
Some Information on Regulatory Compliance Requirements

Health Insurance Portability and Accountability Act (HIPAA) Compliance

Protecting Confidential Patient Health Information

The widespread adoption of measures like electronic health records and a national healthcare network for transmitting patient information throughout the healthcare industry can provide countless benefits to healthcare professionals and especially to patients. Yet these technological advances can't be employed unless Americans are assured that their sensitive health information will be protected.

So in 2003, the U.S. Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) executed formal measures to help protect sensitive health information. HHS adopted the final rule of standards for the security of electronic protected health information—the Health Insurance Portability and Accountability Act (HIPAA)—to be implemented by health plans, healthcare clearinghouses, and certain healthcare providers.

Since 2003, the HHS Office of Inspector General (OIG) has actively monitored and enforced compliance with HIPAA. For example, out of 29,000 cases reported to HHS since April 2003, about 17 percent resulted in some type of enforcement activity:

Sarbanes-Oxley Act (SOX)

Aligning Security Best Practices and Proactive Risk Management with Your Organization's SOX Objectives

The 2002 Sarbanes-Oxley Act (SOX) is designed to protect investors by improving the accuracy and reliability of corporate disclosures made in accordance with securities laws. SOX standards must be followed, or strict penalties for noncompliance can result. The federal government continues to refine SOX mandates, and in 2007, the U.S. Securities and Exchange Commission (SEC) approved a new auditing standard for internal controls. As part of this new standard, the SEC and the Public Company Accounting Oversight Board (PCAOB) are encouraging auditors to consider a risk-based approach in evaluating the internal controls over financial reporting of public companies.

This new standard requires going beyond monitoring security events from the network level. Now you should monitor and secure compliance-related data and applications throughout your enterprise by monitoring at both the application level and network activity level. Monitoring user activity is particularly important for maintaining separation of duties, and most important of all, for adopting a true policy-driven security program.

Payment Card Industry (PCI) Compliance

Implementing Best Practices for PCI: Preventing Data Breaches and Safeguarding Critical Data

Companies with responsibility for consumer credit card information face an ongoing challenge to ensure the integrity and security of credit card data. In 2005, information security accountability intensified for merchants and payment service providers when the Payment Card Industry (PCI) Data Security Standard was introduced worldwide. Since then, all merchants and service providers that store, process, or transmit credit card data must comply with the PCI mandates or face costly consequences such as:

  • Fines of $5,000 to $25,000 a month for each merchant who does not validate PCI compliance
  • An estimated 78 percent of consumers declining to shop where a breach occurs
  • The cost of a fraudulent or erroneous data breach ranging from $182 to $350 per data record
  • Merchants facing the possibility of bankruptcy without the appropriate data security practices in place to maintain PCI compliance

Gramm-Leach-Bliley Act (GLBA) Compliance

Safeguarding Personal Financial Information

The 1999 Gramm-Leach-Bliley Act (GLBA) requires financial institutions to develop, implement, and maintain a comprehensive written information security program that protects the privacy and integrity of customer records. The Federal Financial Institutions Examination Council (FFIEC) recently updated the GLBA information security standards. These new mandates emphasize the need for each bank, thrift, and credit union agency to adopt a proactive information security and technology risk management capability. By doing so, your institution can protect information, applications, databases, and the network as part of a comprehensive information security program.

FFIEC Calls for Proactive Security

Banking regulators now require financial institutions to evolve beyond point-security products. You must now employ an integrated security strategy that establishes perimeter security as well as security inside the network and among all databases, applications, and endpoint devices such as laptops, PCs, wired and wireless devices, PDAs, and more. All devices on your network must:

  • Collaborate to ensure proactive security is working effectively
  • Adapt in real time to your institution's changing risk profile and to new security threat events as they occur

Federal Information Security Management Act (FISMA) Compliance

Ensuring the Integrity, Confidentiality, and Availability of Critical Federal Data

The 2002 Federal Information Security Management Act (FISMA) was enacted to streamline—while at the same time strengthening—the requirements of its predecessor, the Government Information Security Reform Act (GISRA). FISMA compliance is a matter of national security, and therefore is scrutinized at the highest level of government. Yet FISMA compliance presents significant challenges for federal agencies, and for any organization that deals with federal information.

FISMA requires federal agencies to improve the security of IT systems, applications, and databases. By presenting a baseline of requirements for government agencies, FISMA calls for risk and vulnerability measurement through information security best practices. This way, agencies can ensure the integrity, confidentiality, and availability of federal information systems. Eight steps for successful FISMA compliance include:

  • Risk assessment
  • Incident response
  • Intrusion detection systems and tools
  • Malicious code prevention
  • Individual identification and authentication
  • Change activity monitoring
  • Logging and audit controls
  • Supervision and review