In the MediaPro article “Why Mere Compliance Increases Risk,” published on CSOonline.com, the authors state that in some cases poor awareness training is as bad as, if not worse than, no training at all. The Department of Health and Human Services recently confirmed that a lack of training is a common cause of HIPAA compliance difficulties. Given the poor state of awareness training in many organizations, it’s no wonder that PCI and HIPAA compliance violations are actually on the rise.
It should be obvious that there is more to “compliance” than simply doing the least one can do. For starters, ask yourself: in addition to being compliant, is your organization also competent to see that the spirit of the law is fulfilled? Does your organization, in the true spirit of compliance, promote a culture that respects the interests of customers, patients, shareholders, and other constituents? Does everyone see themselves as responsible for the security of protected health information (PHI), credit card data, and the many other forms of personal information collected today? A growing body of case law clearly demonstrates that satisfying the letter of the law alone just won’t cut it.