Step Six: Achieving Compliance

May 5, 2017

Step six in our series, “Ten Steps to Drive a Connected Product Program,” looks at achieving compliance.

  • Often the person most concerned about IT security is also the person responsible for compliance.
  • Simplify the compliance process by offering automated, regulation-specific compliance reports covering user authentication, access control, and product performance.
  • Most organizations overspend on audits; offering automated compliance reports helps reduce the cost and complexity of audit preparation.

The following finding may come as a surprise. In a 2011 survey of healthcare organizations, the Ponemon Institute asked, “Who is most responsible for preventing and detecting data breach incidents within your organization?” The most common answer: “The compliance department.”1 In other words, the same compliance officer who ensures that every device in the hospital lab meets FDA standards for product safety and performance is also typically responsible for the security technologies that defend the organization’s private data. Let’s agree that this is a daunting job.

Most of your customers, if not all, will fall under one or more of the following compliance umbrellas: FDA regulations, Good Manufacturing Practices, Sarbanes-Oxley, PCI DSS, GLBA, FISMA, the Joint Commission, HITECH, HIPAA, the Data Protection Act, and the Freedom of Information Act. In most cases, organizations use control frameworks and standards (such as COBIT, ISO, ISA, IEC and NIST publications) as overarching guidelines that inform how they comply with those regulations.

While there is no silver bullet that satisfies all of these rules and regulations, you can help your customers simplify the compliance process by offering automated, regulation-specific compliance reports covering user authentication, access control, and product performance. Automating the compliance process provides numerous benefits to compliance officers, including centralized audit information, more effective management of third-party risk, and increased confidence in the company’s security compliance posture for the connected products initiative. An automated approach also gives compliance officers more timely compliance status information, which eases the workload of the never-ending cycle of external audits. One caveat a security-minded customer will raise: an automated report is only as trustworthy as the audit trail beneath it, so the authentication and access-control events it summarizes must be logged completely and protected from tampering, or auditors will not accept the report as evidence.

Internal Considerations:

  • Expect a security conversation. Appreciate the impact of adding intelligent devices to a customer’s network, and anticipate your customers’ security concerns around suitability and acceptability. Add credibility by demonstrating your knowledge in this area.
  • Enterprise and network security policies often require management to take a close look at vendors. You and your counsel should anticipate strict vendor guidelines.
  • There are obvious differences between compliance and security, but they are similar in more than one way; one is that both are designed to assure a higher standard of business performance. If your organization has standards to which it complies, now is the time to share this information.

External Considerations:

  • Many organizations overspend on audits; offering automated compliance reports helps reduce the cost and complexity of your customers’ compliance programs.
  • Understand your customer’s compliance umbrella. The lab manager concerned with FDA medical device approval is a distinctly different persona from the retailer concerned with PCI DSS. Be prepared with sample automated compliance reports for each.
  • Take proactive measures that help take cost and complexity out of compliance and security.

Securing Your IoT Infrastructure

As more components of your IoT infrastructure become connected, the demand for a solution that protects manufacturers and their end customers from hackers, malware, and unsafe operations continues to increase. So how will you secure your existing IoT devices and prepare your infrastructure for the double-digit year-over-year growth in connected devices? Listen to the webcast replay, which discusses how to address the key challenges.

1 Ponemon Institute, December 2011 research study: “Providers’ Perceptions About Their Organizations’ Privacy and Security Environment.” Security technologies are considered essential or very important to defending patient data by 72 percent of respondents. The function considered by respondents to be most responsible for preventing and detecting data breach incidents is the compliance department (36 percent), followed by no one person or department (25 percent). The IT and IT security functions come in at a lowly 14 percent and 12 percent, respectively. This is virtually unchanged from the previous year’s study.

Series: Ten Steps to Drive a Connected Product Program
