Almost every business today is faced with some sort of compliance requirements for securing sensitive information. Retailers usually are faced with the complexities of PCI. Healthcare providers and even employers of a certain size have to comply with HIPAA regulations. Financial institutions must comply with FFIEC.
Even if the organization doesn’t fall under one of these industry-specific regulations, all but 3 US states have enacted security breach laws that can have severe consequences: loss of revenue, loss of customer confidence, and substantial penalties and costs are a few possible examples.
Let’s take a look at how Sentry Risk Intelligence can help businesses comply with the top two compliance initiatives: PCI and HIPAA.
Any merchant accepting credit cards needs to comply with the PCI-DSS, or Payment Card Industry Data Security Standard. This compliance framework was brought forth by the major payment card brands to help reduce the number of breaches in which large volumes of payment card data were being exfiltrated and sold on the black market.
Billions of dollars in fraud loss is enough to get anyone motivated.
The PCI DSS comprises 6 key areas of focus covering 12 requirements. The 6 key areas are:
- Build and Maintain a Secure Network & Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Here are some key areas of focus where Sentry Risk Intelligence can help customers comply with the PCI DSS.
Protect Cardholder Data
Sentry Risk Intelligence provides supporting evidence for the requirements in this focus area by:
- discovering unencrypted cardholder data at rest, and
- determining which users have access to it.
One of the key tenets of the PCI DSS is to never store PAN (Primary Account Number), Track 1 or Track 2 data from cards in an unencrypted format. If an organization is found to have this data unencrypted on its systems, it is an automatic failure of PCI compliance. Furthermore, the organization is required to provide evidence that it is not storing this data.
The Sentry Risk Intelligence Data Breach Risk Scan report output provides this evidence for the PCI Auditor.
Maintain a Vulnerability Management Program
Sentry RI includes one of the most powerful vulnerability scanners on the market. Using it helps organizations identify vulnerabilities on systems where card data is being processed. It also helps them perform and prioritize remediation efforts, because its reporting aggregates vulnerabilities by problem scope and vendor.
This allows quick remediation of vulnerabilities and removes a larger percentage of problems with less effort.
Implement Strong Access Control Measures
Sentry Risk Intelligence helps organizations in this key focus area understand the answer to a very important question: Who Has Access to My Sensitive Data?
Requirement 7 in the PCI DSS instructs organizations to restrict access to cardholder data by business need-to-know. Sentry RI provides the needed intelligence for you to audit user access to these sensitive data stores and remove excessive permissions as needed.
The Health Insurance Portability and Accountability Act was enacted August 21st 1996. In short, this law was designed to help improve the portability and continuity of insurance coverage, to combat fraud and waste in health insurance and to define national standards for electronic healthcare transactions as well as national identifiers for providers, plans and employers.
Title 1 of this legislation provides the support for portability and continuity of insurance coverage. This is not an area where Sentry RI can help.
Title 2 of this legislation provides support for national standards, among them being security requirements. This is definitely an area where Sentry RI can assist with compliance.
Protected Health Information (PHI)
PHI under US law is any information about health status, provision of health care, or a payment for health care that is created or collected by a “Covered Entity” (or a Business Associate of a Covered Entity), and can be linked to a specific individual.
Under HIPAA, PHI that is linked to an individual through any of the following identifiers must be treated with special care:
- Certificate/license numbers
- Social security numbers
- Fax numbers
- Email addresses
- Full face photo images
- Device identifiers and serial numbers
- Biometric identifiers (e.g. finger, retinal or voice prints)
- Any other unique identifying number, characteristic or code
- Account numbers
- Vehicle identifiers, including serial and license plate numbers
- Phone numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Geographical identifiers smaller than a state
- Dates (other than year) directly related to an individual
- IP addresses
Understanding the Security Rule
The Security Rule of HIPAA regulations deals specifically with EPHI, or PHI that is stored electronically. While the Privacy Rule pertains to all PHI, paper and electronic alike, the Security Rule lays out three types of security safeguards required for compliance: administrative, physical and technical.
- Administrative Safeguards are a collection of policies and procedures designed to clearly show how the organization will comply with the act.
- Physical Safeguards control physical access to protect against inappropriate access to PHI.
- Technical Safeguards control access to computer systems and protect communications containing EPHI over open networks from being intercepted by anyone but the intended recipient.
Sentry Risk Intelligence and Technical Safeguards
Sentry RI can help businesses comply with the HIPAA Security Rule regarding the following technical safeguards:
Systems housing PHI must be protected from intrusion: You can’t protect against intrusion without understanding how the intrusion could occur. Utilizing the Data Breach Risk Intelligence report to illustrate where PHI exists, who has access to it and how hackers can gain access is critical to remediating and protecting systems.
Documented risk analysis and risk management programs are required: These place responsibility on the organization to take all reasonable precautions necessary to prevent PHI from being used for non-health purposes. Monthly Data Breach scanning and reporting helps organizations document their risk analysis of PHI and allows them to be proactive in remediating risks to prevent PHI from being used for non-health purposes.
The End Game
At the end of the day, businesses need to determine an agreeable liability amount for their workplace. Then, Sentry RI can be used over time to manage that environment to stay below the threshold.
This can only be done by performing regular RI scans in order to verify that prior remediations are still in place and that no new, unprotected sensitive data has appeared.