While there are numerous security regulations that might apply to your company — like SOX, which deals in issues surrounding corporate governance — in this post we’re going to focus specifically on the three your business is most likely to fall within the scope of: HIPAA, PCI-DSS, and GLBA.
In our last post we talked about which areas these compliance laws regulated, and who they affect — but we didn’t get into the how. This week, that’s our subject: the hows of building your business’ compliance strategy.
Knowing where to get started with these regulations is no easy task. Some comprise hundreds of pages of nearly impenetrable legalese — bodies of text in possession of such weight and heft that tripping over one would very much risk you a broken toe. Since nobody wants the irony of having to explain to the harried nurse handling their charts that a freak run-in with a HIPAA hardback is what sent them to the ER, we’ve taken the risk for you and dug into them ourselves.
Choosing the right compliance technology doesn’t have to be a headache, but for many companies, it is.
To make your transition to compliance as painless as possible, check out our HIPAA, PCI-DSS, and GLBA checklists below, bearing in mind that these are just a general starting point for businesses like yours.
| HIPAA (Health Insurance Portability and Accountability Act) | |
|---|---|
| What it is | A federal law that enshrines a patient’s right to privacy and requires businesses to implement security protocols to ensure the confidentiality of electronic protected health information (ePHI). |
| Technical Safeguards | |
| Physical Safeguards | |
| Administrative Safeguards | |
| Payment Card Industry Data Security Standard (PCI-DSS) | |
|---|---|
| What it is | A set of technical and operational requirements for organizations accepting or processing payment transactions. |
| Build and Maintain a Secure Network and Systems | |
| Protect Cardholder Data | |
| Maintain a Vulnerability Management Program | |
| Implement Strong Access Control Measures | |
| Regularly Monitor and Test Networks | |
| Maintain an Information Security Policy | |
| Gramm-Leach-Bliley Act (GLBA) | |
|---|---|
| What it is | An act that requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. |
| Assign Controller(s) | Designate one or more employees to coordinate your information security program. |
| Perform Risk Assessment | Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks. |
| Establish Safeguards | Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures. |
| Ensure Provider Oversight | Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information. |
| Make Adjustments | Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring. |
Even in bullet points it’s a lot to process, but with a bit of strategy, and perhaps a checklist or three highlighting the various requirements you’ll need to fulfill, you can go a long way towards achieving compliance free from headaches (or an ironic trip to the ER).
For a solution tailored to your business, it is always advisable to reach out to a company with knowledge and experience in compliance technology design, policy, and implementation.
Contact JNT TEK today for guidance on how to establish top-to-bottom IT compliance within your company, and learn more about how to adhere to your industry’s security regulations.