While there are numerous security regulations that might apply to your company (SOX, for example, concerns corporate governance and financial reporting), in this post we're going to focus specifically on the three compliance regimes your business is most likely to fall within the scope of: HIPAA, PCI-DSS, and GLBA. Strictly speaking, PCI-DSS is an industry standard enforced through your contracts with the card brands and your acquiring bank rather than a law, but the obligations are just as real.

In our last post we talked about what these compliance regimes regulate and whom they affect, but we didn't get into the how. This week, that's our subject: the hows of building your business' compliance strategy.

Knowing where to get started with these regulations is no easy task. Some comprise hundreds of pages of nearly impenetrable legalese, bodies of text of such weight and heft that tripping over one would very much risk a broken toe. Since nobody wants the irony of having to explain to the harried nurse handling their chart that a freak run-in with a HIPAA hardback is what sent them to the ER, we've taken the risk for you and dug into them ourselves.

Choosing the right compliance technology doesn't have to be a headache, but for many companies it is.

To make your transition to compliance as painless as possible, check out our HIPAA, PCI-DSS, and GLBA checklists below, bearing in mind that they are a general starting point for businesses like yours, not a substitute for the text of each rule or for a formal gap assessment against it.

HIPAA (Health Insurance Portability and Accountability Act)
What it is: A federal law whose Privacy Rule establishes patients' rights over their health information and whose Security Rule requires covered entities (providers, health plans, and clearinghouses) and their business associates to implement administrative, physical, and technical safeguards protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI).
Technical Safeguards
  1. Implement access controls so that only authorized users can reach ePHI: a unique user ID for every user, authentication of every person or entity before access is granted, and an emergency-access procedure for obtaining ePHI during an outage.
  2. Enact integrity controls to confirm ePHI isn't altered or destroyed in an unauthorized manner, and to detect it when it is.
  3. Encrypt ePHI at rest and in transit. Encryption is an "addressable" specification in the Security Rule, which does not mean optional: you must either implement it or document why an equivalent alternative is reasonable and appropriate for your environment.
  4. Implement audit controls that record and let you examine activity in every system that stores or processes ePHI, and review those logs regularly.
  5. Configure workstations and devices to terminate sessions automatically after a period of inactivity.
Physical Safeguards
  1. Implement facility access controls limiting physical access to systems holding ePHI to authorized personnel, while still allowing authorized access during an emergency.
  2. For workstations with ePHI access, set policies governing their proper use and placement, and protect them so that only authorized personnel can see or use them.
  3. Implement device and media controls for any hardware or media that holds ePHI, mobile devices included: track where it goes, back up ePHI before moving equipment, sanitize or destroy media before disposal or re-use, and remove ePHI from employee devices at offboarding.
Administrative Safeguards
  1. Establish a security management process built on risk management: designate a Security Officer (and, under the Privacy Rule, a Privacy Officer) responsible for conducting regular, thorough risk analyses, remediating the risks they find, and maintaining HIPAA-compliant policies and procedures.
  2. Train all workforce members on your HIPAA policies; they should be able to follow company procedures and recognize and report a possible breach. Apply documented sanctions to workers who violate your security policies.
  3. Develop a contingency plan, including data backup, disaster recovery, and emergency-mode operation procedures, so that ePHI stays intact and available and your business processes won't grind to a halt in the face of an emergency. Test the plan, not just write it.
  4. Restrict third-party access to ePHI to what each business associate or subcontractor actually needs, and put a business associate agreement in place before any access is granted.
  5. Report breaches as required by the HIPAA Breach Notification Rule: notify affected individuals without unreasonable delay and no later than 60 days after discovery, notify HHS (promptly for breaches affecting 500 or more individuals, annually for smaller ones), and notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction.
Payment Card Industry Data Security Standard (PCI-DSS)
What it is: A set of technical and operational requirements, maintained by the PCI Security Standards Council, for every organization that stores, processes, or transmits cardholder data, and for any system that can affect the security of that data. The twelve requirements below use the wording of PCI DSS v3.2.1; v4.0 restates them (for example "network security controls" in place of "firewall configuration") and v3.2.1 was retired on 31 March 2024, so confirm which version your assessor will test against. Assessment scope is the cardholder data environment (CDE), so reducing where card data lives, through network segmentation and by not storing it at all where you can avoid it, shrinks the work.
Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
  3. Protect stored cardholder data: render the PAN unreadable wherever it is stored, mask it when displayed, and never store sensitive authentication data (full track data, card verification codes, PINs) after authorization, even in encrypted form.
  4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know.
  8. Identify and authenticate access to system components.
  9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel.
Gramm-Leach-Bliley Act (GLBA)
What it is: A federal law that requires financial institutions to explain their information-sharing practices to their customers (the Privacy Rule) and to safeguard sensitive customer data (the Safeguards Rule). The checklist below follows the five elements of the FTC Safeguards Rule. Note that the FTC amended that rule in 2021, with most of the new requirements effective June 2023: it now calls for a single Qualified Individual to run the program, a written risk assessment, encryption of customer information at rest and in transit, multi-factor authentication for anyone accessing customer information, a written incident response plan, and regular reports to your board.
Assign a Coordinator: Designate one or more employees to coordinate your information security program.
Perform a Risk Assessment: Identify and assess the risks to customer information in each relevant area of the company's operations, and evaluate the effectiveness of the current safeguards for controlling those risks.
Establish Safeguards: Design and implement information safeguards to control the risks you identify through the risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures.
Ensure Provider Oversight: Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain those safeguards, and oversee their handling of customer information.
Make Adjustments: Evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business or operations, or the results of security testing and monitoring.

Even in bullet points it’s a lot to process, but with a bit of strategy, and perhaps a checklist or three highlighting the various requirements you’ll need to fulfill, you can go a long way towards achieving compliance free from headaches (or an ironic trip to the ER).

For a specific solution, it is always advisable to reach out to a company with knowledge and experience in compliance technology design, policy, and implementation.

Contact JNT TEK today for guidance on how to establish top-to-bottom IT compliance within your company, and learn more about how to adhere to your industry’s security regulations.