Last week we addressed the importance of implementing a Disaster Recovery plan under your own Business Continuity program. And as we mentioned previously, this is a necessity under most, if not all, compliance requirements. The next question is, do you know what it means to maintain compliance?
Last week in The Ping: State of Cybersecurity, we spoke about the rise of cybercrime. Cyber criminals are continuing to find ways to access both personal and organizational networks. The good news is that there are a few things you can do to help prevent this from happening to you and your company.
For each area of concern with sensitive data, there are published guidelines to follow in order to achieve compliance. Reading and digesting the guidelines in whole can be a difficult task. There are decision-making tools, technical requirement write-ups, security policies, and security procedures to pore through. So, without getting into the nitty-gritty, we want to answer some of the frequently asked questions that come our way.
Criminal Justice Information Services (CJIS)
Criminal Justice Information Services, or CJIS, is a division of the FBI that provides criminal justice information needed to perform law enforcement duties. It “serve[s] as the focal point and central repository for criminal justice information services in the FBI.” – FBI. In Texas this information is disseminated via the DPS and includes details such as vehicle registration, criminal history, driver’s license, license plate, firearm, etc. Because this information is highly sensitive and needs to be protected, CJIS provides security compliance requirements and performs audits to ensure these requirements are being met. Below are just a few example requirements of the Security Policy…
- Security Awareness Training
- Perimeter Intrusion Detection
- Advanced Authentication
- Maintain Log History
- Change Management
- Device Encryption
Failing a single audit flags an agency as non-compliant. If compliance is not achieved, the agency can lose access to the information and tools needed to perform its duties.
What is compliance? Some of you might be acutely aware of this term, and others might have little to no idea. In broad terms, business compliance means following the rules required to secure your business and the people that interact with it. More specifically, compliance is aimed at information security. Business Compliance means you are complying with requirements by a credible organization or government department that promotes the security and protection of sensitive information.
The Department of Health and Human Services recently published the Final Omnibus Rule which officially implements the HITECH Act under HIPAA. The Final Omnibus Rule will replace the Interim Rule on March 26, 2013 and will significantly raise the bar on patient privacy. By September 23, 2013, all covered entities and business associates will be legally required to be in compliance with HITECH.
Who are these “Covered Entities”?
Any medical office regardless of size, large hospitals, drugstore chains, and large health insurance companies are all covered entities. Offices of all sizes must comply with current regulations. On April 17, 2012, the United States Department of Health and Human Services (“HHS”) announced that its Office of Civil Rights (“OCR”) had reached a settlement with Phoenix Cardiac Surgery, P.C. requiring the practice to pay a $100,000 fine. Phoenix Cardiac Surgery is a five-physician practice in Phoenix, Arizona. The practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.
The biggest changes to the final rule are:
1. Business Associates
Business Associates are now directly liable for compliance with the requirements of HIPAA. Under the Security Rule provisions, they must evaluate their security programs and implement risk management strategies to protect electronic protected health information (PHI).
2. Breach Notification
The “risk of harm” standard used to determine when notification of a security or privacy breach is required has been replaced with the “risk assessment” standard. While the two are similar, a risk assessment is more precise, and it is hypothesized that more breach notifications will be reported as a result.
This is just a small part of the changes needed. If you don’t know where to start then give us a call at 512-832-6209 and we can help.