Guide to Data Security Regulatory Requirements: HIPAA, PCI and ISO 27001


HIPAA, PCI and ISO 27001 are the three most common compliance standards for information security. For professionals and organizations new to drafting or implementing an Information Security Management System (ISMS), it can be puzzling to know which standard to comply with. In this quick guide you’ll learn which standard applies to you and how you can get certified.

HIPAA & HITECH Compliance

HIPAA & HITECH are US laws that work hand in hand to protect the health information of data subjects. HIPAA (Health Insurance Portability and Accountability Act) was enacted to ensure the health care coverage of individuals between jobs. However, the law also requires healthcare organizations to use electronic data for patients’ health history and information. As such, the law also imposed data privacy and security rules to protect individuals.

HIPAA, therefore, is a compliance requirement for organizations and enterprises that handle patient health information. This includes hospitals, insurance companies, medical clearinghouses and other businesses that deal with medical data in one way or another. HIPAA compliance is mandatory for organizations in the US. Violators or non-compliant organizations can be penalized with a $50,000 fine and a maximum penalty of up to $1.5 million per year.

HITECH (Health Information Technology for Economic and Clinical Health Act), on the other hand, is a complementary law that widens the scope and enforcement of HIPAA. It imposed more stringent standards on organizations holding or processing medical information.

How do I become compliant?

To be HIPAA compliant, you need to address the administrative side of protecting patients’ health information along with the technical and physical safeguards your organization has in place. First, you need to provide HIPAA awareness training to your employees. Second, you need to carry out a security risk assessment and implement the controls stipulated in the HIPAA rules. Next, you have to appoint and train an officer who will be responsible for implementing security procedures and policies and for making sure that your organization remains compliant.

PCI-DSS Compliance

PCI-DSS (Payment Card Industry Data Security Standard) is a mandatory credential created by the payment card industry’s security standards council to protect consumer cardholder information. It applies to any business that uses, handles, assesses, stores, or transmits cardholder data. As it pertains to information security, PCI requires that such organizations have a compliant IT infrastructure, including outsourced servers and software. This means it not only requires your business to be compliant, but also requires your outsourced network monitoring server, software and hosting provider to be PCI compliant.

This mandatory standard concerns only cardholder information, not all electronic data. And as a mandatory standard, it penalizes non-compliant organizations: a fine of up to $500,000 is imposed on a non-compliant organization per security breach incident.

How do I get certified?

According to the PCI Security Standards Council, compliance involves three steps.

The first is Assess. It includes an inventory of cardholder data and a security risk assessment. The second is Remediate. This step involves resolving vulnerabilities and filtering the cardholder data you hold, retaining only what is absolutely necessary. The last is Report: reporting your compliance status to the proper payment card brand.

ISO 27001

Compared to HIPAA and PCI, ISO 27001 is not mandatory, hence it carries no penalty for non-compliance, and it does not pertain specifically to health information or cardholder data. However, it is the most widely accepted international standard concerning the general information security of any type of organization. This set of standards defines the information security management system (ISMS) of an organization. Thus, for your organization to be ISO 27001 certified, it must be a cut above the rest, as certification signifies that your IT infrastructure, information security policies and processes are above grade and are doing a great job of protecting information in general.

One more caveat: ISO 27001 works hand in hand with ISO 27002, which details how an organization can comply with the former. ISO 27002, however, is not a management standard against which a separate certification is issued. You cannot be ISO 27002 certified. Instead, it only explains how the controls defined in ISO 27001 should be implemented.

While ISO 27001 is an internationally acclaimed compliance standard for handling information security, it is not intended as a substitute for HIPAA or PCI compliance.

How do I get certified?

To be certified under ISO 27001, you need to be audited by a certification body accredited by the ISO. The process generally involves two stages of auditing, with a lot of processes and procedures in between. The first audit deals with proper documentation. The second stage of auditing checks whether your processes, procedures and management are compliant with your documentation and with the ISO standard.

A security risk assessment is a crucial step in getting ISO certification. It comes before implementing the security controls set by the standard.

What Standard is for My Organization?

Since the three standards vary in their scope, requirements and enforcement, it is possible that you don’t need to comply with all three, or, at the other extreme, that you have to comply with all three. So how do you choose which standard is for your organization?

The simplest answer is: identify the nature of your organization and the industry it belongs to. The right set of standards you should comply with depends on the nature of your organization. If you’re handling medical information, then you are required to be HIPAA/HITECH compliant. And since most hospitals handle or process credit card information, PCI-DSS compliance is also required. I put emphasis on these two being mandatory. You can’t get around these two standards if you belong to the aforementioned industry.

How about ISO 27001? While not mandatory, ISO 27001 has been the world standard for information security. For one, it elevates the standard required by PCI-DSS, since ISO approaches the controls (which are also found in PCI) more thoroughly. As such, a majority of organizations that require a robust IT infrastructure vie to be ISO 27001 certified. Note, however, that being ISO 27001 certified does not exempt you from the PCI-DSS standard. The latter is mandatory for all organizations dealing with credit cards.