Information security and personal privacy have been hot-button issues in 2018. The fallout from the Facebook/Cambridge Analytica controversy sparked the privacy debate in the United States. Meanwhile, in the EU, the General Data Protection Regulation (GDPR) was officially enforced on May 25, 2018. The GDPR protects European citizens’ data privacy. It also fundamentally changes how organizations handle consumer information. While the United States doesn’t have an all-encompassing law protecting data and privacy for the public, there are regulations on the books that oversee how specific industries handle personal information. Today we look at a few of those industries and how you can prepare your business to comply with a variety of regulatory agencies.
We’ll start with an industry with some of the tightest regulations: healthcare. The way in which providers and insurers handle a patient’s medical information is highly regulated, and with good reason. Medical information is the most personal information a person possesses. There is no reason for anyone other than the provider, insurer, or patient to have this information. The most well-known healthcare regulation in the United States is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was created to protect confidential healthcare data as new systems of transfer and insurance practices were being implemented.
Of course, not all healthcare information is handled the same way. Different organizations oversee different aspects of the healthcare process. For example, the Centers for Medicare & Medicaid Services (CMS) protects the patient, while the Occupational Safety and Health Administration (OSHA) works for worker safety. As more agencies become part of the process, it becomes difficult to determine which practices are the proper way to keep every party involved protected.
The abundance of regulations has been particularly stressful for healthcare providers. They need to walk a fine line between keeping information available to provide quality care and not letting rising costs hurt their practice. As policy continually shifts, healthcare providers must establish methods that work to mitigate redundancy.
Financial Services Regulations
Another highly regulated industry is financial services. With the volatility of the financial sector over the past decade, organizations are under a more watchful eye, from both the government and citizens. To provide relief, financial companies are looking to IT to help speed up operations, cut costs, and manage their businesses more accurately. With the recent rollback of a portion of the Dodd-Frank Act, financial companies now have three major regulations to be concerned about: the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOX), and the Payment Card Industry Data Security Standard (PCI DSS).
Even with the rollbacks, some larger organizations still follow Dodd-Frank, but smaller banks and lenders are now able to operate free from limiting oversight. Here is how each of the remaining regulations works regarding data security:
- GLBA – Mandates that financial services organizations identify, adjust, and test their data protection systems to ensure that customer information isn’t being misused or misallocated.
- SOX – Requires accurate and responsible accounting, and puts an onus on large businesses to increase the transparency of profits.
- PCI DSS – Protects cardholder data, and requires strong controls, reporting, and testing of payment card systems.
The primary financial regulatory agencies in the United States are the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and the Securities and Exchange Commission (SEC). When necessary, these agencies step in to levy fines and other punishments. In most cases, they take advisory roles when it comes to data security, as anything more could be seen as being above their mandate. The agencies work to keep trade, practices, and markets fair, not to protect personal data and information.
Even with proactive oversight, financial organizations keep their practices to a certain standard, as outlined by the Federal Financial Institutions Examination Council (FFIEC-IT) handbook. The FFIEC-IT handbook lays out precisely what is needed to keep a compliant and secure IT infrastructure for financial services. All the information anyone would need is available on the FFIEC-IT website.
Creating a Plan
No matter the industry, security standards will follow the same basic principles. They will talk about the need for accurate reporting and frequent assessment. Building a strategy like this will work in the provider’s favor. They can outline what will work for the types of organizational oversight that they must operate under. Setting up a static security management plan (SMP) creates a workflow for the organization to follow. For an SMP to work, it must be readily accessible and simple to understand.
A typical SMP will include the following information:
- An organizational security mission statement.
- A static hierarchy of authority with the organization’s reporting structure.
- Identification of areas that need to be secured.
- A general outline of individual duties and activities under the SMP.
- The static documentation system that has to be used to keep things compliant.
- An organizational training program or interface to keep staff up-to-date on shifts in the SMP.
- A roadmap on how to incorporate liaison sites.
- A top-to-bottom security organizational chart.
- A copy of SMP evaluations and a plan for improvement, if needed.
Now that you have the SMP in place, the fun part begins. It will take time and effort, but you’ll want to apply the SMP to every part of your organization. You’ll need to consider all data and information that must be secured. Once you have all this information, keeping your organization compliant will be much easier and more efficient.
Using the information in the SMP, you’ll be able to implement proper security measures to continue to stay compliant. It will take some time, and will require the help of an IT professional, but once everything is working together, you’ll have everything you need to prove compliance to regulators.
If you need help designing, implementing, and supporting compliance strategies, look no further than IT Support Guys. Our network security and backup and recovery solutions are tailored to your specific needs, ensuring you’ll stay compliant, no matter the industry or regulations. To learn more, call and speak with an IT Support Guys’ specialist today at 855-4IT-GUYS (855-448-4897).