HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) is a set of standards for the privacy and protection of electronic protected health information (ePHI). It includes a Privacy Rule and a Security Rule, which require covered entities (healthcare providers, health plans and clearinghouses) and their business associates to protect their patient-related data.
HIPAA Regulations
The Technical Safeguards section of the Security Rule (§ 164.312) lists a number of technical requirements healthcare organizations must follow to protect health information. The Access Control standard requires a covered entity to "Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4) [Information Access Management]." Four implementation specifications are associated with the Access Control standard (unique user identification, emergency access procedure, automatic logoff, and encryption and decryption), one of which is encryption and decryption.
Encryption and Decryption § 164.312(a)(2)(iv)
This specification is "addressable" rather than "required": where it is a reasonable and appropriate safeguard for a covered entity, the covered entity must "Implement a mechanism to encrypt and decrypt electronic protected health information." If it is not implemented, the entity must document why and what equivalent alternative measure it uses instead.
Penalties for non-compliance with HIPAA requirements, as set in the original statute (the 2009 HITECH Act raised the civil tiers substantially), include:
- Civil penalties of $100 per violation, up to $25,000 per year for each requirement or prohibition violated
- Criminal penalties for knowingly obtaining or disclosing individually identifiable health information of up to $250,000 and 10 years imprisonment
Sarbanes-Oxley Compliance
The Sarbanes-Oxley Act (SOX) is legislation created in response to past financial scandals to protect shareholders and the general public from fraudulent accounting practices. Because Section 802 requires that audit and review work papers relating to public companies be retained for a period of "not less than 5 years" (the SEC's implementing rule extended this to seven), and because the integrity of the records behind financial reports must be demonstrable, the Act affects IT departments greatly.
Securing data-at-rest becomes an even greater concern to those companies that are affected by the SOX Act.
Penalties for non-compliance with Sarbanes-Oxley requirements include:
- Criminal penalties under Section 906 for knowingly certifying a financial report that does not comply with the Act of up to $1,000,000 and 10 years imprisonment, rising to $5,000,000 and 20 years for willful violations
- Criminal penalties under Section 802 for altering, destroying or falsifying records to obstruct an investigation of up to 20 years imprisonment
California Senate Bill 1386
California SB 1386 (codified at Civil Code § 1798.82) requires organizations that own or license computerized personal information of California residents to notify them if the security of that information is compromised.
California SB 1386 Requirements:
According to the bill, personal information means "an individual's first name or first initial and last name in combination with one or more of the following": a Social Security number; a driver's license number or California Identification Card number; or an account number or credit or debit card number, together with any required security code, access code, PIN or password that would permit access to the account. The bill limits coverage to personal data that is "unencrypted": a breach of properly encrypted data does not trigger the notification duty, which is the main reason storage encryption is relevant here.
According to the bill, each organization must follow certain disclosure obligations following the discovery of a security breach that may have compromised customer data. Notice must be given to any resident of California "whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." Notice must be given in "the most expedient time possible and without unreasonable delay," subject to the legitimate needs of law enforcement and to the time needed to determine the scope of the breach and restore the integrity of the system.
For those companies that hold personal data on California residents, it becomes essential for IT departments to review the security of consumers' personal information, and in particular to know which stored copies of it are encrypted and which are not.
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) includes provisions that govern the collection and disclosure of customers' nonpublic personal financial information by financial institutions, and requires all financial institutions to design, implement and maintain safeguards to protect customer information.
The Financial Privacy Rule requires financial institutions to provide each customer with a privacy notice at the time the customer relationship is established and annually thereafter. The privacy notice must explain what information is collected about the customer, with whom that information is shared, how that information is used, and how that information is protected.
The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company currently protects, and plans to continue to protect, clients' nonpublic personal information.
The Gramm-Leach-Bliley Act requires IT attention because institutions must be able to account for the security procedures in place to protect consumer data, including how that data is protected while stored.
Penalties for non-compliance with GLBA requirements include:
- Criminal penalties for knowingly violating customer financial privacy (for example, obtaining customer information under false pretenses, known as pretexting) of up to $1,000,000 and 10 years imprisonment
PCI Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for enhancing payment account data security. The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
Requirement 3: Protect stored cardholder data
Encryption is a critical component of cardholder
data protection. If an intruder
circumvents other network security controls and gains access to encrypted data,
without the proper cryptographic keys, the data is unreadable and unusable to
that person. Other effective
methods of protecting stored data should be considered as potential risk
mitigation opportunities. For
example, methods for minimizing risk include not storing cardholder data unless
absolutely necessary, truncating cardholder data if full PAN is not needed, and
not sending PAN in unencrypted e-mails.
As stated in the standard itself, encryption of stored data is a critical component of protecting customer account data, but it complements, rather than replaces, the requirement not to store the full PAN in the first place where it is not needed.
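As an added example (not part of the original page or of any BOSaNOVA product), the following Python code shows the two data-minimization measures mentioned above in working form: locating card numbers (PANs) in text such as an outgoing e-mail body using length and Luhn checks, and truncating them so that at most the first six and last four digits remain, which is the maximum PCI DSS allows to be displayed. The sample e-mail text and the 4111 1111 1111 1111 test number are constructed for illustration; the regular expression and the 13-19 digit PAN length range are assumptions of this example, not rules taken from the page.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
# (Assumed pattern for this example; tune to the card brands you actually accept.)
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample e-mail body: contains one real-looking PAN and a phone number
# that must NOT be treated as a card number.
SAMPLE_EMAIL = "Order 12345, card 4111 1111 1111 1111 exp 12/27, phone 602-555-0100"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(digits: str) -> bool:
    """Length and checksum test applied to a digits-only candidate."""
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def truncate_pan(pan: str) -> str:
    """PCI DSS truncation: keep at most the first six and last four digits, mask the rest."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN-length number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the digits-only PANs found in text (e.g. to block an e-mail before sending)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if _is_pan(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Replace every PAN in text with its truncated form, leaving other numbers untouched."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return truncate_pan(digits) if _is_pan(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    print(find_pans(SAMPLE_EMAIL))
    print(redact_pans(SAMPLE_EMAIL))
```

A mail gateway or log scrubber would typically run find_pans on outbound content and refuse or quarantine anything that returns a non-empty list; redact_pans is what you would apply to data that must be kept for support or reconciliation but does not need the full PAN. Note that truncated values cannot be recovered, which is exactly the point: data you no longer hold cannot be stolen.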
BOSaNOVA's Q3 Storage Encryption Solution assists in your compliance with the PCI Standard by protecting your customers' stored data with encryption. The Q3 Storage Security Appliance encrypts data-at-rest without affecting your current backup procedures. Installation is quick and key management is strong yet simple. Storage-layer encryption protects against the loss or theft of disks, tapes and backups; it does not by itself protect data read through a host that is authorized to decrypt it, so it should be combined with the access control, logging and data-minimization requirements described above.