Friday, May 10, 2019

Secure Information


Abstract:
The main aim of this research essay is to explain to Sara and Bob the importance of HIPAA and PCI DSS compliance, including the legal and regulatory documentation that underlies each.  The research addresses the following questions.  What is HIPAA, and how does it relate to business objectives?  What IT products and/or services help with HIPAA compliance?  What is PCI DSS, and how does it relate to business objectives?  What IT products and/or services help with PCI DSS compliance?  Are there legal responsibilities when adopting IT for HIPAA and/or PCI DSS?  Are there ethical responsibilities when adopting IT for HIPAA and/or PCI DSS?  As a way to understand the risks, what happens if HIPAA is violated?  As a way to understand the risks, what happens if there is a credit card breach?  What other acts, laws, regulations, or rules does the company need to know?  If the company branches out to other countries, what are the implications?  The participants are the IT Director, who performs the research, and the three main managers, who will read the results to become familiar with the information.
Keywords: HIPAA, PCI DSS.





Secure Information
Anyone working in hospitals, call centers, software companies, help desks, and many other positions will come across the need to understand HIPAA compliance, and the same is true from nurses, doctors, and laboratory staff through to positions outside the hospital workforce.  PCI DSS likewise applies to numerous positions across the workforce, whether business owners, help desk staff, system engineers, or senior management.  With today's technology, patients can access their medical records directly from a mobile device.  When they do, the recommendation is to keep the device secure: do not save passwords on the device, install security software where possible, and use a sufficiently strong password before accessing the app or web portal (Terry, 2015).
Understanding HIPAA
HIPAA, the Health Insurance Portability and Accountability Act of 1996, is United States legislation that protects a citizen's medical privacy (Rouse, 2017).  It was also intended to ensure that patient data would be protected and secured through safeguards for medical information.  HIPAA was signed by President Bill Clinton on August 21, 1996.  Because recent health data and business breaches have been caused by malicious cyberattacks, it is best to protect the business with information technology security.  Therefore, any business or location that stores health data should protect the information on its servers in accordance with HIPAA's Privacy and Security Rules.  Because CARE4ALL Distributors' servers contain patient data, meeting its business objectives requires abiding by HIPAA (Jim Q. Chen, 2017).
Many information technology products and services can help maintain HIPAA compliance.  Note that the HIPAA Security Rule does not prescribe particular products: it requires a risk analysis and safeguards appropriate to the organization, so the tools below implement those safeguards rather than constituting compliance on their own.  Examples include a hardware firewall configured to deny all incoming and outgoing traffic except what employees need; software (host) firewalls configured the same way, with somewhat stricter settings because employees will be working from home; and anti-virus/anti-malware software to avoid infection by any type of malicious software.  An information technology policy should strictly prohibit any unauthorized use, onsite or offsite, and should incorporate the full HIPAA compliance agreement, including a prohibition on letting anyone other than the employee use the employee's computer, even at home.  Any information employees see while working is confidential and must not be repeated, no matter the cost; even if they know the person involved and believe that person should know what they saw, it must not be repeated (Spandorfer, 2016).
Understanding PCI DSS
When cyber criminals became interested in attacking credit card systems, it became necessary to protect and secure point-of-sale terminal systems.  This is where PCI DSS, the Payment Card Industry Data Security Standard, comes into play.  Staying in compliance with PCI DSS helps businesses avoid vulnerabilities and protect cardholder data.  The Payment Card Industry sets standards for the point-of-sale hardware (the card terminal) and for the payment software used, and a further set of standards covers the data as it travels from the payment terminal across the network to the merchant's systems, to ensure the system is fully operational and secure.  This affects business objectives because we will need to be sure our system is PCI DSS compliant; we do not want any of our customers' data stolen and used maliciously (Clapper & Richmond, 2016).
Staying within PCI DSS requires the same kind of secure network as HIPAA, with a few modifications.  The hardware firewall will be set up at the main business location and configured to block malicious incoming and outgoing traffic.  Administrative access to the router and firewall will be restricted to a dedicated management network with strong authentication; moving the management interface to a nonstandard port only hides it from casual scans and is not a security control on its own, so it is not relied upon.  Next, we will prohibit any direct access between the internet and the systems that store, process, or transmit cardholder data, and limit which employees and system components can reach them.  Every device that connects to the network, including but not limited to desktops, laptops, tablets, and cell phones, whether company-issued or employee-owned, will run a software firewall to protect the network.  All vendor-supplied default passwords on equipment will be changed to strong passwords, and every device will be kept fully patched and up to date.  All non-console administrative access (for example, SSH or HTTPS instead of telnet or HTTP) will be encrypted using strong cryptography (PCI Security Standards Council, 2010).
Legal and Ethical Responsibilities
There are legal responsibilities to consider when adopting information technology for HIPAA and/or PCI DSS.  If the data being protected is breached and taken by an attacker, the attacker can do whatever he or she pleases with the health or credit card information, and the business is held legally liable for the data that was taken.  These costs can be extremely high and far-reaching.  If the breach is large and reaches the public through the media, the case becomes even costlier.  If the breach attracts the interest of the federal government, the FTC (Federal Trade Commission) may investigate further to determine whether the company was at fault (Willey & White, 2013).
When a corporation hires an employee, it expects the employee to follow the ethical responsibilities written in the employee handbook.  Any company or corporation that works with specialized data covered under HIPAA or PCI DSS is responsible for its employees' actions with that data.  For instance, if a new employee gained access to the data and shared it with friends, that would be unethical, especially if the employee or the friend used the information for illegal purposes or personal gain.  There are more specialized cases where ethics play a larger role, but even the smallest instances can cause a problem.
Potential Risks
There are many potential risks to HIPAA security and overall privacy within a corporation.  Any HIPAA violation triggers an investigation to assess the damage.  Under the Breach Notification Rule, an incident in which the risk assessment shows a low probability that the data was compromised may not have to be reported as a breach, but the corporation is still responsible for remediating the weakness and recovering any lost data.  Where a violation is found, civil penalties are tiered by culpability and can reach $50,000 per violation, with an annual cap of $1.5 million for identical violations, depending on the investigation and the level of risk involved.  The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services is responsible for enforcing HIPAA's Privacy and Security Rules, including conducting the investigation (Cascardo, 2014).
Studies have shown that credit card breaches are more likely to happen at smaller businesses.  When a company suffers a credit card breach, further investigation is required to determine whether it was a full data breach or limited to a single card, and in either case the company's PCI DSS compliance is checked.  Small merchants must demonstrate compliance by completing a Self-Assessment Questionnaire (SAQ) covering their entire system, while larger companies are required to hire a Qualified Security Assessor (QSA) to validate their compliance and produce a Report on Compliance (ROC) (Clapper & Richmond, 2016).
Conclusion and Related Topics
Corporations need to be aware of many other regulations, rules, acts, and laws to ensure the security and privacy of data.  Businesses must abide by the same laws and regulations as every citizen of the United States, and there are quite a few additional acts and laws that businesses must follow to protect the company, its employees, and its products and services.  Filing taxes yearly is one obligation every business has, regardless of its size or how long it has been in business, as is reporting employees' information to the IRS with the correct documentation (W-2, 1099, and so forth) so that their data is reported correctly.
When a company is ready to branch out to other countries and become international, there are many steps and a great deal of paperwork before it is officially considered an international company.  Trademark protection laws may require the trademark to be registered before it is protected.  Compliance programs such as the U.S. Foreign Corrupt Practices Act (FCPA) specifically prohibit bribery of foreign government officials and officials of public international organizations.  Any item imported or exported is also subject to customs regulations, and the U.S. government restricts importing from and exporting to certain countries, so keep this in mind.  It is highly advisable to hire someone who is well versed in all of these laws and regulations, since the consequences can be substantial, including possible suspension of exporting and importing privileges (Andrew J. Sherman, 2001).



References
Andrew J. Sherman, D. S. (2001, July 16). Expanding Abroad III: Legal Issues. Kauffman, 1. Retrieved November 3, 2017, from https://www.entrepreneurship.org/articles/2001/07/expanding-abroad-iii-legal-issues
Cascardo, D. (2014). HIPAA investigation risks are increasing: Make sure to avoid the "Wall of Shame". Management Briefs, 119-123.
Clapper, D., & Richmond, W. (2016). Small business compliance with PCI DSS. Journal of Management Information and Decision Sciences, 19(1), 54-67.
Jim Q. Chen, A. B. (2017). HIPAA security compliance challenges: The case for small healthcare providers. International Journal of Healthcare Management, 10(2), 135-145.
PCI Security Standards Council. (2010). Understanding the payment card industry. PCI DSS Quick Reference Guide, 34.
Rouse, M. (2017, October 27). HIPAA (health insurance portability and accountability act). Retrieved from Search Health IT Tech Target: http://searchhealthit.techtarget.com/definition/HIPAA
Spandorfer, J. L. (2016). HIPAA compliance and training: A perfect storm for professionalism education? The Journal of Law, Medicine & Ethics, 652-656. doi:10.1177/1073110516684812
Terry, M. (2015). HIPAA and your mobile devices. Podiatry Management, 99-104. Retrieved from www.podiatrym.com
Willey, L., & White, B. J. (2013). Do you take credit cards? Security and compliance for the credit card payment industry. Journal of Information Systems Education, 24(3), 181-188.

Monday, April 1, 2019

Physical Model



While looking over the logical model, I was able to implement a physical model through hard work and determination.  Using each piece of information from the logical model and how it is organized allowed me to build the physical model easily.  The physical model shows everything from each family member's first name to their gender and whether they are going to drink alcohol.  While building the physical model I decided to remove a few unnecessary fields that I had originally thought would carry over from the logical model.
Within the logical model each entity contains attributes; for example, family member is an entity and first name is one of its attributes.  This made it fairly easy to build the physical model with the logical model as a guide: each column is a field from one of the logical model's entities.  When planning and organizing a family reunion there are only a few things to keep in mind when designing a physical model for the database: family, location, and relaxation.  With those key concerns in mind I identified my three main tables for the physical model, family member, reunion, and cabin, each containing important information for planning and organizing the family reunion smoothly.
The characters stored in each attribute determined its data type.  For example, first name uses the short text data type, which holds up to 255 characters; I used the same data type for last name.  For the phone number column I also chose short text, even though most people would expect a number data type: each part of the phone number is separated by dashes, so the field must accept something other than digits, which requires a text type.  The address field uses the long text data type; it mixes numerals and alphabetic characters, so it needs a text type, and long text allows entries longer than 255 characters.
For the gender column I chose short text, as it will not exceed 255 characters.  The attending column uses the yes/no data type, so when a family member responds that they are attending it is a simple entry on the form.  A guests column with the number data type records how many guests the family member is bringing, followed by a total attending column, also a number.  Next are the food column, for what they choose to eat while attending the reunion, and the beverage column, for what they will drink, both long text.  Last but definitely not least is the alcohol column, a yes/no data type indicating whether they plan to drink alcoholic beverages at the family reunion.
Overall, after much consideration I have concluded that the snapshots of my physical model below are a great start.  I am sure I will make changes to it at some point, whether drastic or simple; this is definitely not the last of the modifications.  I cannot wait to move forward with implementing this database and possibly using it as a template for future family reunions.
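The physical model described above, expressed as a runnable schema.  This is an added example and not the post's own Access database: it uses SQLite (standard-library sqlite3) so it runs anywhere, and it maps the Access data types as short text to VARCHAR(255), long text to TEXT, yes/no to INTEGER 0/1, and number to INTEGER.  The family member columns follow the post; the columns of the reunion and cabin tables, the link from a member to a cabin, and the 555-123-4567 phone format are assumptions, since the post names only the tables.  It also shows two things the post does not: the phone number validated as text (the reason it is not a number column), and every value bound as a query parameter so that a name containing a quote or SQL is stored as data rather than executed.

```python
"""Family-reunion physical model as a runnable SQLite schema (added example).

Table and column names follow the post; the reunion and cabin columns, the
member-to-cabin link, and the phone format are assumptions.
"""
import re
import sqlite3

# Assumed North American format; the post only says the parts are dash-separated.
PHONE_RE = re.compile(r"\d{3}-\d{3}-\d{4}")

SCHEMA = """
CREATE TABLE reunion (                      -- assumed columns
    reunion_id INTEGER PRIMARY KEY,
    year       INTEGER NOT NULL,
    location   VARCHAR(255) NOT NULL
);
CREATE TABLE cabin (                        -- assumed columns
    cabin_id   INTEGER PRIMARY KEY,
    reunion_id INTEGER NOT NULL REFERENCES reunion(reunion_id),
    name       VARCHAR(255) NOT NULL,
    capacity   INTEGER NOT NULL CHECK (capacity > 0)
);
CREATE TABLE family_member (
    member_id  INTEGER PRIMARY KEY,
    -- SQLite ignores the declared length, so the 255-character limit of
    -- Access short text is enforced with CHECK constraints.
    first_name VARCHAR(255) NOT NULL CHECK (length(first_name) <= 255),
    last_name  VARCHAR(255) NOT NULL CHECK (length(last_name) <= 255),
    phone      VARCHAR(255) CHECK (length(phone) <= 255),    -- short text
    address    TEXT,                                          -- long text
    gender     VARCHAR(255) CHECK (length(gender) <= 255),   -- short text
    attending  INTEGER NOT NULL DEFAULT 0 CHECK (attending IN (0, 1)),  -- yes/no
    guests     INTEGER NOT NULL DEFAULT 0 CHECK (guests >= 0),          -- number
    food       TEXT,                                          -- long text
    beverage   TEXT,                                          -- long text
    alcohol    INTEGER NOT NULL DEFAULT 0 CHECK (alcohol IN (0, 1)),    -- yes/no
    cabin_id   INTEGER REFERENCES cabin(cabin_id)             -- assumed link
);
"""


def open_db() -> sqlite3.Connection:
    """Create an empty in-memory database with the schema above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def add_member(conn, first, last, phone, address, gender, attending, guests,
               food, beverage, alcohol, cabin_id=None) -> int:
    """Insert one family member and return its member_id.

    The phone number is validated as text (dashes are not digits).  Values
    are bound as parameters, so a name such as O'Brien, or one containing
    SQL, is stored verbatim and never becomes part of the statement.
    """
    if phone is not None and not PHONE_RE.fullmatch(phone):
        raise ValueError(f"phone must look like 555-123-4567, got {phone!r}")
    cur = conn.execute(
        "INSERT INTO family_member (first_name, last_name, phone, address, gender,"
        " attending, guests, food, beverage, alcohol, cabin_id)"
        " VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
        (first, last, phone, address, gender, int(bool(attending)), guests,
         food, beverage, int(bool(alcohol)), cabin_id),
    )
    conn.commit()
    return cur.lastrowid


def total_attending(conn) -> int:
    """Head count: each attending member plus their guests.

    The post stores this as its own column; deriving it from attending and
    guests instead means it can never disagree with them.
    """
    row = conn.execute(
        "SELECT COALESCE(SUM(1 + guests), 0) FROM family_member WHERE attending = 1"
    ).fetchone()
    return row[0]


def build_sample_db() -> sqlite3.Connection:
    """Populate a database with constructed sample rows (not real people)."""
    conn = open_db()
    reunion_id = conn.execute(
        "INSERT INTO reunion (year, location) VALUES (?, ?)", (2019, "Pine Lake")
    ).lastrowid
    cabin_id = conn.execute(
        "INSERT INTO cabin (reunion_id, name, capacity) VALUES (?, ?, ?)",
        (reunion_id, "Cabin 1", 6),
    ).lastrowid
    add_member(conn, "Ann", "O'Brien", "555-123-4567", "1 Main St\nSpringfield",
               "F", True, 2, "BBQ", "Lemonade", False, cabin_id)
    add_member(conn, "Bob", "Smith", "555-987-6543", "2 Oak Ave", "M",
               False, 0, None, None, False)
    # A hostile-looking name is harmless because it is bound, not concatenated.
    add_member(conn, "x'); DROP TABLE family_member;--", "Jones", None, None,
               None, True, 0, "Salad", "Water", True, cabin_id)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("total attending:", total_attending(db))  # 4: Ann + 2 guests + Jones
```

Running the script builds the three tables, inserts the constructed rows, and reports a head count of 4 (Ann plus her two guests, and Jones; Bob is not attending).  The third row's first name is kept verbatim and the table survives, which is the point of parameter binding.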





Binary Conversions

The conversion of numbers is common in mathematics and has been used for many generations.   During the creation of computers number co...