Does Your Mainframe Comply With HIPAA, SOX, GLBA and PCI?

Companies that use open systems have a variety of tools at their disposal to help them meet the level of compliance necessary to pass an audit. The mainframe is a more powerful system, and it is usually where the most sensitive data lives. As the saying goes, with power comes responsibility.

Certain industries that use mainframes for their most sensitive data are held to stricter compliance rules than others, and this makes sense. Exposing patients’ private medical information, for example, would be a violation of the law and of personal trust. Enterprises that fail to comply face hefty fines and legal action, and the individuals responsible can even face jail time.

But not every company that relies on a mainframe has taken the necessary steps to secure its most precious resource: its data. There has been an explosion in database breaches in recent years. According to IBM Systems Magazine, “Investigations of data breaches over the past several years show that 75 to 92 percent of compromised records originated in database servers.”[1] The increase in data breaches has led regulators and industry bodies to tighten the requirements behind HIPAA, SOX, GLBA and PCI DSS (the last of which is an industry standard from the PCI Security Standards Council rather than a government regulation).

A False Sense of Security

For some companies, there is an unspoken belief that ‘it won’t happen to us.’ Like the resident who believes that a “safe” neighborhood makes them an unlikely target for a home invasion, some companies think the security controls and reporting they have in place to meet their compliance obligations mean they won’t fall victim to a security meltdown. But compliance controls are scoped to what an auditor checks, not to what an attacker will try. Break-ins can happen in any neighborhood, and history has shown that breaches can happen to any company in every industry.

One need only look at recent cases like the Anthem Blue Cross and Blue Shield data breach to see that security is a bigger challenge than ever. Anthem, the nation’s second largest health insurance company, notified customers in February 2015 that “cyber attackers executed a very sophisticated attack” and made off with customers’ personal information, including names, dates of birth, Social Security numbers, street addresses, email addresses and employment information, including income data.[2]

Although this case didn’t involve a HIPAA violation per se, the question remains: if attackers can access this much information, how close are they to accessing all of it? In the face of ever more sophisticated attacks, greater vigilance is the only rational response.

Keeping One Step Ahead of the Auditor

Faced with these challenges, companies are wise to protect themselves by contracting with an outside security consultant who can come in and do a comprehensive assessment. A security consultant can point out where the company’s compliance is lacking and work with the company to remediate those gaps.

Having regular assessments (once or twice a year, as necessary) gives companies confidence that their mainframe monitoring strategy is, and remains, compliant. The frequency will depend on the organization’s requirements. But recurring assessments are necessary to keep up with changes that raise the risk of a failed audit or a breach, such as new security regulations, changes to the system and its access rules, or staff turnover.

Think of your security and compliance strategy as a living organism. It needs to grow and adapt to its ever-changing environment. Companies beholden to strict government regulations need to know where their vulnerabilities are so they can remediate them, and this too is a cycle: you monitor your data, make an assessment, determine the necessary changes based on that assessment, apply them, and then monitor again.

A security consultant can support this process by regularly auditing your mainframe to ensure your level of compliance is always where it should be. A consultant can make sure you stay one step ahead of your next audit, and of the next potential cyber threat.