Abstract:
The key points of this research essay are to explain to Sara and Bob the importance of HIPAA and PCI DSS compliance, including the legal and regulatory documentation that underpins it behind the scenes. The questions to be answered during the research are the following: What is HIPAA, and how does it relate to business objectives? What IT products and/or services help with HIPAA compliance? What is PCI DSS, and how does it relate to business objectives? What IT products and/or services help with PCI DSS compliance? Are there legal responsibilities when adopting IT for HIPAA and/or PCI DSS? Are there ethical responsibilities when adopting IT for HIPAA and/or PCI DSS? To understand the risks, what happens if HIPAA is violated? To understand the risks, what happens if there is a credit card breach? What other acts, laws, regulations, or rules do you need to know? If your company branches out to other countries, what are the implications? The participants are the IT Director, who performs the research, and the three main managers, who will read over the contents to become familiar with the information.
Keywords: HIPAA, PCI DSS.
Secure Information
Working with hospitals, call centers, software companies, help desks, and many other positions, you will come across the need to understand HIPAA compliance, and this extends beyond the hospital workforce of nurses, doctors, and labs to other positions as well. PCI DSS likewise applies to numerous positions across the workforce, whether business owners, help desk staff, system engineers, or one of the few higher up in the corporation. With today's technology, users have the ability to access their medical files directly from their mobile device. It is recommended, however, that the mobile device be secured while doing so: do not save passwords on the device, install security software for the device where possible, and ensure you have a strong enough password before accessing the app or web portal. (Terry, 2015)
Understanding HIPAA
HIPAA is the Health Insurance Portability and Accountability Act of 1996, legislation within the United States of America that protects a citizen's medical privacy (Rouse, 2017). It was also intended to ensure that patient data would be protected and secured thereafter through the provision of safeguards for medical information. The HIPAA act was signed by President Bill Clinton on August 21, 1996. Since recent health data and business breaches were caused by malicious cyberattacks, it is best to protect the business with information technology security. Therefore, any business or location that stores health data should ensure the information inside the server is protected, according to the HIPAA compliance laws. Considering that the CARE4ALL Distributors servers contain patient data, to meet their business objectives they must abide by HIPAA's compliance laws. (Jim Q. Chen, 2017)
When it comes to HIPAA compliance, there are many products and services within information technology that can help maintain the safety and security the compliance program requires. These include hardware firewalls set up specifically to block all incoming and outgoing traffic except that of employees; software firewalls set up the same way, with a bit of extra security since employees will be working from home; anti-virus/anti-malware programs to avoid infection by any type of malicious software; and an information technology policy that strictly prohibits any type of unauthorized usage onsite or offsite, while containing the entire HIPAA compliance agreement. This includes not letting anyone other than the employee use their computer, even at home. Any information they may see while working is confidential and should not be repeated, no matter the cost. Even if they know the person and think this person should know the information they saw, it should not be repeated to them at all. (Spandorfer, 2016)
Understanding PCI DSS
When cyber criminals started becoming interested in attacking credit card systems, it was time to start protecting and securing point of sale terminal systems. Therefore the PCI DSS came into play: PCI (Payment Card Industry) DSS (Data Security Standard). Staying in compliance with the PCI DSS avoids vulnerabilities and allows businesses to protect cardholder data. There are standards set for the point of sale system (hardware) and for the software system used. Then, when the data is sent from the payment system (credit card terminal) across the network to the merchant, another set of standards is used to ensure the system is fully operational and secure. This affects the business objectives, as we will need to be sure our system is PCI DSS compliant. We do not want any of our customers' data stolen and used maliciously. (Clapper & Richmond, 2016)
As with HIPAA compliance, PCI DSS will require the same secure network, with small modifications. The hardware firewall will be set up at the main business location and configured to ensure no incoming or outgoing malicious traffic is allowed, for example by prohibiting any type of direct access to the router itself unless the specific port number it is hidden on is known. Next, we will prohibit employees and anyone on the network from having direct access between cardholder data, system components, and the internet. Each employee-owned device, including but not limited to computers, laptops, mobile devices, tablets, and cell phones, will have a software firewall installed to ensure the security of the network. All equipment supplied by vendors will need its passwords changed to ensure the strength of those passwords. Every device will be updated to ensure everything is up to date, and strong cryptography will be used to encrypt all non-console administrative access to every device. (PCI Security Standards Council, 2010)
Legal and Ethical Responsibilities
There are legal responsibilities the business must consider when adopting such information technology for HIPAA and/or PCI DSS. If for some reason the data being protected is breached and that information is taken by a hacker, the hacker has the ability to do whatever he or she pleases with the health data or credit card information, and the business is held legally liable for the data that was taken. These costs can be extremely high and extensive, even when the information remains significant. Therefore, if it is a large breach and it reaches the public through the media, the case becomes even costlier. If the breach is of interest to the federal government, the FTC (Federal Trade Commission) will investigate further to ensure the data breach was not the fault of the company. (Willey & White, 2013)
When a corporation hires an employee, it expects them to follow certain ethical responsibilities, as written in the employee handbook. Any company or corporation that works with specialized data covered under HIPAA or PCI DSS is responsible for the employee's actions with that data. For instance, if a new employee were to gain access to the data and share the information with friends, this would be unethical of them, especially if the employee or the employee's friend were to use this information for illegal purposes or personal gain. There are more specialized cases where ethics play a larger role, but even the smallest instances can cause a problem.
Potential Risks
There are many potential risks when it comes to HIPAA security and overall privacy within a corporation. If there is any type of violation of HIPAA, there will be an investigation to check the damage of the HIPAA breach. If, for instance, the breach is determined to present a low probability of any compromise of the data, then the corporation will be responsible for patching the breach and replacing any data loss, and will receive a minimum violation fine of $50,000. Depending on the investigation and the level of the breach and the risks involved, the violation fines can be much higher, such as $1.5 million. The Office for Civil Rights is responsible for the entire enforcement of HIPAA's privacy and security rules, including the investigation. (Cascardo, 2014)
Studies have shown that credit card breaches are more likely to happen when the company is a smaller business. When there is a risk such as a credit card breach within a company, further investigation is required to ensure there was not a full data breach. Once they are able to confirm whether there was a data breach or whether it was specifically one credit card, they have to check PCI compliance. Small merchants have to prove that they are PCI compliant by performing a self-assessment of their entire system. Larger companies are required to hire a Qualified Security Assessor (QSA) to validate their compliance and produce a Report on Compliance (ROC). (Clapper & Richmond, 2016)
Conclusion and Related Topics
Corporations need to be aware of many other regulations, rules, acts, and laws to ensure the security and privacy of data. Just like every citizen of the United States of America, businesses have to abide by the same laws and regulations, although there are quite a few more acts and laws that businesses must follow to protect the company, its employees, and its products and services. Filing taxes on a yearly basis is another law businesses have to follow, no matter the size of the business or how long it has been in business, along with reporting employee information to the IRS with the correct documentation (W-2, 1099, and so forth) to ensure that data is reported correctly.
When a company is ready to branch out and expand to other countries to become international, there are many steps and a great deal of paperwork required to fully become an official international company. There may be a trademark protection law that would require the trademark to be registered, to ensure its meaning is understood. Compliance programs such as the U.S. Foreign Corrupt Practices Act (FCPA) specifically prohibit bribery of any foreign government officials and of anyone within public international organizations. Any item imported or exported is also subject to law regulated through customs; the U.S. government has restrictions against importing from and exporting to certain countries, so keep this in mind. It is highly suggested to hire someone who is well aware of all the laws and regulations, considering that there are substantial consequences, including possible suspension of exporting and importing privileges. (Andrew J. Sherman, 2001)
References
Andrew J. Sherman, D. S. (2001, July 16). Expanding Abroad III: Legal Issues. Kauffman, 1. Retrieved November 3, 2017, from https://www.entrepreneurship.org/articles/2001/07/expanding-abroad-iii-legal-issues
Cascardo, D. (2014). HIPAA investigation risks are increasing: Make sure to avoid the "Wall of Shame". Management Briefs, 119-123.
Clapper, D., & Richmond, W. (2016). Small business compliance with PCI DSS. Journal of Management Information and Decision Sciences, 19(1), 54-67.
Jim Q. Chen, A. B. (2017). HIPAA security compliance challenges: The case for small healthcare providers. International Journal of Healthcare Management, 10(2), 135-145.
PCI Security Standards Council. (2010). Understanding the payment card industry. PCI DSS Quick Reference Guide, 34.
Rouse, M. (2017, October 27). HIPAA (health insurance portability and accountability act). Retrieved from Search Health IT Tech Target: http://searchhealthit.techtarget.com/definition/HIPAA
Spandorfer, J. L. (2016). HIPAA compliance and training: A perfect storm for professionalism education? The Journal of Law, Medicine & Ethics, 652-656. doi:10.1177/1073110516684812
Terry, M. (2015). HIPAA and your mobile devices. Podiatry Management, 99-104. Retrieved from www.podiatrym.com
Willey, L., & White, B. J. (2013). Do you take credit cards? Security and compliance for the credit card payment industry. Journal of Information Systems Education, 24(3), 181-188.