Red Flag Rules
Because collection agencies handle so much of consumers’ personal information, it is incredibly important to have a Red Flags Rule procedure in place. The Red Flags Rule requires organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs — or red flags — of identity theft in their day-to-day operations.
For example, what process should a collector follow if a debtor claims the debt was incurred as a result of identity theft? What are the specific steps to take if a creditor notifies you of several specific accounts that have been flagged as involved in identity theft? Finally, what steps does YOUR organization take to proactively identify and respond to possible incidents of identity theft? Does your auditor include a review of your Red Flags/Identity Theft program as part of their audit?
GLBA Safeguards Rule, HIPAA / HITECH Act & HITRUST
The FTC recently settled its 50th data security case, this time against GMR Transcription Services, which underscored the importance of safeguarding sensitive information regardless of whether it is handled by your own people and systems or by your service providers and your service providers’ vendors. The FTC has also set up a website with information and requirements for safeguarding data, which can be found here.
Although its remit is somewhat different, the Department of Health & Human Services (HHS) has also been active in enforcement cases. From what I have observed, the cases won by the FTC and HHS have been slam-dunk cases where there appear to be obvious failures by the organization to safeguard data.
Although there is no independent body like the PCI Security Standards Council or AICPA that oversees these auditors, I have seen third parties provide HIPAA and GLBA Safeguards Rule audits, and I caution you on two fronts.
First, if the auditor is not governed by an oversight organization like PCI SSC, PCAOB, or AICPA, I would review their work extensively to ensure it was a proper audit. Second, be advised that some people may obtain a false sense of security from HIPAA “compliance” or the GLBA Safeguards Rule, as the administrative, technical, and physical safeguards they require may not be up to date with today’s threats.
I do not mean to pick on HIPAA, but the law was enacted in 1996 and has not been revised from a security controls perspective. Virtualization, mobile technologies, social media, and advanced persistent threats have all emerged since 1996, and I would not be comfortable being merely “compliant” with these laws given today’s threats.
Organizations looking to secure Protected Health Information (PHI) and comply with HIPAA should seek HITRUST certification. The Health Information Trust Alliance (HITRUST) was established to promote the security of healthcare information while allowing for the adoption of health information systems and exchanges. HITRUST believes that security is critical to the broad adoption of, utilization of, and confidence in health information systems, medical technologies, and electronic exchanges of health information. It also believes that security is critical to realizing the promise of quality improvement and cost containment in America’s healthcare system.
Under HITRUST, the Common Security Framework (CSF) incorporates the security controls and requirements from multiple standards, regulations and business requirements applicable in the healthcare industry.
Finding the Right Auditor
Can the auditor that you use today provide a holistic audit report that includes GLBA, HIPAA, Red Flags Rule, PCI DSS, HITRUST, FISMA, ISO 27002, etc.? If not, it may be time to look for another auditor to keep up with all of these requirements.
As a business owner or leader, you should ensure you are getting the most for your money when contracting with an auditor to perform an assessment that shows compliance. At the very least, your auditor should help you further your business and provide a competitive advantage while giving you a clear picture of your risks. This can be done through a holistic audit that combines all applicable regulatory and contractual requirements into one audit.
In the end, no audit will be the silver bullet of information security, as each has its pros and cons. It is up to the organization to perform a proper risk assessment, understand what is required by regulation and by contract, and establish an information security or compliance management system that meets or exceeds those requirements.
Lastly, organizations would be foolish to think all auditors are created equal. Sitting in your chair for over 10 years, I have been audited by some of the country’s top firms, and I often found glaring errors in their audit reports. On the other hand, some of the best auditors I had experience with had these traits:
- Worked in the industry they were auditing and understood the industry’s systems and processes.
- Had an IT (not accounting) background or a group of team members that assisted in the audit to understand group policy settings, firewall access control lists, system hardening, logging, etc.
- Methodology – Holistic Information Security, combining multiple standards, regulations and business requirements to provide the lowest risk. Examples of this are the HITRUST audit and TECH LOCK® Certified.
- Accreditations – PCI QSA, PCI ASV, CPA, HITRUST CSF Assessor, 3PAO Assessor, etc.
- Recommendations – For me, this is the icing on the cake. Can your auditor provide recommendations to improve your bottom line by reducing IT costs, increasing revenue, or providing a competitive advantage? The benefit of TECH LOCK’s Compliance Done Right is an audit that gives back to you, versus 99% of the audits out there that leave you with an audit report and nothing more.
If you have questions about specific ways you should be focusing on compliance, or how to obtain cost reductions, revenue generation ideas, or risk reduction through an audit, TECH LOCK can get you pointed in the right direction. You can contact us at email@example.com
Todd Langusch is the President & Chief Executive Officer of TECH LOCK, Inc. Todd has more than 25 years of privacy, data security and information technology experience, and has held more than 26 different information technology certifications. Join Todd at ARM-U, October 14-15 in Washington, DC, as he discusses the important ways in which operations and compliance overlap within a collection agency’s compliance management system (CMS). It’s just one of many panels you won’t want to miss!