Do You Really Want Me to Keep the Door Unlocked for Just Anyone?
“You have some very strict security policies in place.”
Normally, this is a compliment. Any I.T. firm worth dealing with should be serious, no – rabid, about network security. Their own and their clients’. But in this case, it was delivered as a complaint! David Xiong, our VP of Technology, couldn’t believe his ears.
A third-party vendor to one of our clients wanted unfettered, unsupervised access to our client’s server. We weren’t giving it, so this vendor wasn’t happy. Too bad.
Are you concerned about security in 2014? David is. I am. And you should be, too. We deal with it every single day on your behalf. That day, our VP of Technology was standing up to a third-party cloud software vendor who was trying to push us around. They should have known better. The client is a medical facility, and with HIPAA in place, protecting patient data is even more vital. A single violation can cost tens of thousands of dollars, and repeated violations of the same requirement can run to $1.5 million a year.
HIPAA Compliance Requires This
Compliance with HIPAA, the Health Insurance Portability and Accountability Act, depends on written, documented security and data-handling policies and procedures. HIPAA standardizes electronic healthcare transactions and, through its Privacy and Security Rules, protects the confidentiality, integrity and availability of protected health information (PHI). A vendor that touches that data is a business associate under the law and has to sign a business associate agreement before it gets access at all. There are legal and financial ramifications for businesses that don’t have these standards in place.
If you’re not in the medical or health industry you might wonder why that matters (as a consumer of health services you should care a lot about whether your provider is HIPAA compliant). Regardless of your industry, in any business where the government has created regulatory or compliance requirements (and let’s be honest, that’s all of them), there need to be written security and acceptable use policies that address third-party access: who gets in, when, how they are supervised, and what they are allowed to do. Our acceptable use policy says we don’t let people who’ve messed things up in the past have unsupervised access to a client’s server.
How Do We Keep Our Clients’ Data Secure?
But the tech guy on the other end of the phone kept whining about having to go through us to make updates to the client’s server. David was following our policy. That’s how you should do it in your business, too. Start with a written security and acceptable use policy, make sure your staff is trained on every process in it, and then hold staff (and vendors!) accountable for those policies. Use technology to enforce them rather than relying on good intentions: a named account for each vendor instead of a shared login, access granted for a scheduled window and revoked when the work is done, and a log of what was changed. So why are we getting yelled at by other I.T. security “professionals” for having a security policy in place … and following it?
David wasn’t having any of it. “You can’t come in when you want, reboot the server when you want and then leave when you want. This is our client’s confidential information. It’s secure for a reason! And if you mess it up, we’ll have to clean it up.” That means lost productivity for the client and an opportunity for future problems.
It’s like giving someone the key to your house and saying, “Come on in, do what you like, leave me a note about what you did. I don’t really know who you are, but feel free to invite your friends, too. Just don’t burn the place down.”
We can be friends, I’ve just got to open the door for you. You’re a guest in my house. Or my valued client’s house. And as far as we’re concerned, that’s the same thing.