The phrase “regulatory compliance” often strikes fear in even the most seasoned executives, but it doesn’t need to be that way. Education and awareness are critical, so let’s look at the top two regulations that your company may need to think about – Payment Card Industry Data Security Standard (PCI-DSS) and Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Regulatory compliance refers to the steps put in place by an organization to comply with state, federal, and international laws and regulations that are relevant to its business operations. If regulatory compliance is violated, there can be monetary and even criminal penalties that a company may incur.
If your company directly accepts payments for goods or services through payment cards (VISA, AMEX, and Discover for example), you need to have a plan for PCI-DSS compliance.
PCI-DSS was established to prevent payment card fraud. It does this by requiring a standardized set of controls (rules) at every merchant that accepts cards. This is a good thing: it increases your customers’ confidence because they know you are actively working to protect their card data. The standard groups its requirements under six control objectives:
1. Build and Maintain a Secure Network and Systems
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy
Let’s quickly break down each of the objectives:
Simply put, the company needs to have basic security in place. This means having a firewall and requiring passwords on all computers. Never leave default passwords on any system or software.
If you take orders over the phone, do not write cardholder information on a notepad or sticky note. Preferably, the numbers are entered directly into your terminal system or software and are never stored anywhere else.
Make sure you are using up-to-date anti-virus and anti-malware protection on all systems. All operating systems must be current and patched, and third-party software must be kept up to date.
Limit access to, and physically protect, the equipment used to process transactions. If you must write down card data, shred it as soon as it is no longer needed. When a system used to process transactions is decommissioned, its drives must be destroyed.
Network scans, both internal and external, need to be performed on a regular schedule and again whenever there is a change to systems or software.
Establish and maintain an information security policy, and review it at least annually. Train employees on security awareness and social engineering. Screen new employees to reduce the likelihood of internal breaches. Lastly, have an incident response plan in place in case of a data breach.
There are a lot of things to consider. If you need help understanding any of these controls, reach out to your IT Security Professional or Edge Networks.
HIPAA was passed into law to provide a framework to safeguard Protected Health Information (PHI).
PHI is defined as any piece of information in an individual’s medical records that could be used to identify them personally. Basic examples include name, Social Security number, and date of birth. Many other identifiers are included, and the list continues to evolve as more technology is used in healthcare.
If your company is healthcare-focused, then you are very familiar with HIPAA. Your company falls into a group called “covered entities”.
You might feel a sense of relief when you notice that you are not on the list of covered entities. However, you may not be off the hook just yet. If you perform work for these organizations, you may be what is known as a business associate, and you must also be compliant. In this situation, you must enter into a contract called a Business Associate Agreement (BAA).
The BAA details what information your company has a responsibility to protect. A few examples of service companies considered business associates are shredding services, attorneys, accountants, marketing services, and transportation services. This is not an exhaustive list. Please check with legal counsel if you are unsure.
To ensure health data protection is taken seriously, unauthorized disclosure of PHI can carry monetary penalties. Penalties are levied based on the severity of a given disclosure and the degree of negligence involved, and the amounts are adjusted for inflation annually.
Individuals involved in disclosures can also incur criminal penalties, again based on the severity of the disclosure and the negligence involved. If an individual has profited from the theft, access, or disclosure of PHI, those monies may also have to be forfeited in addition to the fine.
The value of PHI on the black market continues to increase, which has been a strong temptation for some individuals given recent economic conditions. Social engineering and malware attacks aimed at gaining access to this valuable data are on the rise.
It is imperative that organizations subject to this Act take appropriate actions to reduce the risk of breaches.
This is just a brief glimpse of the two main regulations that you may encounter in your business. It is best practice to review your compliance policies at least annually, and certainly when a change is made to the regulations.
If your company lacks in-house talent with the detailed knowledge needed to ensure compliance, we recommend that you consult with legal counsel. For the technical and operations aspects, you should reach out to a knowledgeable compliance and technology partner like Edge Networks to assist you with your journey into the compliance world. The investment will immediately begin to pay for itself because you just cannot put a price on your peace of mind. Contact us today for a free, 30-minute consultation.