "big burden."
Marcel Blanchet, CIO at Branford, Conn.-based The Connecticut Hospice Inc., a hospital facility for terminally ill patients, took the opposite view. His IT department conducted an internal gap analysis because he thought his group could do it well and the in-house option would save the nonprofit organization money, Blanchet says.
Sayre says that for a company the size of hers, which has one location and a few hundred employees, $70,000 and up is the going price for compliance with HIPAA. Remediation costs can also increase the total tab. At CareGroup Healthcare System in Boston, a gap analysis by El Segundo, Calif.-based Computer Sciences Corp. resulted in a yearlong effort to move into compliance, says CIO John Halamka. The project will cost about $1 million a significant chunk of the IT department's $26 million budget.
Regardless of who has responsibility for the analysis, IT personnel need to be involved in the preparation for the
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
