2. PCI DSS
Companies that process credit card transactions are required to comply
with the Payment Card Industry (PCI) Data Security Standard (DSS) as
evidenced through third-party assessments and/or self-assessments
depending on the volume of card processing activity. These requirements
apply whether cardholder data is processed and stored by the company or
by a third party.
PCI DSS contains the following set of 12 high-level requirements
that are supported by a series of more detailed requirements:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data based on the business’s need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
2.1. Cloud computing impact of PCI DSS
Organizations are also required to ensure that their contracts
with third-party service providers include PCI DSS compliance where
such service providers store or process cardholder data. In a cloud
environment, the organization and the supporting CSP should clearly
define their responsibilities for protection of cardholder data,
whether those responsibilities are shared or can be attributed to one
party.
A fundamental component of PCI DSS is the need to segment
systems and networks that store or process cardholder data from other
systems and networks. Limiting the number of systems that process or
store cardholder data, and isolating them on separate network
segments, has the dual benefit of reducing exposure to breaches and
narrowing the scope of systems that must be assessed for compliance,
because the PCI DSS requirements apply only to systems used to store
or process cardholder data. If the CSP provides services that include
processing of credit card transactions, it is important that the CSP
clearly define its information flows and segment credit card
processing and storage activities from its other activities, thereby
narrowing the scope of the infrastructure that would be subject to PCI
compliance requirements. In addition, end-to-end encryption of
sensitive data, such as cardholder data, is a desirable approach to
mitigate risk.
From the perspective of a CSP, it is important to be aware of
the PCI requirements. Although it is important for organizations to
take a programmatic approach to PCI compliance, it is equally
important for a CSP to do the same where the CSP supports processing
of credit card transactions. The ultimate objective of PCI is to
protect cardholder data, prevent breaches, and quickly contain a
breach if it occurs. These objectives, as applied to all sensitive
data, ring true for the cloud computing environment as well.
3. HIPAA
Entities that process protected health information (PHI) are required to comply
with the security and privacy requirements established in support of
HIPAA. The HIPAA security and privacy rules focus on health plans,
health care clearinghouses, health care providers, and system
vendors.
The following is a summary of the topics addressed by the HIPAA
Security Standards.
3.1. Administrative safeguards
Security management process
    Risk analysis
    Risk management
    Sanction policy
    Information system activity review
3.2. Assigned security responsibility
Workforce security
    Authorization and/or supervision
    Workforce clearance procedure
    Termination procedures
Information access management
    Isolation of health care clearinghouse function
    Access authorization
    Access establishment and modification
Security awareness and training
    Security reminders
    Protection from malicious software
    Log-in monitoring
    Password management
Security incident procedures
    Response and reporting
Contingency plan
    Data backup plan
    Disaster recovery plan
    Emergency mode operation plan
    Testing and revision procedure
    Applications and data criticality analysis
Evaluation
Business associate contracts and other arrangements
    Written contract or other arrangement
3.3. Physical safeguards
Facility access controls
    Contingency operations
    Facility security plan
    Access control and validation procedures
    Maintenance records
Workstation use
Workstation security
Device and media controls
    Disposal
    Media reuse
    Accountability
    Data backup and storage
3.4. Technical safeguards
Access control
    Unique user identification
    Emergency access procedure
    Automatic logoff
    Encryption and decryption
Audit controls
Integrity
    Mechanism to authenticate electronic PHI
Person or entity authentication
Transmission security
    Integrity controls
    Encryption
The following is a high-level summary of the topics addressed in
the HIPAA Privacy Standards.
3.5. Summary of HIPAA privacy standards
Uses and disclosures of PHI: General rules
Uses and disclosures: Organizational requirements
Consent for uses or disclosures to carry out treatment, payment, and health care operations
Uses and disclosures for which an authorization is required
Uses and disclosures requiring an opportunity for the individual to agree or to object
Uses and disclosures for which consent, an authorization, or an opportunity to agree or object is not required
Other procedural requirements relating to uses and disclosures of PHI
Notice of privacy practices for PHI
Rights to request privacy protection for PHI
Access of individuals to PHI
Amendment of PHI
Accounting of disclosures of PHI
Administrative requirements
Transition requirements
3.6. Cloud computing impact of HIPAA
The HIPAA security and privacy rules emphasize health
organizations’ (covered entities) obligations to ensure that
individually identifiable health information (PHI) is adequately
protected when entrusted to business associates (e.g., third-party
service providers).
The level of security afforded particular electronic PHI should
not decrease just because the covered entity has made the business
decision to entrust a business associate with using or disclosing that
information in connection with the performance of certain functions
instead of performing those functions itself.
Business associate agreements (contracts) are generally used by
organizations to extend the HIPAA requirements to their third-party
service providers that process or store health information.
Accordingly, where the CSP processes or stores individually
identifiable health information on behalf of entities that are subject
to HIPAA, the HIPAA security and privacy requirements apply. In
addition, further regulations regarding the protection of health
information and breach notification requirements are under development
in support of the 2009 Health Information Technology for Economic and
Clinical Health (HITECH) Act.
As the move toward electronic medical records accelerates, CSPs
serving the health care industry should be mindful of these emerging
requirements. A GRC program can provide a strong foundation to
adequately safeguard sensitive medical information and a means to
effectively address new requirements.