Chris Clark, senior manager, embedded ecosystems, at Synopsys, said while the regulations are “well intended and have provided a level of control on PII (personally identifiable information), they really have not adapted at a pace necessary to address the current data landscape.”
Beyond that, he said, even companies that try to comply aren’t always able to. “We have seen a multitude of successful attacks on organizations that fall under these standards. In many cases the organization has attempted to meet requirements outlined by a standard but did not take all aspects or implementation details into account. The standards need to evolve to delve deeper than process,” he said.
Difference between compliance and security
Another reality is the long-established mantra of experts that “compliance is not security.” In other words, following all the rules, while it will help, doesn’t mean you’re bulletproof, since regulations generally don’t keep up with the evolution of threats.
Berger said he regularly reminds clients of the difference. “The overriding concern with the HIPAA model is that it is very possible to be compliant without being secure,” he said. “Regular penetration testing, vulnerability analysis, and social engineering exercises—particularly ‘phishing’—should be conducted in addition to HSRAs.”
Cougias added that data security doesn’t equal data integrity, and that there isn’t really a “best model” for that, especially in cloud deployments.
“Data integrity is about protecting data from unauthorized or unplanned modification or deletion. In the cloud, with highly diverse solutions, or even a multi-cloud environment, data integrity can be tricky,” he said.
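One concrete way to detect the unauthorized or unplanned modification and deletion Cougias describes is a keyed integrity manifest over stored objects. The following is an added illustration, not code from the article or from any of the people quoted in it; the key, object names and contents are constructed placeholders, and the design (HMAC-SHA256 bound to each object's name, plus a seal over the manifest itself) is one common approach rather than a prescribed standard.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed placeholder key for this example only; a real deployment would
# keep the integrity key in a KMS/HSM, separate from whoever can write objects.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"


def object_digest(key: bytes, name: str, data: bytes) -> str:
    """HMAC-SHA256 over the object's name and its contents.

    Binding the name into the MAC means two legitimately stored objects cannot
    be swapped for each other without the mismatch being noticed.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(name.encode("utf-8"))
    mac.update(b"\x00")  # separator so name/data boundaries are unambiguous
    mac.update(data)
    return mac.hexdigest()


def build_manifest(key: bytes, objects: Dict[str, bytes]) -> Dict[str, str]:
    """Record a digest for every object at a known-good point in time."""
    return {name: object_digest(key, name, data) for name, data in sorted(objects.items())}


def seal_manifest(key: bytes, manifest: Dict[str, str]) -> str:
    """MAC over the canonical manifest, so the manifest itself cannot be edited
    to hide a change to an object without also breaking this seal."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_intact(key: bytes, manifest: Dict[str, str], seal: str) -> bool:
    return hmac.compare_digest(seal_manifest(key, manifest), seal)


def verify(key: bytes, manifest: Dict[str, str], objects: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the current object store against the recorded manifest.

    Reports objects that were modified, deleted or added since the manifest was
    built. Each of these is an integrity event worth alerting on, whether it was
    an intrusion or an unplanned operational change.
    """
    modified: List[str] = []
    deleted: List[str] = []
    added: List[str] = []
    for name, expected in manifest.items():
        if name not in objects:
            deleted.append(name)
        elif not hmac.compare_digest(expected, object_digest(key, name, objects[name])):
            modified.append(name)
    for name in objects:
        if name not in manifest:
            added.append(name)
    return {"modified": modified, "deleted": deleted, "added": added}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one record altered, one log deleted, one file added."""
    original = {
        "patients/0001.json": b'{"name": "Sample Patient", "dob": "1970-01-01"}',
        "patients/0002.json": b'{"name": "Another Sample", "dob": "1985-06-15"}',
        "audit/2024-01.log": b"2024-01-01T00:00:00Z login ok\n",
    }
    manifest = build_manifest(INTEGRITY_KEY, original)
    seal = seal_manifest(INTEGRITY_KEY, manifest)

    current = dict(original)
    current["patients/0002.json"] = b'{"name": "Another Sample", "dob": "1985-06-16"}'
    del current["audit/2024-01.log"]
    current["patients/0003.json"] = b"{}"

    # Check the manifest before trusting it, then check the objects against it.
    if not manifest_intact(INTEGRITY_KEY, manifest, seal):
        raise RuntimeError("manifest seal mismatch: manifest may have been tampered with")
    return verify(INTEGRITY_KEY, manifest, current)


if __name__ == "__main__":
    print(demo())
```

The seal over the manifest is the part most often skipped: a digest list stored next to the data, writable by the same credentials, gives no protection against an actor who can rewrite both. Keeping the key and the seal outside the object store's write path is what makes the check meaningful in the multi-cloud setting Cougias mentions.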
Different levels of regulatory compliance
Yet a third challenge is that while all these standards and regulations share a similar goal, they are not all the same. Compliance with one regulation doesn’t mean you’re even close to complying with them all.