The HIPAA Omnibus Final Rule, released January 2013, introduced some significant changes and updates. The 2012 HIPAA audits, performed by KPMG, concluded with some initial findings released by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). These two events may affect how you govern your internal organization and network for patient privacy and protection of PHI.
Here are nine network considerations to address in the new HIPAA landscape. I will discuss the first consideration in this blog.
HIPAA Audits will continue
The HIPAA Audit Protocol and NIST 800-66 are your best preparation
Knowledge is a powerful weapon―know where your PHI is
Ignorance is not bliss
Risk Assessment drives your baseline
Risk Management is continuous
Security best practices are essential
Breach discovery times: know your discovery tolerance
Last week, we sat down with Bart McGlothin and Christian Janoff from Cisco’s security team to discuss PCI Security for Retail to better understand “What is PCI Compliance?” and “How does that affect Retailers?”
As a quick recap: PCI Compliance is a 12-step process to secure credit card data. Any retailer that accepts credit card payments must be “PCI Compliant” (i.e., follow those 12 steps). Compliance is enforced by the Retailer’s acquiring bank (the financial institution that processes the credit card payments for the Retailer).
Q. So, we know that Retailers need to be PCI Compliant. How can Cisco help?
A. Cisco has a PCI design and implementation guide for merchants to use. It really stands alone in the industry because it provides holistic guidance in three key ways:
A common perception is that there is a difference between being secure and being compliant. A Verizon analysis on cybercrime reported that cyber-attacks on Retailers are increasing and becoming streamlined and automated. According to the 2012 Verizon PCI compliance report, “97% of breaches were avoidable through simple or intermediate controls”. How does a Retailer protect itself? One method is through PCI Compliance. Does that sound contradictory to that common perception?
Join Cisco on April 16th, 2013 10:00am PT for a webcast on PCI compliance and security with guests from Ponemon Institute, Verizon Business and PCI Security Standards Council.
As part of the planning of the webcast, we sat down with Bart McGlothin and Christian Janoff from Cisco’s security team to discuss PCI compliance and security for retail and get some answers. Here’s what we learned:
As a frequent attendee of the US RSA Conference in the past, this year I had the opportunity to work in the Cisco booth on the exhibition floor. This year’s RSA event was very busy; it seemed like there was a continuous flow of people and energy across the show floor. I had the pleasure of staffing Cisco’s Compliance Solution demonstration where we test people’s knowledge of PCI compliance. This is one of my favorite demos/stations to operate because it rewards people for their hard-learned knowledge and skill on the topic with a prize instead of the normal random drawing (if you get the highest score in the shortest amount of time, you’re the winner!). I was surprised by the number of attendees that did not want to take our quiz. Was it a fear of being put on the spot? Or were they just not very knowledgeable about PCI? I consider the RSA conference a security-minded conference and thought a solid business driver like PCI Compliance would be front and center for many security professionals who often have to justify security purchases. Further, given the proliferation of data breaches across all industry segments, this should be a top-of-mind topic. Many industries outside of retail accept credit cards for payment of services and products (e.g., hospital co-pays, DMV fees, city permits, insurance payments, hotels, transit stations), so when all three days of the quiz were won by retailers I was a bit surprised. I would have expected a few security vendors or professionals to have won at least one day!
Anyone who has been involved with compliance knows that simplifying complexity is the key to maintaining a secure and compliant organization. It’s become quite apparent that sustaining compliance is a marathon, and the journey must be travelled with vigilance. This is not something that is an endpoint or a task, that once accomplished, can be shelved and forgotten; therefore, it is very helpful for merchants, who wish to become compliant or maintain compliance, to purchase solutions that are “certified.”
The fact that you are purchasing a product that’s already been validated as secure and “capable” of being compliant reduces the complexity and uncertainty associated with big-ticket items. Adding new credit card readers or a payment application in your stores is expensive, and knowing that these products are validated by the Payment Card Industry (PCI) Council gives merchants confidence that they’re making a wise and secure decision.