You might assume, given the time of year, I’d be referring to a sunburn. You would be wrong. Possibly to the tune of $100,000.00.

My last few articles have focused on the average computer user. This one takes aim at a specific sector of users and businesses: people and companies that deal with HIPAA (Health Insurance Portability and Accountability Act) and PCI (Payment Card Industry). In general terms, HIPAA applies to anyone dealing in personal data collected through Health and Human Services organizations such as doctors and dentists. PCI deals with personal information captured through the use of a credit card.

Every individual has a legal right to have their personal information protected from unauthorized disclosure. When such a breach occurs, the consequences can be devastating to the individual. Identities stolen; bank accounts emptied. They can also be devastating to the company that allowed the breach to occur. The government, at both the local and federal level, has put into place rules and regulations that companies and organizations must follow to prevent such an occurrence. When a breach occurs, the government can look back over many years to see whether the organization was, and still is, in compliance with those regulations. Here are the rules in a very high-level format. Within each of these there are required implementation specifications and addressable ones. The “addressable” designation does not mean that an implementation specification is optional. However, it permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity, or as Clint Eastwood once said, “Do you feel lucky?”

Make sure you have a secure network:

•    Make sure your firewall configuration protects cardholder data.
•    Make sure all passwords meet updated security standards.

Protect all of the personal cardholder data:

•    Encrypt transmission of cardholder data.

Put in place a monitoring and management program for your systems:

•    Monitor and update anti-virus software.
•    Create and implement a way to secure your systems and applications. These include, but are not limited to, updates to the operating system and third-party applications.

Implement strong access control procedures:

•    Restrict access to cardholder data by need-to-know.
•    Assign a unique User ID for each employee or user of the system.
•    Restrict physical access to all systems that contain personal data.

Create and use a monitoring procedure for all your networks:

•    Include the ability to monitor and track access throughout your entire network.
•    Set and implement a schedule to test the security controls and processes you’ve put into place.

Maintain an Information Security Policy:

•    Create and maintain a policy that addresses all of the information above.

If the above information relates to you or your business and it’s started you thinking, let me add a little more context.

You’re a small office, say a dentist, doctor, accountant or orthopedic practice. You have a bookkeeper or some other professional access your systems, either on-premise or remotely, for legitimate reasons. Did you know you must have written agreements with those third-party vendors showing that they meet the same security requirements?

Fines for data breaches can be staggering.

  1. In 2017 a dentist was fined $12,000.00, and he thought he was in compliance.
  2. In 2012 Beth Israel was fined $100,000.00.
  3. An orthopedic clinic failed to execute a business associate agreement prior to turning over 17,300 patients’ PHI to a potential business partner. The settlement included a monetary payment of $750,000 and a comprehensive corrective action plan.
  4. A 12-physician pediatric and adult dermatology practice group paid $150,000 for alleged HIPAA violations arising out of a lost, unencrypted flash drive containing protected health information (PHI).
  5. Fines for PCI breaches are no less painful.

In the past two years alone the U.S. Dept. of Health and Human Services has started proceedings against 6000 businesses for violations.

In order to avoid exposing sensitive information to malicious attackers, companies need to stay vigilant.

  • Employees must be trained, and keep that training current, so they don’t incorrectly disclose PHI.
  • Risk assessments must occur on a regular basis in order to identify system vulnerabilities. Find any issues before a hacker does.
  • All vendors must be comprehensively reviewed to ensure that they’re trustworthy.

Completing all three of these preparations will show that you’re making your best effort to protect your patients’ or customers’ privacy by maintaining security throughout your business. Although data breaches can still occur due to situations outside of your control, staying prepared by investing in a secure network and employee training ensures you’re adhering to the Minimum Necessary Standard.

So, what does it cost to become either HIPAA or PCI compliant? The cost is a pittance compared to the cost of a single data breach.

Remember, don’t get burned. Before you or your company becomes an expensive statistic, let Parsec Systems sit down and review your current strategy (if you have one), and get you started on a road to keep you safe.


Tom Lopolito owns and runs Parsec Systems Inc., an IT support and consulting company that’s been providing service in the Boston area since 2003. He can be reached at tom@parsecsystems.net for questions and comments.