HIPAA and PCI-DSS
Data security is a significant issue for both financial services and healthcare organizations as online threats proliferate. Both the PCI Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) set standards and guidelines to protect consumers and organizations against cyber-attacks and ensure online security.
PCI Data Security Standard
Payment security is critical for every merchant and financial services institution that stores, processes or transmits cardholder payment data. The PCI Data Security Standard (PCI DSS) defines the security requirements for protecting payment card data, and provides validation procedures and guidance that help organizations understand those requirements.
The standards are focused on the threats and risks present in the payment industry and are meant for all organizations involved in storing, processing, or transmitting payment card data. PCI standards also provide foundational security requirements across twelve main security objectives to protect payment environments. As a model framework for payment security, the PCI Data Security Standard integrates best practices from the largest global financial services corporations, including:
- Buying and using only approved PIN entry devices at points-of-sale.
- Buying and validating payment software at POS or website shopping carts.
- Not storing any sensitive cardholder data in computers or on paper.
- Using a firewall on networks and PCs.
- Making sure wireless routers are password-protected and use encryption.
- Using strong passwords and changing default passwords on hardware and software.
- Checking PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
- Teaching employees about security and protecting cardholder data.
- Following the PCI Data Security Standard.
Health Insurance Portability and Accountability Act (HIPAA)
Health Insurance Portability and Accountability Act (HIPAA) compliance regulations require organizations to comply with the HIPAA Security Rule to protect electronic protected health information (ePHI) through integrity controls, access controls, audit controls and network security. The Security Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information.
The Technical Safeguards required for Security Rule compliance ensure that only authorized entities can access electronic protected health data. Practices that support compliance with these rules include:
- Identifying and mapping data that must be HIPAA protected on-premises or in the cloud.
- Determining which users should have access to HIPAA data and granting permissions to read, write or execute only the files, resources or network access they need to do their jobs.
- Monitoring user access to HIPAA protected data.
- Creating notification alerts when a user accesses or stores HIPAA data in a non-compliant repository.
- Protecting network access with a VPN, endpoint security, two-factor authentication, strong passwords, and session timeouts.
- Continuously monitoring user activity across the network, both on-premises and in the cloud.
HIPAA compliance from Technical Framework
Technical Framework provides HIPAA compliance scanning and issue remediation services for small- to medium-sized healthcare facilities, as well as PCI-DSS scanning and remediation services for companies that process or store credit card information. Technical Framework also implements and maintains PCI-DSS and HIPAA best practices to help clients ensure their IT security, productivity and regulatory compliance.