Those in corporate America who are used to treating security problems as mere inconveniences might want to think again, especially if they work in a regulated industry. The government is taking a harder line on regulatory breaches, and that can cost companies serious money.
The good news is that experience combined with an information systems degree can provide the tools to offer real value to employers by helping them stay out of trouble. After years of inaction, the Department of Health and Human Services (HHS) has begun to seriously investigate non-compliance with the Health Insurance Portability and Accountability Act (HIPAA) and to levy significant fines.
For example, the UCLA Medical Center agreed to pay $865,000 to settle charges that it violated HIPAA security and privacy rules. Complaints from two celebrity patients that hospital employees had gained unauthorized access to their records set off the initial investigation. The fine isn't enough to make much of a dent in a large organization, but it shows that regulators have begun to look more seriously at what they expect from companies. This was the third time this year that HHS disciplined an organization for HIPAA problems: Cignet Health had to pay $4.3 million, and Massachusetts General Hospital agreed to a $1 million payment. HIPAA isn't the only regulatory framework catching organizations short. Here are just a few recent cases:
- Dow Chemical is about to pay $2.5 million, as part of a settlement with the Environmental Protection Agency and the Department of Justice, for pollution violations.
- St. Anthony Hospital in Oklahoma City faces a $1 million fine for not complying with drug inventory requirements under the federal Comprehensive Drug Abuse Prevention and Control Act.
- Ford Motor Company will pay $225,000 for building a test track in Arizona without the proper permits.
- Eight regional airlines face Department of Transportation fines of between $66,000 and $200,000 for violating federal regulations covering the transport of disabled passengers.
What distinguishes these from recent actions over commodities market manipulation, or the Foreign Corrupt Practices Act case over illegal payments to foreign officials, is that they are largely operational in nature. Proper safeguards and automated controls might have prevented the actions that triggered the fines in the first place. That is not to say IT can always prevent misdeeds: some people will still misuse their authority and put a company at risk, and no control stops a determined insider who is entitled to the access. But enforcing correct procedure through IT systems, and keeping detailed audit trails on business processes, reduces the chance that people break the rules through ignorance or sloppy practice, and leaves evidence that lets an organization detect and explain what happened when someone does. Building systems that can support compliance requires a thorough knowledge of the publicly available regulatory requirements, and the advanced training in architecture that you might receive in a master's of information systems degree can also help.