While there are numerous security regulations that might apply to your company — like SOX, which deals in issues surrounding corporate governance — in this post we’re going to focus specifically on the three your business is most likely to fall within the scope of: HIPAA, PCI-DSS, and GLBA.
In our last post we talked about which areas these compliance laws regulated, and who they affect — but we didn’t get into the how. This week, that’s our subject: the hows of building your business’ compliance strategy.
Knowing where to get started with these regulations is no easy task. Some comprise hundreds of pages of nearly impenetrable legalese — bodies of text of such weight and heft that tripping over one would put a toe at real risk. Since nobody wants the irony of having to explain to the harried nurse handling their chart that a freak run-in with a HIPAA hardback is what sent them to the ER, we’ve taken the risk for you and dug into them ourselves.
Choosing the right compliance technology doesn’t have to be a headache, but for many companies, it is.
To make your transition to compliance as painless as possible, check out our HIPAA, PCI-DSS, and GLBA checklists below, bearing in mind that these are just a general starting point for businesses like yours.
| HIPAA (Health Insurance Portability and Accountability Act) |
|---|
| What it is: A federal law that enshrines a patient’s right to privacy and requires businesses to implement security protocols to ensure the confidentiality of electronic protected health information (ePHI). |
| Payment Card Industry Data Security Standard (PCI-DSS) |
|---|
| What it is: A set of technical and operational requirements for organizations accepting or processing payment transactions. |
| Build and Maintain a Secure Network and Systems |
| Protect Cardholder Data |
| Maintain a Vulnerability Management Program |
| Implement Strong Access |
| Regularly Monitor and Test Networks |
| Maintain an Information Security Policy |
| Gramm-Leach-Bliley Act (GLBA) | |
|---|---|
| What it is: An act that requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. | |
| Assign Controller(s) | Designate one or more employees to coordinate the company’s information security program. |
| Perform Risk Assessment | Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks. |
| Establish Safeguards | Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures. |
| Ensure Provider Oversight | Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information. |
| Make Adjustments | Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring. |
Even in bullet points it’s a lot to process, but with a bit of strategy, and perhaps a checklist or three highlighting the various requirements you’ll need to fulfill, you can go a long way towards achieving compliance free from headaches (or an ironic trip to the ER).
For a specific solution, it is always advisable to reach out to a company with knowledge and experience in compliance technology design, policy, and implementation.
Contact JNT TEK today for guidance on how to establish top-to-bottom IT compliance within your company, and learn more about how to adhere to your industry’s security regulations.