INFORMATION SECURITY-KNOW WHAT COMPLIANCE YOUR ORGANIZATION NEED
Data is the most critical part of any business. Every organization is either producing their own data or acquiring it from their employees or customers, so it becomes the organization’s responsibility to safeguard that data from unauthorized access. Digitization and digitalization has changed the working techniques of every organization. Almost all of the data is on information systems, which increases the risk of information exposure to the outside world .Many organisations already knows the importance of information Security and are working in a controlled environment one or the other way, however there are many organisations who still does not consider information security necessary for their business. Statutory and regulatory bodies has made information security mandatory for many businesses. Let’s discuss about different information compliances for organisations.
Why Organisations need IT Security Compliance
Compliance is a set of guidelines by the regulatory body which the organisation needs to adhere. Compliances brings great benefits for the organisations:
- Improvement in Information Security: IT security regulations improve organisations security measures by setting baseline requirements. This baseline requirements helps keeping business data-security levels relatively consistent within respective industries..
- Increase Control on Information Systems: Improved security goes hand-in-hand with increased control. This is helpful in preventing employee mistakes and insider theft with enhanced authentication mechanism while keeping an eye on outside threats.
- Minimize Organisations Losses: Improved security, in turn, prevents breaches, which are costly to businesses. There are many organisations which end up losing very large amount of their revenue in sales, repair costs and legal fees, all of which can be avoided with the right preventive measures
- Maintain Trust with customers:A better information security system definitely built and maintain customer trust. Customers trust organisations which keeps their information safe, secure and available at the right time.
There are numerous IT Security compliances exits each related to different industry verticals. The most common compliance includes
Health Insurance Portability and Accountability Act of 1996(HIPAA)
INDUSTRIES AFFECTED:This act affects any organisation or office that deals with healthcare data. That includes but is not limited to doctor’s offices, insurance companies, business associates, and employers.
WHAT HIPAA regulates: This act is divided into 5 titles.
Title I: It protects health insurance coverage of employees either they change job or laid off.
Title II: It controls health care fraud and abuse. It also establishes policies and procedures for maintaining the privacy and security of individually identifiable health information, outlines numerous offenses relating to health care, and establishes civil and criminal penalties for violations
Title III:This sets guidelines for pre-tax medical spending accounts.
Title IV:This sets guidelines for group health plans regarding coverage of persons with pre-existing conditions, and modifies continuation of coverage requirements
Title V:This governs company-owned life insurance policies.
General Data Protection Regulation (EU) 2016/679 (GDPR)
INDUSTRIES AFFECTED: This regulation impacts all the organisations which process personal data in any form. This includes any cloud service provider, marketing company, insurance provider, law firms, data analytics companies and many more. GDPR applies to all organisations collecting and processing personal data for people residing in the European Union, even if that organisation is not physically located or based in the European Union.
WHAT GDPR regulates : General Data Protection Regulation(GDPR) has 11 chapters’ general provisions, principles, rights of data subjects, controller and processor, transfer of personal data to third countries or international organisations, independent supervisory authorities, cooperation and consistency, remedies, penalties and liabilities, delegated acts and implementing acts, final provisions.
GDPR, motive is to protect personal data of European Union (EU)citizens from data breaches.
Payment Card Industry Data Security Standard (PCI-DSS)
INDUSTRIES AFFECTED:Payment Card Industry Data Security Standard (PCI DSS) is meant for all the organisations which handles credit card data.
WHAT PCI DSS regulates: PCI DSS has given a set of 12 regulations which are designed to protect customer credit card information and to reduce fraud. Compliance requirements pertaining to PCI DSS are: Build and maintain a secure network and system, protect cardholder data, maintain a vulnerability Management program, strong access control measures, regular monitoring and testing networks, maintain an information security policy
Sarbanes-Oxley Act of 2002(SOX)
INDUSTRIES AFFECTED: This regulation is meant for all U.S. public company boards, management and public accounting firms. In addition to this a number of provisions of the Act also apply to privately held companies, such as the willful destruction of evidence to impede a federal investigation
WHAT SOX regulates:Sarbanes-Oxley Act has eleven sections: Public Company Accounting Oversight Board(PCAOB), Auditor’s independence, corporate responsibility, enhanced financial disclosures, analyst conflict of interest, commission resources and authority, perform various studies and report their findings, corporate and criminal fraud accountability, white collar crime penalty enhancement, corporate tax returns, corporate fraud accountability.
According to this act organisations required to maintain financial records for seven years. It was implemented to prevent financial scandals like Enron.
The Federal Information Security Management Act (FISMA)
INDUSTRIES AFFECTED:Federal Information Security Management Act (FISMA) is for all federal agencies in the US. According to FISMA act all the federal agencies need to develop, document, and implement an agency-wide program to provide information security for the information and information systems. This also includes the information and information systems provided or managed by another agency, contractor, or other source.
WHAT FISMA regulates: FISMA defines a framework for managing information security of information systems. According to NIST FISMA is divided into: Inventory of information systems, categorization of information and information systems according to risk, implementation of security controls, risk assessment, system security plan, certification and accreditation and continuous monitoring
There are many other laws and regulations present to protect information. However it is not always very clear to the many decision makers or compliance officers which regulations or compliance is applied to their organisation. Compliance is very critical part of any business. Not adhering a mandatory compliance can lead to serious consequences, sometimes unnecessary disruption in the business. So this is very necessary for organisations to identify and understand all the desired regulations for the business and adhere to all the requirements of it.
#tags:SOX, FISMA, HIPAA, GDPR, regulatory
#keywords: compliance, SOX,FISMA, PCIDSS, HIPAA,GDPR, information security, data protection
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) signed by US President Bill Clinton in 1996, provides data privacy and security provisions for safeguarding medical information.
HIPAA Act does the following:
- HIPAA reduces health care fraud and abuse.
- HIPAA acts mandates the storage, protection and handling of handling of medical data, ensuring healthcare data is kept secure.
- HIPAA Act provides provisions for storing patient’s healthcare information.
- HIPAA act is meant for protection and safeguarding unauthorised handling of PHI(Protected Health Information)
HIPAA compliance is a must for healthcare solution providers. HIPAA compliance guidelines are meant to safeguard patient’s health information, ensuring that it is securely stored and correctly used.
All the sensitive data which can reveal patient identity must be kept as confidential in order to adhere HIPAA. There are set of rules of policies and privacy which the organisation need to adhere to achieve compliance.
What information is protected under HIPAA?
HIPPA Privacy Rule protects a patient’s health information and any identifying information, in any medium or format—files, email, audio, video or verbal communication. Any of the following is considered private health information:
- Name of patient
- Birth date, death date or treatment dates, and any other dates relating to a patient’s illness or care
- Finger and voice prints
- Social Security Number
- Medical records numbers
- Telephone numbers, addresses and other contact information
- Any other unique identifying number or account number
Why HIPAA compliance is Important?
HIPPA compliance is a well thought of guidelines meant for safeguarding patient’s .Failure to this can put patient’s critical information at risk. Cyber Security breaches have catastrophic impacts on organisation’s reputation, also can leads to disciplinary actions and sometimes huge penalties and fines.
In past years ransom ware and malware attacks like WannaCry, Non Petya, have impacted millions of computers across the world, including healthcare organisation.
Hackers exploited vulnerabilities existing in the Network devices like weak passwords, outdated versions of Operating Systems which are commonly used in healthcare sector.
Since there is not adequate awareness and information security support in medical service providers, the attack was very easy to carry out.
Now a day’s everything is technology driven, so HIPAA also regulates some aspects of technology systems used to store, manage, and transfer healthcare information.
The organisations that fail to implement adequate system can suffer significant damage. If any data breach incident take place, the affected organisations has to submit disclosure documents for each and every breach individually.
WHO NEEDS TO BE HIPAA COMPLIANT?
Following is the list of the organisation which needs to be HIPAA compliant
- Healthcare providers, who stores data and process PHI in electronic form.
- Regional health care services,
- Medical practitioners
- Healthcare clearinghouses
- Healthcare billing services
- Community health management information system).
- This also includes any organisation which collects PHI from healthcare organisations and process it into an industry standard format.
- Health plans
- HMO (Health Maintenance Organisation),
- Public health authority,
- Medicare prescription drug card sponsors,
- Universities and schools which collects, store or transmit PHI)
- Business associates of all the above
- Any organisation which handles PHI in electronic format such as vendors, contractors and infrastructure service providers.
- This also includes organisations that store or destroy (shred) documents.
- Transcription services,
- Medical equipment companies,
- Auditors and
HIPAA PRIVACY, SECURITY AND BREACH NOTIFICATION RULES
HIPAA Privacy rules are Standards for privacy of PHI of individuals. The main goal of HIPAA rules is to protect medical reports and other PHI(Personally identifiable health information)
HIPAA privacy rules are applies to these types of organisations;
- Providers, supply chain (vendors, contractors) and service providers (data centre and cloud service providers). All healthcare Clearinghouses and health care providers shall be compliant.
- This rule also applies to healthcare service providers who conducts health related electronic transactions.
Accordingly to HIPAA privacy rule patients have legal rights over their health information.
Below are the fundamental rights of patients:
- To authorise disclosure of their health information and records.
- To request and examine a copy of their health records anytime
- To request correction to for the health records as needed
HIPAA Security Rule are the Security Standards for the protection of ePHI and is a subset of privacy rule only. This rule is applicable to electronic personally identifiable health information (ePHI), which shall be protected if it is created, maintained, and received by any organisation. Covered entities shall maintain confidentiality, integrity and availability of ePHI.
Covered entities shall adhere all safeguards to be compliant:
- Technical Safeguards:
Access Control, Audit control, integrity control, transmission security
- Physical Safeguards
Physical Access control, work station and device security, security of electronic media
- Administrative Safeguards:
Security Management process, Security Manager, Information Access Management System, training and awareness, evaluation system.
HIPAA breach notification rules
Even after having adequate security measures in place, there is a possibility of breach. For such cases Breach notification rules specifies how the organisations should deal with it.
First of all organisations should know how to define a breach. A breach is unauthorised use or disclosure of PHI forbidden by Privacy rule. The unauthorised use or disclosure of PHI is presumed to be a breach unless your organisation demonstrate there is a low probability the PHI has been compromised based on a risk and impact assessment of at least the following criteria:
- The extent and nature of the PHI involved, including the types of identifiers and the probability(likelihood )of re-identification
- The unauthorized individuals to whom the disclosure was made or who used the PHI
- Whether the PHI was actually acquired viewed or acquired
- The extent to which the risk associated with PHI has been mitigated
PHI breach notifications must be provided without unreasonable delay and no later than 60 days following the breach discovery. Notifications of smaller breaches which is affecting fewer than 500 individuals may be submitted to HHS (The United States Department of Health & Human Services) annually. The HIPPA Breach Notification Rule also requires business associates like vendors, suppliers, service providers of covered entities to notify the covered entity of breaches at or by the business associate.
As per HIPAA Privacy Rule, a healthcare data breach as well as failing to give patient’s access to their PHI, could result in a fine from OCR(Office for Civil Rights)
The minimum penalty for:
- Unknowingly violating HIPAA is $100 per violation, with an annual maximum of $25,000 for repeat violations.
- Reasonable cause for violating HIPAA is $1,000 each violation, with an annual maximum of $100,000 for repeat violations.
- Wilful neglect of HIPAA, but when the violation is corrected within a given time period, is $10,000 per violation, with an annual maximum of $250,000 for repeat violations.
- Wilful neglect of HIPAA, and the violation remains uncorrected, is $50,000 per violation, with an annual maximum of $1.5 million for repeat violations.
The maximum penalty for all of these is $50,000 per violation, with an annual maximum of $1.5 million for repeat violations.
Covered entities, organisations and individuals who intentionally disclose or obtain PHI in violation of the HIPAA Privacy Rule can be fined up to $50,000 and receive up to one year in prison. If the HIPAA Privacy Rule is violated under false act, the penalties can be increased to a $100,000 fine and up to 10 years in prison.