Security Compliance is Essential for You and Your Business Partners

Second of a two-part series

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and other government regulations are fairly well-understood. But maintaining compliance is becoming increasingly complex, especially as companies shift to next-generation computing models like hosted cloud services, shared networking and digitization of vast amounts of data.

In fact, last year two health care organizations—New York and Presbyterian Hospital and Columbia University—agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network. They paid $4.8 million to settle the complaint. The two hospitals operate a shared data network and firewall, and because of a lack of technical safeguards, the ePHI became accessible to Internet search engines and hence the public.

This is why it’s critical to understand the compliance policies and practices of those companies with whom you partner, including service providers. After all, sharing data, systems and networks also means sharing the burden of compliance. Here are three key regulations you should be discussing with your partners and service providers:

1. The Sarbanes-Oxley (SOX) Act

The act establishes a set of requirements for financial systems to deter fraud and increase corporate accountability. IT systems are central to any financial operation and fall under the purview of the act. The regulations require audit trails showing who logged in and out of systems and when, what access to and modifications of files took place, and what authorizations were in effect. What’s important to know is that SOX clearly states that a company is responsible for any accounting or financial wrongdoing, even if it is the result of a third party, such as a cloud service provider. When assessing a potential provider, make sure it has all of the necessary processes and controls in place to ensure SOX compliance. The provider should also be able to demonstrate that it regularly audits its systems and policies for compliance.

2. HIPAA Compliance for Electronic Protected Health Information (ePHI)

If you handle health information, you have to meet the requirements of the HIPAA Privacy Rule, which establishes a set of national standards for the use and disclosure of individually identifiable health information. If any of that protected health information moves into the cloud, it still has to meet the HIPAA Privacy Rule, which requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of ePHI. Ask any potential provider what HIPAA policies it has in place, whether it has dedicated HIPAA staff, and what encryption technologies it uses. Find out about access controls, offsite backups, disaster recovery and audit procedures.

3. Data Protection for Information Sharing with EU Entities

The Safe Harbor data-transfer agreement, which for about 15 years has governed data flows between entities in the European Union and the United States, is in limbo. Earlier this month the European Court of Justice declared the agreement invalid. Cloud providers should be diligently working through the unrest, especially if they are processing EU data in the U.S. Until new guidance or a Safe Harbor alternative emerges, ask your provider what its plans are. Is the provider adopting stronger encryption? If it is a global provider, will it only process regional data at the corresponding regional data centers (and can it actually do that)?

As companies come into possession of increasing amounts of customer data, their legal liability to protect that data will increase. And as networks and information sharing between partners increases, the need for all parties to be in compliance with key policies and best practices will increase. As the old adage states, you are judged by the company you keep.

Learn about Masergy’s compliance testing services.

About Craig D'Abreo

VP, Security Operations, Masergy
Craig oversees the Managed Security, Threat Intelligence and Security Professional Services departments at Masergy. He is responsible for Masergy’s proactive enterprise cybersecurity threat management and operations program. Craig holds a bachelor’s degree in Computer Science and an MBA in Information Security. He is a Certified Information Systems Security Professional (CISSP) with over a decade of experience in the security industry and holds various network security certifications. He has written for various security blogs, spoken on a range of industry panels and is a recognized thought leader in the cybersecurity space.