Compliance and Ethics Hot Topics


By Doug Pollack, CIPP/US, chief strategy officer, ID Experts

Back in 2012, I attended a panel discussion about the nightmare that social media was becoming for privacy and risk managers in a hospital setting. They told of a doctor who had posted information about a patient on Facebook. Although unnamed, the patient was still identified. The doctor, of course, was fired.

Almost four years later, the compliance risks posed by social media are the number-one nightmare for healthcare organizations, according to the recently released Compliance and Ethics Hot Topics for 2016. Conducted by the Society of Corporate Compliance and Ethics and the Health Care Compliance Association, this survey lists the top compliance concerns for more than 900 respondents. (By the way, social media also topped the list for privately held companies and small companies with less than $100 million in revenues.)

It’s no wonder social media is a concern, when you consider The 5 Social Media Posts Your Privacy Officer Fears Most, an article on the SCCE blog. The author, a healthcare compliance expert, listed such reprehensible posts as:

  1. “Happy birthday Millie! I love being your nurse!”
  2. “Treated a pregnant teen tonight for an overdose. So sad…”
  3. “Alcoholic hockey players are so grumpy…”
  4. “Tired of cranky patients who argue with me over which shirt to wear!”

Cybersecurity and Cybercrime Top the List

Not surprisingly, cybersecurity/cyber-crime was the hottest topic for all respondents. It was also the primary concern for in-house compliance practitioners, nonprofits, non-healthcare companies, and educational institutions. The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, conducted by Ponemon Institute, had similar findings, revealing that criminal attacks cause half of data breaches among healthcare organizations and 41 percent of data breaches among business associates.

In the article, Experts Predict Security and Privacy Trends for 2016, Karen Barney, program director at the Identity Theft Resource Center (ITRC), predicted that the threat of cyber-attacks and cyber-crime will continue to grow. “We track data breaches daily, and we’re seeing from our data breach report that hacking and skimming has definitely increased significantly over last year,” she said. “In 2014, hacking, skimming, phishing and other cyber-threats accounted for 29 percent of breaches. So far this year, they account for 38 percent, and I expect that trend to continue into 2016.”

Social media has become an effective vehicle for spreading cyber threats, such as malware propagation, data leakage, and spam, according to an article on U.K.-based ITProPortal.com. These threats are hidden in SSL-encrypted traffic that network security controls cannot detect. This is a major problem, since it is expected that two-thirds of all Internet traffic will be encrypted this year, and by 2017 half of all attacks will use encryption to evade security controls.

Don’t Forget Third-Party Risk

Third-party risk was the uppermost hot topic for multinational, publicly traded, and large companies with $3 billion or more in revenues. Such companies face the daunting task of managing compliance and risk among the thousands—or even tens of thousands—of vendors who make up their supply chain. Target and its HVAC vendor come to mind.

Of even greater importance, consider the risks to our national security and physical safety. In September 2015, Security Week reported on U.S. Director of National Intelligence James Clapper’s testimony before the House Committee on Intelligence. Clapper told the committee that unknown Russian threat actors had successfully compromised the supply chains of at least three industrial control system (ICS) vendors, causing their customers to download malware designed to facilitate attacks via the ICS vendors’ web sites.

Can I Trust You?

Another hot topic was creating and maintaining an ethical culture. Ethisphere Institute, an organization that gauges ethical business practices, just released its 10th annual list of the “World’s Most Ethical Companies.” The list covers 131 companies from 21 countries, and represents 45 industries.

Tia Smallwood, Ethisphere’s chief marketing and strategy officer, told Forbes magazine: “The papers are filled with scandals and companies that made judgment errors, that made policy errors or that don’t have good practices in place to handle things like non-retaliation or transparency or open reporting, or have had a crisis and handled it poorly. But there [are] a lot of companies that are really trying to do things the right way.” Among the top-ranked American companies were 3M Company, Allstate, CareFirst BlueCross BlueShield, Ford Motor Company, Intel, Microsoft, Starbucks, and Xerox.

Ethics Is Always a Hot Topic

This is a critical time for privacy, compliance, and risk professionals. Evolving technology, growing cyber-threats, and the battle over privacy and security have created untold complexity and raised ethical questions for which there are no easy answers. But we must do our best. As businesswoman and philanthropist Dame Anita Roddick reportedly said, “Being good is good business.”


1 COMMENT

  1. From my position, this is a good example of how a new topic can easily be addressed using the tried and true seven elements of a compliance program. I know it may not sound trendy or as catchy as some folks would like to see it…but if one goes back to various elements of an effective compliance program, there are at least two which I think many people have failed to implement effectively which is adding to the level of anxiety related to social media.

    For example, there are a good number of folks at the recent CI when I asked if they had a policy and procedure on social media (relax…keep reading) that clearly identified and gave some examples of the types of posts that were deemed inconsistent with the position taken by the organization (again…we are talking about clear examples on the use of PHI and not going into the realm of National Labor Board issues, etc)…many folks agreed that though they did have a policy, it likely was somewhat nebulous or lacking in details that would help better identify expectations.

    So certainly…social media…hot topic…here to stay. At the same time, see what tools in your tool box you may have not yet used to help you deal with some of the challenges related to social media as it relates to HIPAA, PHI, and your workforce.
