PCSOFT Blog

PCSOFT has been serving the Smeaton Grange area since 2005, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Ensuring Your Organization Meets Compliance Standards

Protecting your clients’ and employees’ personal and financial data has to be a consideration for every single business. Not only do you have a responsibility to protect this data, you also may have to do so to remain in compliance with regulations mandated by governments, industry organizations, and even your own business. With data privacy becoming a growing concern, we thought it would be useful to discuss the basics of compliance a bit in this month’s newsletter. 


Highly Regulated Industries Come with Their Own Demands

Regulations are put on certain data constructs for a reason: the data within is sensitive. Today, there are seemingly more regulations than ever, and as the GDPR kicks in for organizations that deal with EU-based organizations, we thought it would be a good time to talk about how to navigate these highly-regulated environments to ensure success and security.

While there are movements of industry professionals lobbying for improvements to some personal data protection laws, not much has been done about it by legislators in the U.S. The regulations that are on the books work to protect certain types of personal information, but there isn’t an overarching law that states there will be consequences for losing someone else’s personal information. Within certain environments, however, it is extremely important to know how to navigate so as not to mistakenly expose information that has no business being shared.

In Healthcare
We’ll start with healthcare, as it is the most prevalent. Healthcare data is protected, and that protection is regulated, and all for good reason. This information is the most personal information a person can reveal and has no business being in possession of anyone but the provider, the insurer, and the patient. The most well-known regulation for healthcare in the United States is called the Health Insurance Portability and Accountability Act (HIPAA). It was constructed to keep personal healthcare data secure as new systems of transfer and new insurance practices were being implemented.

Healthcare information isn’t all handled the same. There are a multitude of organizations that oversee different parts of the healthcare process. The Centers for Medicare & Medicaid Services (CMS) focuses on patient care, while the Occupational Safety and Health Administration (OSHA) focuses on the safety of workers. This is just the tip of the proverbial iceberg. With so many regulatory agencies involved, it can be difficult to ascertain which practices are the best practices, and which strategies work to keep every party involved insulated from having their sensitive information compromised.

For healthcare providers it can be pretty harrowing, since they are for-profit businesses and need to keep certain information at the ready to facilitate solid operational integrity, as well as to ensure that rising costs aren’t sinking their practice. Many providers are constantly revisiting the best ways to stay compliant while transforming their policies around the existing standards of data protection. This creates a lot of headaches and toiling over policy. One of the best ways to navigate this arena is to set defined practices that work to mitigate redundancy.

Financial Services
Another vertical market that is highly regulated is the financial services industry. Today, there are a lot of financial organizations looking to IT to speed up operations, cut costs, and manage their businesses more accurately. Since Congress just rolled back a lot of the Dodd-Frank Act, organizations that work in financial services now have three major regulations they need to be cognizant of. They are the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOx), and the Payment Card Industry Data Security Standard (PCI DSS). Some larger organizations will still need to adhere to Dodd-Frank, but smaller banks and other lending institutions that were often hamstrung by the Dodd-Frank regulations are now able to operate free from its stated oversight. Here is how each works in regard to data security:

  • GLBA - Puts in place a mandate that financial services organizations need to identify, adjust, and test their data protection systems to ensure that customer information isn’t being misused or misallocated.
  • SOx - Works to require accurate and responsible accounting, and puts an onus on large businesses to increase the transparency of profits.
  • PCI DSS - Functions to protect cardholder data, and provide strong controls, reporting, and testing of payment card systems.

The major regulators in the United States are the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and the Securities and Exchange Commission (SEC). They often step in and levy fines when it's called for, but they typically hold fast or take advisory roles in matters of data security as it could be looked on as above their mandate. Their function is mostly to keep trade, practices, and markets fair and efficient, not really to protect personal information. Unless threats to that sanctity are directly coming from identified threat actors, the financial regulators won’t take a proactive approach.

Despite the lack of proactive oversight, most financial entities typically keep their practices to a certain standard: the standards outlined in the Federal Financial Institutions Examination Council IT Examination Handbook (FFIEC-IT). With a dedication to keeping financial services technology the secure product it needs to be, the FFIEC-IT booklets outline what is expected to keep a compliant and secure financial services IT infrastructure. The FFIEC-IT website provides all the information anyone would need to keep their IT infrastructure, network, security practices, and reporting at a level commensurate with the expectations of financial services customers and regulators.

Creating a Plan
All security standards tend to follow the same general principles. Most will talk about the need for concise reporting and constant assessment. This actually works in the service provider’s favor, as they can outline a single strategy that will satisfy the many types of organizational oversight they function under. By creating a static security management plan (SMP), an organization sets up a workflow that outlines the steps everyone has to take. This can be done the old-fashioned way with a checklist on a clipboard, but the best way many organizations we’ve researched accomplish this is by using an electronic spreadsheet to work in some degree of automation. This also provides the visibility to quickly translate and compile information into any reports that you are mandated to provide to regulators.

The SMP should include:

  • An organizational security mission statement.
  • A static hierarchy of authority with the organization’s reporting structure.
  • Identification of areas that need to be secured.
  • A general outline of individual duties and activities under the SMP.
  • The static documentation system that has to be used to keep things compliant.
  • An organizational training program or interface to keep staff up-to-date on shifts in the SMP.
  • A roadmap on how to incorporate liaison sites.
  • A top-to-bottom security organizational chart.
  • A copy of SMP evaluations and a plan for improvement, if needed.

Once you have a dedicated SMP in place, you can go about applying it to every facet of your organization. This is a time-consuming task as everything your business has to keep secure should have a line item in the spreadsheet, but once it’s done it will be much easier to ascertain where your organization is on a certain tactic, and how resources should be deployed to ensure that compliance is maintained.

A big part of staying compliant is to put in practice quality assessment tools. Sometimes your organization’s security and practices will work in concert, and sometimes they will conflict. Ensuring that your reference materials are current, consolidated into an easy-to-decipher format, and reported properly will provide you with a much more manageable time managing the assessment and validation systems you’ll need to prove compliance to regulators.

At PCSOFT, we are experts in designing, implementing, and supporting any business’ compliance strategies. With the GDPR finally going into effect in the EU and data security and personal privacy constant hot-button issues in the U.S., now is the time to build a compliant data security system for all the sensitive data your organization deals with. Call us today at 02 98730080 to see how our professional IT technicians can help you stay compliant.


Are Healthcare Providers Meeting HITECH Standards?

Compliance can be difficult for some businesses. They might know that it’s a necessity, and may even know what they have to do, but they just have trouble implementing practices that are designed to guarantee they meet their regulatory responsibilities. HIPAA and HITECH compliance laws in particular are difficult to navigate, and the results of failing to adhere to them can be dire.

Just a few years ago, in 2016, the Office for Civil Rights (OCR) and the Department of Health and Human Services investigated data breaches; the results of this investigation led to identifying several violations of these laws. The investigation resulted in a total of 12 settlements, as well as one civil penalty, amounting to approximately $25,505,300 in fines.

The numbers in 2017 are slightly more optimistic. This past year, there were only nine HIPAA settlements and a single monetary civil penalty, totaling $19,393,000 in fines. While it’s clear that something is working, it’s not clear exactly what is or isn’t, but we know one thing for sure: businesses don’t want to pay money for failing to adhere to compliance laws, yet that alone doesn’t ensure that everyone meets their requirements.

The types of violations that led to these penalties aren’t particularly varied. Most of them stemmed from a failure to safeguard protected health information, or PHI, but a couple came from different reasons. The cited reasons include:

  • Insufficient ePHI access control
  • Impermissible disclosure of ePHI
  • Careless handling of PHI
  • Multiple HIPAA violations
  • Delayed breach notifications
  • Lack of security management process
  • Lack of a business associate agreement

Another notable trend can be seen in the failure of organizations to secure their mobile devices in a way that complies with HIPAA and HITECH. Furthermore, the failure to implement proper security processes and the delayed notification of breaches are at the heart of many of these fines.

Recently, a well-publicized lawsuit was filed in federal court against 60 Indian hospitals over a failure to adhere to the HITECH Act. These hospitals had allegedly failed to provide records and documentation for as many as 50% of their patients within three business days of the request. As one of the requirements of receiving funding from the HITECH Act, this is a big issue for hospitals.

As a result of these failures, these hospitals face charges of well over $1 billion for failing to provide healthcare documents when asked to produce them. They obtained $324 million through the HITECH Act, but failed to adhere to its requirements. Additionally, the hospitals allegedly violated the Anti-Kickback Statute and the False Claims Act by falsely claiming that they met the requirements of the HITECH legislation.

While it’s true that not all businesses need to consider healthcare compliance, it’s more likely than not that your organization works with some sort of sensitive information that is subject to compliance laws. To find out now if your organization is in trouble with compliance laws, reach out to us at 02 98730080.


Data Loss Can (and Will!) Affect Your Entire Business

Data loss, on any scale, is an organizational nightmare. Not only do you have to restore the data, any lost productivity that comes as a result of the data loss incident is hard on the budget. That’s only scratching the surface of how serious data loss can be.


At Up to a $50K Fine Per Violation, You Can’t Afford Not to Be Compliant

Technology is being deployed to help businesses of all kinds, including medical offices and other health-related facilities. By taking advantage of electronic medical records (EMR), organizations are capable of managing their files in previously unprecedented ways. Unfortunately, even as it eliminates the majority of physical records, the move to a digital environment brings two problems of its own: hackers and regulatory compliance laws.

Offices that fail to adapt to these changes in specific industries could be the target of compliance fines, which are more than capable of breaking budgets and hindering growth. If your office doesn’t take measures to ensure that all regulatory compliance laws are adhered to, your organization could be subject to fines that range anywhere between $100 and $50,000 per record. Your business literally cannot afford to pay for something that’s entirely preventable.

To help your business ensure compliance with regulatory laws like HIPAA, HITECH, and PCI, we’re going to go over them in detail and tell you what you need to know.

HIPAA
HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a series of compliance regulations used to enforce the privacy of electronic medical records. HIPAA covers the medical staff, patients, and employees of all healthcare-related organizations, including health insurance providers. To put it in layman’s terms, HIPAA gives patients the right to know how their electronic medical records are stored and used, and to make sure that health records and financial information are being stored according to HIPAA’s security specifications.

HITECH
The Health Information Technology for Economic and Clinical Health Act was part of a 2009 initiative to encourage medical practices to adopt new technology solutions that can improve their operations. HITECH looks at part of how HIPAA handles user privacy, stating that organizations covered by HIPAA need to report data breaches of 500+ affected users to the United States Department of Health and Human Services, the media, and to those who were affected. Additionally, HITECH alters the way that organizations handle the disclosure of electronic medical records, and how this information can be used throughout the caregiving process.

PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that must be met before an organization can implement major card-processing technology systems. This is especially important, as credit card information is one of the most targeted pieces of data that a hacker will try to get their hands on. It doesn’t matter which industry you fall into; if you accept credit or debit card payments, you need to be PCI compliant. Some examples of required controls include maintaining a firewall that protects cardholder data, restricting access to card numbers on a “need-to-know” basis, and tracking and monitoring network resources, including all access to cardholder data.

Understanding compliance regulation isn’t something that comes naturally for everyone, but we want to help you better decipher laws that your organization might be subject to. For more information about HIPAA, HITECH, or PCI, give us a call at 02 98730080.


Contact Us

Learn more about what PCSOFT can do for your business.

PCSOFT
Unit 2/8 Gallipoli Street
Smeaton Grange, NSW 2567