Higher Education and Its Regulatory Burden
Higher education simmers with security risk. Institutions are highly regulated. Their trade is sensitive information, from personal data about students and staff to research data with national security implications, and the IT infrastructure colleges use can change rapidly as users bring new devices or new services onto the network.
Educational institutions face demanding privacy and cybersecurity requirements under FERPA, the Family Educational Rights and Privacy Act. FERPA imposes privacy protections and access restrictions on student records, so colleges must keep academic records secure and manage permissions for third parties (parents, for example) who may or may not be authorized to see those records.
All the standard privacy laws (HIPAA, Gramm-Leach-Bliley, GDPR) also extend to the personal data of others who might be in a college's database: faculty, staff, contractors, and perhaps even parents.
Most colleges and universities either bid on government research projects or accept federal dollars for financial aid. In either case, those institutions must also meet the security standards of NIST 800-171. Projects related to military or national security issues can also face export control restrictions under which foreign nationals working with the school cannot be allowed to access project data.
Compliance Objective
Firms handling medical data must ensure compliance with privacy and security rules from the moment a piece of PHI is created. In a major healthcare system that relies on cloud-based services, that means the system must:
Assess the starting security posture of its own systems and any third parties it uses.
Establish corrective steps that might be necessary, and assign them to control owners.
Monitor usage of IT services to see whether new third parties are on the network.
Identify security gaps it must fill to meet regulatory requirements.
Monitor whether those fixes are on schedule.
Conduct any new risk assessments that might be necessary as new regulations emerge.
HIPAA itself only tells firms the compliance objectives they must achieve, not how to achieve them. HITRUST, a consortium of healthcare businesses, has worked to map HIPAA requirements to the Common Security Framework, a standardized assessment and certification program. HITRUST can also be mapped to other frameworks such as NIST, PCI, or COSO.