Solution Providers Turn To GRC Tools As HIPAA's 'Chain Of Liability' Grows


A tougher federal rule designed to protect sensitive health-care information is spurring interest in governance, risk and compliance tools, said TraceSecurity's Alan Fortier, who is spearheading the company's partner program.

Fortier, who was named director of channel sales at Baton Rouge, La.-based TraceSecurity in March, told CRN that the company has seen a lot of interest in its new partner program designed around TraceCSO, the company's cloud-based IT governance, risk and compliance (GRC) tool. TraceSecurity has more than 25 participants in its new program and expects to close the year with about 40 partners in place, according to Fortier.

TraceSecurity's TraceCSO tool is designed to help small and midsize businesses measure, monitor and document their ongoing information security programs. Like other GRC products, it audits systems to determine the state of the business' compliance goals and helps those running the program prioritize.

"Stiffer requirements and penalties are a driving force for business, so far and away the majority of our partners are focusing on health care," he said.

 


HIPAA privacy and security rules initially were aimed solely at health-care providers, health plans and other entities that process health insurance claims. In January, the U.S. Department of Health and Human Services strengthened the protections for health information set under HIPAA with a final omnibus rule, expanding many of the requirements to business associates of these entities that receive protected health information.

All organizations that work with protected health information were expected to meet the regulation by Sept. 23. But solution providers told CRN that many of their clients are still struggling to balance patient care and measure security and compliance initiatives.

Arthur Hedge, CEO of Morristown, N.J.-based managed security service provider Castle Ventures, said his company saw the need to offer a GRC tool to its growing base of health-care clients, as they were turning to it for guidance on security and compliance measures. Castle Ventures monitors customers' network security appliances and conducts log analysis to uncover suspicious activity, Hedge said.

"It's a burden on midsize companies to understand the regulatory requirements, and the compliance problem is increasing dramatically for those folks," Hedge said. "This is an opportunity for the information security manager to have a tool to go in and track all this activity from a business perspective."

Meanwhile, smaller firms with limited IT staff often don't have the budget or personnel for GRC software, said Ben Goodman, president of 4A Security, a new TraceSecurity partner.

"We are positioning it as a way you can log in and get reports, drill down and track the progress of security projects," Goodman said. "Our focus is on using the tools ourselves and offering it as a portal for our customers to get access to the results -- because we say that they're not in the business of compliance, they're in the business of their business."
