You did it — you passed your PCI (or SOX, HIPAA, GLB, etc.) audit! But the work isn’t over. A recent Verizon study found that most companies fall out of PCI compliance within about nine months of passing. And it doesn’t stop with PCI, either. Many companies work hard around audit time to ensure they can report compliance for the audit period and advertise their security, only to let controls lapse once the audit is complete.
Staying compliant is not just a marketing point. For PCI, it means being able to continue doing business with the card brands and their acquiring banks. For other standards like HIPAA and SOX, it means avoiding hefty fines and legal consequences.
Unfortunately, simply checking the compliance boxes doesn’t mean you’re safe for the foreseeable future. Compliance has to be maintained continuously throughout the year, not just when the auditors are knocking on your door.
While many organizations combine Security and Compliance under a single banner, and there is nothing inherently wrong with having a Chief Security and Compliance Officer or managing risk mitigation under a single umbrella, the fact is that compliance and security measures are two overlapping but inherently different practices of information security.
Compliance standards change frequently and require quite a bit of work to enforce across an entire organization. Audit trails, regulator inspections, minimum mandates…they have to be tracked and adhered to 24/7. But meeting compliance standards can also put blinders on a security administrator.
Simply meeting a compliance mandate — or even four or five — does not mean that your infrastructure is up to snuff with security best practices: a standard sets a minimum bar for a specific scope of data, not a ceiling for the whole environment. Nor does following industry security best practices guarantee that you’ll pass your next compliance audit, since auditors check for the specific documented controls the standard names.
After years of waiting, the Office for Civil Rights (OCR) has finally sent out its initial round of notice letters for HIPAA audits. This first batch consists of 167 covered entities, who will have to answer a list of audit questions and provide a complete list of their Business Associates (BAs). BAs are where hosting partners come into play: a HIPAA compliant data center must sign a Business Associate Agreement (BAA) with each covered healthcare provider it serves. The OCR will use these lists of BAs to choose around 30 BAs to audit, starting in September.
Even if your organization did not receive an audit letter, know that up to 50 more covered entities and BAs will face comprehensive on-site audits by OCR in early 2017. Now that OCR audits are upon us, how can healthcare providers and their business associates prepare?
In the IT world, if it isn’t logged or documented, it might as well never have happened. Without properly tracking change management, even for routine processes, it can be impossible to discover why a system stopped working, or worse. Technicians might be stuck halfway through a switch upgrade, unable to retrace their steps when they realize the equipment install won’t work. Or an entire organization could be held accountable under the law because it cannot demonstrate its compliance.
IT documentation, in other words, is an essential if occasionally painstaking piece of data center operations. At Green House Data, we document everything we possibly can. Outside of support or internal emergency responses, which are always tracked in a ticket, planned changes must go through a five-step process so that each change is recorded and can be learned from.
The Patient Protection and Affordable Care Act of 2010 (ACA) requires each state to have a health insurance Exchange, a marketplace where consumers can shop around for health insurance and find the best option for them by comparing price, benefits, services, and quality. In order to obtain Health Insurance Exchange (HIX) compliance, Section 1561 requires that certain security standards and protocols be met by these Exchanges to protect the confidentiality, integrity, and availability of the system and its users’ data.
These Minimum Acceptable Risk Standards for Exchanges (MARS-E) are separated into three classes: technical, operational, and management. Together the classes consist of nineteen control families, covering everything from Personally Identifiable Information (PII) and Protected Health Information (PHI) to Federal Tax Information (FTI).
If you find yourself dreading the thought of another audit, viewing it as more of a hassle than anything else, you may be suffering from the widespread but little known "Compliance Fatigue".
The Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. After years of testing and delays, the second round of HIPAA audits is finally materializing, and it is expected to be more comprehensive, focusing on the real-world application of policies and procedures across the entire organization and its business associates (BAs).
This program puts to the test the processes, controls, and policies of covered entities (CEs) and BAs in accordance with the HITECH Act audit mandate. The OCR has published its entire audit protocol on its website, which outlines the procedures auditors must follow when conducting a program audit, making it easier to prepare.
Is your health organization ready for the OCR auditor?
As faster network speeds, MPLS networks between data centers, and software-defined technologies proliferate, it becomes easier than ever to host some applications across the country—or even across the world—without noticeable impact on the end user.
However, for other cloud computing uses, data center location can have major implications for performance (latency), compliance (data residency rules), and disaster recovery (geographic separation from the primary site). There are two camps on the issue of data center locations for cloud infrastructure: yes, it matters, and no, it doesn’t make much of a difference.
Security is already high on the totem pole of IT priorities, but with 2015 kicking off with the massive Anthem health breach, encryption is a hotter topic than ever.
Many compliance mandates require or encourage some form of encryption, including the commonly encountered PCI and HIPAA standards. The HIPAA Security Rule treats encryption as an "addressable" specification rather than a required one: if you decide not to encrypt, you must document, in writing, why encryption is not reasonable and appropriate in your environment and what equivalent safeguard you put in place instead. Which, let’s be honest, if you are disclosing a large breach to the public as required, encryption was probably necessary.
There are many encryption methods and vendors on the market, but all of them require access to an encryption key in order to decrypt the protected data. If a malicious actor gets their hands on that key, the encryption provides no protection at all: a key compromise is equivalent to a data compromise, so encrypted data is only as secure as the key that protects it.
This means that every enterprise needs a secure, organized system to manage all of its encryption keys: keys stored separately from the data they protect, access restricted to the systems and people that need them, every use logged, and a way to rotate keys and retire old ones. As data sets are updated with new keys, new data is added, different encryption systems are introduced, and user access is modified, encryption key management becomes even more essential.
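The common pattern for keeping key management tractable is envelope encryption: each record is encrypted under its own data-encryption key (DEK), and the DEK is stored wrapped under a key-encryption key (KEK) that lives in a separate key store. Rotating the KEK then only means re-wrapping small DEKs, never re-encrypting the data, and retiring a KEK makes anything still wrapped under it unrecoverable. The example below is an added illustration written for this page, not code from the original post or from any vendor's product; the in-memory `KeyStore` stands in for an HSM or KMS, and the names `EnvelopeRecord`, `Rotate`, `Rewrap` and `Retire` are assumptions for the sake of illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopeRecord is what is stored next to the data: the ciphertext, the
// data-encryption key (DEK) wrapped under a key-encryption key (KEK), and
// the KEK version that wrapped it. (Hypothetical layout for this example.)
type EnvelopeRecord struct {
	KEKVersion int
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// KeyStore holds every KEK version. In production this is an HSM or a KMS
// with access control and audit logging; here it is an in-memory map
// (assumption made for this example).
type KeyStore struct {
	keks    map[int][]byte
	current int
}

// NewKeyStore creates a store with one initial KEK version.
func NewKeyStore() (*KeyStore, error) {
	ks := &KeyStore{keks: map[int][]byte{}}
	if _, err := ks.Rotate(); err != nil {
		return nil, err
	}
	return ks, nil
}

// Rotate generates a new KEK and makes it current. Older versions are kept
// so records wrapped under them can still be opened until they are rewrapped.
func (ks *KeyStore) Rotate() (int, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return 0, err
	}
	ks.current++
	ks.keks[ks.current] = k
	return ks.current, nil
}

// Retire deletes a KEK version. Any record still wrapped under it is lost.
func (ks *KeyStore) Retire(version int) { delete(ks.keks, version) }

// seal encrypts with AES-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or a tampered ciphertext fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt uses a fresh DEK per record and wraps it under the current KEK.
func (ks *KeyStore) Encrypt(plaintext []byte) (*EnvelopeRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(ks.keks[ks.current], dek)
	if err != nil {
		return nil, err
	}
	return &EnvelopeRecord{KEKVersion: ks.current, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK version named in the record, then opens the data.
func (ks *KeyStore) Decrypt(rec *EnvelopeRecord) ([]byte, error) {
	kek, ok := ks.keks[rec.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d is not available; record is unrecoverable", rec.KEKVersion)
	}
	dek, err := open(kek, rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Ciphertext)
}

// Rewrap moves a record onto the current KEK without touching the bulk ciphertext.
func (ks *KeyStore) Rewrap(rec *EnvelopeRecord) error {
	oldKEK, ok := ks.keks[rec.KEKVersion]
	if !ok {
		return fmt.Errorf("KEK version %d is not available", rec.KEKVersion)
	}
	dek, err := open(oldKEK, rec.WrappedDEK)
	if err != nil {
		return err
	}
	wrapped, err := seal(ks.keks[ks.current], dek)
	if err != nil {
		return err
	}
	rec.WrappedDEK, rec.KEKVersion = wrapped, ks.current
	return nil
}

func main() {
	ks, _ := NewKeyStore()
	rec, _ := ks.Encrypt([]byte("constructed sample: patient 42, MRI 2015-02-01"))
	ks.Rotate()
	ks.Rewrap(rec) // ciphertext unchanged, only the 32-byte DEK is re-wrapped
	ks.Retire(1)
	pt, err := ks.Decrypt(rec)
	fmt.Printf("%q %v\n", pt, err)
}
```

Two things the code makes concrete: rotation cost is proportional to the number of records' DEKs (tiny), not to the size of the data, and retiring a KEK is a destructive operation that must be preceded by rewrapping everything still bound to it, which is exactly the inventory problem key management systems exist to solve.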
Healthcare providers who are researching and implementing new digital tools and electronic health records (EHRs) quickly realize that infrastructure costs can climb, especially for large file sets like medical imagery.
Some organizations may find that cloud or colocation is not cost effective while they still run in-house infrastructure; others may be looking for a disaster recovery solution, or for new systems or software that must work together with their current Picture Archive and Communication System (PACS) or EHR environment.
By combining existing patient record systems with Vendor Neutral Archiving (VNA) and Enterprise Content Management (ECM) tools hosted with a compliant cloud vendor, providers can build a central repository of patient information that is both economical and powerful.