Compliance

Nuspire has a unique approach to assisting clients with governance, risk, and compliance challenges. This provides an unprecedented amount of transparency into all engagements while ensuring client expectations are met at each step of the way. In addition, numerous resources are made available to the client, including an experienced project manager and additional engineering consultants. Nuspire’s approach is to partner with the client in the ongoing security efforts across a company.

[Compliance graphic: the six phases of Nuspire's compliance services]

Nuspire's compliance services consist of the six phases shown above:

PCI-DSS 3.2

Nuspire aims to be an organization’s security partner in recognizing various GRC concerns such as business impact, infrastructure policy, and security direction.

Risk Management and Compliance
The Governance, Risk Management, and Compliance service (GRC) is about striking an appropriate balance between the value of the information being protected and how much risk an entity is willing to accept. A mature GRC practice takes an integrated approach, combining many facets of the business, including compliance programs, incident management solutions, and risk management. For any organization accepting credit cards, consideration of the Payment Card Industry (PCI) standards is essential for a comprehensive GRC program.

PCI Compliance Services
When you partner with Nuspire, work on your security posture starts with a diagnosis of your organization's current infrastructure. Nuspire delves into why an organization’s network was designed the way it was, and what the design is intended to do from a business perspective.

The Nuspire assessment process minimizes the impact on business operations by providing a structured approach, emphasizing productivity and network efficiency. While each engagement is unique, the basic services and process are structured below:

  • Managed Gateway, IPS and Vulnerability Assessment Systems
  • Unified Threat Management to protect against intrusion attempts, viruses, trojans, keyloggers, spam, phishing, data compromise, etc.
  • Managed Network Solutions
  • Content Filtering
  • Incident Response
  • Security Information and Event Management (SIEM) and Device Log Reporting
  • Desktop Policy Enforcement/Lockdown

PCI Data Security Standard – High Level Overview

Build and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Identify and authenticate access to system components

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel


PCI DSS Applicability Information

PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data and/or sensitive authentication data.

Account Data

Cardholder data includes:

  • Primary Account Number (PAN)
  • Cardholder name
  • Expiration date
  • Service code

Sensitive authentication data includes:

  • Full track data (magnetic-stripe data or equivalent on a chip)
  • CAV2/CVC2/CVV2/CID
  • PINs/PIN blocks

Scope of PCI DSS Requirements

These security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices, and applications. Examples are:

  • Systems that provide security services (authentication servers, for example), facilitate segmentation (internal firewalls, for example), or may impact the security of (name resolution or web redirection servers, for example) the CDE
  • Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors
  • Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances
  • Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS)
  • Applications including all purchased and custom applications, including internal and external applications
  • Any other component or device located within or connected to the CDE

To confirm the accuracy of the defined CDE, perform the following:

  • The assessed entity identifies and documents the existence of all cardholder data in their environment, to verify that no cardholder data exists outside of the currently defined CDE
  • Once all locations of cardholder data are identified and documented, the entity uses the results to verify that PCI DSS scope is appropriate
  • The entity considers any cardholder data found to be in the scope of the PCI DSS assessment and part of the CDE. If the entity identifies data that is not currently included in the CDE, such data should be securely deleted, migrated into the currently defined CDE, or the CDE redefined to include this data
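As an added example supporting the cardholder-data discovery step above (this is not Nuspire's or the PCI SSC's code): a small Python scanner that finds Luhn-valid PAN candidates in exported text and reports them masked to the first six and last four digits, so the locations of cardholder data can be documented without copying full PANs into the scope report. The ticket export and the file name used as sample input are constructed.

```python
"""Cardholder-data discovery helper for PCI DSS scope validation.

Added example, not part of the original page. Finds candidate primary
account numbers (PANs) in text, confirms them with the Luhn check digit,
and records each hit with a masked PAN and its location. The sample
export below is constructed for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A candidate PAN is 13-19 digits, optionally separated by single spaces or
# dashes in groups (as printed on receipts or typed into free-text notes).
# The look-arounds stop a longer digit run from being matched in pieces.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass(frozen=True)
class Finding:
    source: str       # file or record name the line came from
    line_no: int      # 1-based line number within that source
    masked_pan: str   # first six and last four digits kept, rest masked


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN so that only the first six and last four digits remain."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str, source: str = "<input>") -> list[Finding]:
    """Scan text line by line and return masked findings for Luhn-valid PANs.

    Non-Luhn digit runs (order numbers, timestamps) and runs of a single
    repeated digit are dropped, which removes most false positives.
    """
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits) and len(set(digits)) > 1:
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


# Constructed sample: a support-ticket export that should contain no PANs.
SAMPLE_EXPORT = """\
ticket 1042: customer called, card ending 4242, no PAN recorded
ticket 1043: agent pasted card 4111 1111 1111 1111 into notes (!)
ticket 1044: order ref 1234567890123 shipped
ticket 1045: amex 378282246310005 exp 12/26 stored in attachment
"""


def report(findings: list[Finding]) -> list[str]:
    """Render findings as one documentation line each (masked PAN only)."""
    return [f"{f.source}:{f.line_no} PAN {f.masked_pan}" for f in findings]


if __name__ == "__main__":
    for line in report(find_pans(SAMPLE_EXPORT, "tickets.txt")):
        print(line)
```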

Use of Third-Party Service Providers/Outsourcing

A service provider or merchant may use a third-party service provider to store, process, or transmit cardholder data on their behalf, or to manage components such as routers, firewalls, databases, physical security, and/or servers.

Parties should clearly identify the services and system components that are included in the scope of the service provider’s PCI DSS assessment, the specific PCI DSS requirements covered by the service provider, and any requirements that are the responsibility of the service provider’s customers to include in their own PCI DSS reviews.

Service providers are responsible for demonstrating their PCI DSS compliance, and may be required to do so by the payment brands.

There are two options for third-party service providers to validate compliance:

  1. Annual assessment: Service providers can undergo an annual PCI DSS assessment/s on their own and provide evidence to their customers to demonstrate their compliance
  2. Multiple, on-demand assessments: If they do not undergo their own annual PCI DSS assessments, service providers must undergo assessments upon request of their customers and/or participate in each of their customer’s PCI DSS reviews, with the results of each review provided to the respective customer/s

Best Practices for Implementing PCI DSS into Business-as-Usual Processes

  1. Monitoring of security controls, such as firewalls, IDS/IPS, file integrity monitoring, antivirus, access controls, etc., to ensure they are operating effectively and as intended.
  2. Ensuring all failures in security controls are detected and responded to in a timely manner. Processes to respond to security control failures should include:
  • Restoring the security control
  • Identifying the cause of failure
  • Identifying and addressing any security issues that arose during the failure of the security control
  • Implementing mitigation, such as process or technical controls, to prevent a reoccurring failure
  • Resuming monitoring of the security control, perhaps with enhanced monitoring for a period of time, to verify the control is operating effectively

  • Determine the potential impact to PCI DSS scope
  • Identify PCI DSS requirements applicable to systems and networks affected by the changes
  • Update PCI DSS scope and implement security controls as appropriate
  3. Changes to organizational structure resulting in formal review of the impact to PCI DSS scope and requirements


Nuspire can help customers concerned with PCI compliance overcome challenges around the three-tiered approach to network security by utilizing Nuspire services such as Cyber Threat Monitoring, Network Monitoring, Consulting, and Security Analytics.


www.pcisecuritystandards.org


GLBA

The Gramm-Leach-Bliley Act (GLBA) was enacted in November 1999. Under this Act, a financial institution is defined as any business that engages in financial activities, ranging from insurance brokerage to data processing to automobile financing or leasing. Included in this Act is a set of rules commonly referred to as the “Safeguards Rule.” The Safeguards Rule is intended to protect the financial institution’s customers from identity theft and other harm, such as misappropriation, alteration, or tampering, by requiring that customer information be protected.

Introduction

The GLBA governs the treatment of nonpublic personal information about consumers by financial institutions. Financial institutions are prohibited from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless:

  • The institution satisfies various notice and opt-out requirements, and
  • The consumer has not elected to opt out of the disclosure.

Financial institutions are required to provide a notice of their privacy policies and practices to their customers.

Nonpublic personal information is generally any information that is not publicly available and that:

  • A consumer provides to a financial institution to obtain a financial product or service from the institution
  • Results from a transaction between the consumer and the institution involving a financial product or service
  • A financial institution otherwise obtains about a consumer in connection with providing a financial product or service

Financial Institutions and Customer Information: Complying with the Safeguards Rule

HOW TO COMPLY

The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information. The plan must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its plan, each company must:

  • Designate one or more employees to coordinate its information security program;
  • Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
  • Design and implement a safeguards program, and regularly monitor and test it;
  • Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
  • Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

The requirements are designed to be flexible. Companies should implement safeguards appropriate to their own circumstances. For example, some companies may choose to put their safeguards program in a single document, while others may put their plans in several different documents — say, one to cover an information technology division and another to describe the training program for employees. Similarly, a company may decide to designate a single employee to coordinate safeguards or may assign this responsibility to several employees who will work together. In addition, companies must consider and address any unique risks raised by their business operations — such as the risks raised when employees access customer data from their homes or other off-site locations, or when customer data is transmitted electronically outside the company network.

SECURING INFORMATION

The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three areas that are particularly important to information security: Employee Management and Training; Information Systems; and Detecting and Managing System Failures. One of the early steps companies should take is to determine what information they are collecting and storing, and whether they have a business need to do so. You can reduce the risks to customer information if you know what you have and keep only what you need.

Depending on the nature of their business operations, firms should consider implementing the following practices:

Employee Management and Training. The success of your information security plan depends largely on the employees who implement it. Consider:

  • Checking references or doing background checks before hiring employees who will have access to customer information.
  • Asking every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling customer information.
  • Limiting access to customer information to employees who have a business reason to see it. For example, give employees who respond to customer inquiries access to customer files, but only to the extent they need it to do their jobs.
  • Controlling access to sensitive information by requiring employees to use “strong” passwords that must be changed on a regular basis. (Tough-to-crack passwords require the use of at least six characters, upper- and lower-case letters, and a combination of letters, numbers, and symbols.)
  • Using password-activated screen savers to lock employee computers after a period of inactivity.
  • Developing policies for appropriate use and protection of laptops, PDAs, cell phones, or other mobile devices. For example, make sure employees store these devices in a secure place when not in use. Also, consider that customer information in encrypted files will be better protected in case of theft of such a device.
  • Training employees to take basic steps to maintain the security, confidentiality, and integrity of customer information, including:
    • Locking rooms and file cabinets where records are kept;
    • Not sharing or openly posting employee passwords in work areas;
    • Encrypting sensitive customer information when it is transmitted electronically via public networks;
    • Referring calls or other requests for customer information to designated individuals who have been trained in how your company safeguards personal data; and
    • Reporting suspicious attempts to obtain customer information to designated personnel.
  • Regularly reminding all employees of your company’s policy — and the legal requirement — to keep customer information secure and confidential. For example, consider posting reminders about their responsibility for security in areas where customer information is stored, like file rooms.
  • Developing policies for employees who telecommute. For example, consider whether or how employees should be allowed to keep or access customer data at home. Also, require employees who use personal computers to store or access customer data to use protections against viruses, spyware, and other unauthorized intrusions.
  • Imposing disciplinary measures for security policy violations.
  • Preventing terminated employees from accessing customer information by immediately deactivating their passwords and user names and taking other appropriate measures.
Information Systems. Information systems include network and software design, and information processing, storage, transmission, retrieval, and disposal. Here are some suggestions on maintaining security throughout the life cycle of customer information, from data entry to data disposal:
  • Know where sensitive customer information is stored and store it securely. Make sure only authorized employees have access. For example:
    • Ensure that storage areas are protected against destruction or damage from physical hazards, like fire or floods.
    • Store records in a room or cabinet that is locked when unattended.
    • When customer information is stored on a server or other computer, ensure that the computer is accessible only with a “strong” password and is kept in a physically-secure area.
    • Where possible, avoid storing sensitive customer data on a computer with an Internet connection.
    • Maintain secure backup records and keep archived data secure by storing it off-line and in a physically-secure area.
    • Maintain a careful inventory of your company’s computers and any other equipment on which customer information may be stored.
  • Take steps to ensure the secure transmission of customer information. For example:
    • When you transmit credit card information or other sensitive financial data, use a Secure Sockets Layer (SSL) or other secure connection, so that the information is protected in transit.
    • If you collect information online directly from customers, make secure transmission automatic. Caution customers against transmitting sensitive data, like account numbers, via email or in response to an unsolicited email or pop-up message.
    • If you must transmit sensitive data by email over the Internet, be sure to encrypt the data.
  • Dispose of customer information in a secure way and, where applicable, consistent with the FTC’s Disposal Rule. For example:
    • Consider designating or hiring a records retention manager to supervise the disposal of records containing customer information. If you hire an outside disposal company, conduct due diligence beforehand by checking references or requiring that the company be certified by a recognized industry group.
    • Burn, pulverize, or shred papers containing customer information so that the information cannot be read or reconstructed.
    • Destroy or erase data when disposing of computers, disks, CDs, magnetic tapes, hard drives, laptops, PDAs, cell phones, or any other electronic media or hardware containing customer information.
Detecting and Managing System Failures. Effective security management requires your company to deter, detect, and defend against security breaches. That means taking reasonable steps to prevent attacks, quickly diagnosing a security incident, and having a plan in place for responding effectively. Consider implementing the following procedures:
  • Monitoring the websites of your software vendors and reading relevant industry publications for news about emerging threats and available defenses.
  • Maintaining up-to-date and appropriate programs and controls to prevent unauthorized access to customer information. Be sure to:
    • check with software vendors regularly to get and install patches that resolve software vulnerabilities;
    • use anti-virus and anti-spyware software that updates automatically;
    • maintain up-to-date firewalls, particularly if you use a broadband Internet connection or allow employees to connect to your network from home or other off-site locations;
    • regularly ensure that ports not used for your business are closed; and
    • promptly pass along information and instructions to employees regarding any new security risks or possible breaches.
  • Using appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information. It’s wise to:
    • keep logs of activity on your network and monitor them for signs of unauthorized access to customer information;
    • use an up-to-date intrusion detection system to alert you of attacks;
    • monitor both in- and out-bound transfers of information for indications of a compromise, such as unexpectedly large amounts of data being transmitted from your system to an unknown user; and
    • insert a dummy account into each of your customer lists and monitor the account to detect any unauthorized contacts or charges.
  • Taking steps to preserve the security, confidentiality, and integrity of customer information in the event of a breach. If a breach occurs:
    • take immediate action to secure any information that has or may have been compromised. For example, if a computer connected to the Internet is compromised, disconnect the computer from the Internet;
    • preserve and review files or programs that may reveal how the breach occurred; and
    • if feasible and appropriate, bring in security professionals to help assess the breach as soon as possible.
  • Considering notifying consumers, law enforcement, and/or businesses in the event of a security breach. For example:
    • notify consumers if their personal information is subject to a breach that poses a significant risk of identity theft or related harm;
    • notify law enforcement if the breach may involve criminal activity or there is evidence that the breach has resulted in identity theft or related harm;
    • notify the credit bureaus and other businesses that may be affected by the breach. See Information Compromise and the Risk of Identity Theft: Guidance for Your Business; and
    • check to see if breach notification is required under applicable state law.

FTC's Privacy Rule and Auto Dealers

Auto dealers that extend credit, arrange financing or leasing, or give financial advice must notify customers about the information they collect, who they share it with, and how they protect it. Are you following the rules of the road?

The Federal Trade Commission (FTC) has developed these additional FAQs to help auto dealers comply with the Gramm-Leach-Bliley Act and the FTC’s Privacy Rule. The following questions and answers show how the Privacy Rule applies to specific situations that auto dealers may face. Before reading this, you may want to familiarize yourself with the FTC’s small business guide, How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act, and the Frequently Asked Questions for the Privacy Regulation. Other business guidance is available on the FTC’s Gramm-Leach-Bliley Act page.

Please note that this information does not address possible legal obligations you may have under the FTC Safeguards Rule, the Fair Credit Reporting Act, or other federal and state laws.

Does the Privacy Rule apply to me?

The Privacy Rule applies to car dealers who:

  • Extend credit to someone (for example, through a retail installment contract) in connection with the purchase of a car for personal, family, or household use;
  • Arrange for someone to finance or lease a car for personal, family, or household use; or
  • Provide financial advice or counseling to individuals.

If you engage in these activities, any personal information that you collect to provide these services is covered by the Privacy Rule. Examples of personal information include someone’s name, address, phone number, or other information that could be used to identify them individually. The Privacy Rule applies if you collect personal information about someone in connection with the potential financing or leasing of a car, even if that person does not fill out a formal application. The Privacy Rule does not apply to you if a person buys a car with cash or arranges financing on their own through another lender.

Nuspire can help customers concerned with GLBA compliance overcome challenges around the three-tiered approach to network security by utilizing Nuspire services such as Cyber Threat Monitoring, Network Monitoring, Consulting, and Security Analytics.


https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act


HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. According to the Centers for Medicare and Medicaid Services (CMS) website, Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers. This is intended to help people keep their information private, though in practice, it is normal for providers and health insurance plans to require the waiver of HIPAA rights as a condition of service.

The Administrative Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's healthcare system by encouraging the widespread use of electronic data interchange in the U.S. healthcare system. To assist clients with meeting these Rules, Nuspire offers a set of services designed to support clients' efforts on each element.

Summary of the HIPAA Privacy Rule

This is a summary of key elements of the Privacy Rule including who is covered, what information is protected, and how protected health information can be used and disclosed. Because it is an overview of the Privacy Rule, it does not address every detail of each provision.

Introduction

The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals' privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.

A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.

This is a summary of key elements of the Privacy Rule and not a complete or comprehensive guide to compliance. Entities regulated by the Rule are obligated to comply with all of its applicable requirements and should not rely on this summary as a source of legal information or advice. To make it easier for entities to review the complete requirements of the Rule, provisions of the Rule referenced in this summary are cited in the end notes. Visit our Privacy Rule section to view the entire Rule, and for other additional helpful information about how the Rule applies. In the event of a conflict between this summary and the Rule, the Rule governs.

Statutory and Regulatory Background

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996. Sections 261 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information. Collectively these are known as the Administrative Simplification provisions.

HIPAA required the Secretary to issue privacy regulations governing individually identifiable health information, if Congress did not enact privacy legislation within three years of the passage of HIPAA. Because Congress did not enact privacy legislation, HHS developed a proposed rule and released it for public comment on November 3, 1999. The Department received over 52,000 public comments. The final regulation, the Privacy Rule, was published December 28, 2000.

In March 2002, the Department proposed and released for public comment modifications to the Privacy Rule. The Department received over 11,000 comments. The final modifications were published in final form on August 14, 2002.

Who is Covered by the Privacy Rule

The Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).

Summary of the HIPAA Security Rule

This is a summary of key elements of the Security Rule including who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information. Because it is an overview of the Security Rule, it does not address every detail of each provision.

Introduction

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions. 

Today, providers are using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks.

A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI. 

This is a summary of key elements of the Security Rule and not a complete or comprehensive guide to compliance. Entities regulated by the Privacy and Security Rules are obligated to comply with all of their applicable requirements and should not rely on this summary as a source of legal information or advice.

Statutory and Regulatory Background

  • The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Secretary of HHS to publish national standards for the security of electronic protected health information (e-PHI), electronic exchange, and the privacy and security of health information.

HIPAA called on the Secretary to issue security regulations regarding measures for protecting the integrity, confidentiality, and availability of e-PHI that is held or transmitted by covered entities. HHS developed a proposed rule and released it for public comment on August 12, 1998. The Department received approximately 2,350 public comments. The final regulation, the Security Rule, was published February 20, 2003. The Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality, integrity, and availability of e-PHI.

Who is Covered by the Security Rule

  • The Security Rule, like all of the Administrative Simplification rules, applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”). 

Business Associates

  • The HITECH Act of 2009 expanded the responsibilities of business associates under the Privacy and Security Rules. HHS is developing regulations to implement and clarify these changes.


Submitting Notice of a Breach to the Secretary

A covered entity must notify the Secretary if it discovers a breach of unsecured protected health information.

A covered entity’s breach notification obligations differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals. If the number of individuals affected by a breach is uncertain at the time of submission, the covered entity should provide an estimate, and, if it discovers additional information, submit updates in the manner specified below. If only one option is available in a particular submission category, the covered entity should pick the best option, and may provide additional details in the free text portion of the submission.

If a covered entity discovers additional information that supplements, modifies, or clarifies a previously submitted notice to the Secretary, it may submit an additional form by checking the appropriate box to indicate that it is an addendum to the initial report, using the transaction number provided after its submission of the initial breach report.

Breaches Affecting 500 or More Individuals

If a breach of unsecured protected health information affects 500 or more individuals, a covered entity must notify the Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. The covered entity must submit the notice electronically by clicking on the link below and completing all of the required fields of the breach notification form.

Breaches Affecting Fewer than 500 Individuals

If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. (A covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals; a covered entity may report such breaches at the time they are discovered.) The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident. 

Nuspire can help customers concerned with HIPAA compliance overcome challenges around the three-tiered approach to network security by utilizing Nuspire services such as Cyber Threat Monitoring, Network Monitoring, Consulting, and Security Analytics. Fill out the form below to learn more.


SOX

Sarbanes-Oxley (SOX) legislation came into force in 2002 and introduced major changes to the regulation of financial practice and corporate governance. Named after Senator Paul Sarbanes and Representative Michael Oxley, its main architects, SOX also set a number of deadlines for compliance. The Sarbanes-Oxley Act is arranged into eleven titles. As far as compliance is concerned, the most important sections within these are often considered to be 302, 401, 404, 409, 802 and 906.

Sarbanes-Oxley Compliance

Compliance with SOX legislation need not be a daunting task. Like every other regulatory requirement, it should be addressed methodically via proper analysis and study. Additionally, some sections of the act are more pertinent to compliance than others.

To assist those seeking to meet the demands of this act, the following pages cover the key Sarbanes-Oxley sections:

Turn to Nuspire to assist with technology requirements around network security monitoring, incident response, documentation, and remediation activities with the Nuspire Security Analytics Team (SAT).

FISMA

The Federal Information Security Management Act (FISMA) of 2002 requires program officials, and the head of each agency, to take specific measures to mitigate cybersecurity risks. The Department of Homeland Security monitors and reports agency progress to ensure the effective implementation of this guidance.

Overview

OMB Memos 10-15 (PDF, 27 pages - 274 KB) and 10-28 (PDF, 2 pages - 38.6 KB) outline Department of Homeland Security responsibilities for FISMA. M-10-15 states that the Department of Homeland Security will provide additional operational support to federal agencies in securing federal systems. The Department will monitor and report agency progress to ensure the effective implementation of this guidance. This memo also outlines the new FISMA process that follows a three-tiered approach:

  • Data feeds directly from security management tools
  • Government-wide benchmarking on security posture
  • Agency-specific interviews

This three-tiered approach is a result of the task force established in September 2009 to develop new, outcome-focused metrics for the information security performance of federal agencies. This task force concentrated on developing metrics that would advance the security posture of agencies and departments.

M-10-28 outlines and clarifies the respective responsibilities and activities of the Office of Management and Budget (OMB), the Cybersecurity Coordinator, and the Department of Homeland Security, in particular with respect to the federal government's implementation of the Federal Information Security Management Act of 2002 (FISMA; 44 U.S.C. §§ 3541-3549).

The Department will exercise primary responsibility within the executive branch for the operational aspects of federal agency cybersecurity with respect to the federal information systems that fall within FISMA under 44 U.S.C. §3543. In carrying out this responsibility and the accompanying activities, the Department shall be subject to general OMB oversight in accordance with section 3543(a), and the Department shall be subject to the limitations and requirements that apply to OMB under Section 3543(b)-(c).

Department of Homeland Security activities will include (but will not be limited to):

  • Overseeing the government-wide and agency-specific implementation of and reporting on cybersecurity policies and guidance;
  • Overseeing and assisting government-wide and agency-specific efforts to provide adequate, risk-based and cost-effective cybersecurity;
  • Overseeing the agencies' compliance with FISMA and developing analyses for OMB to assist in the development of the FISMA annual report;
  • Overseeing the agencies' cybersecurity operations and incident response and providing appropriate assistance; and
  • Annually reviewing the agencies' cybersecurity programs.

Nuspire can help customers concerned with FISMA compliance overcome challenges around the three-tiered approach to network security by utilizing Nuspire services such as Cyber Threat Monitoring, Network Monitoring, Consulting, and Security Analytics. Fill out the form below to learn more.

STAR

Nuspire Networks, as a participating member of the STAR (Standards for Technology in Automotive Retail) organization, has facilitated the process of crafting a common set of Dealer Infrastructure Guidelines (DIG).

The DIG is a comprehensive document that outlines industry best practices to be used as a reference by dealers to verify network and infrastructure needs. Dealerships of any size must employ internal network administrators or IT managers to be responsible for reviewing the guidelines, checklists, and tips to ensure their dealership has implemented a safe, secure, and robust solution, one that is able to meet both the needs of the customer and the dealership team.

These guidelines provide recommendations on dealership hardware, software, Local Area Network (LAN), internet bandwidth, and security. They are intended as a guide to support effective data integration, data protection, system reliability and efficient business processes. The DIG represents a first step in a strategy to provide guidance for retail distribution outlets in managing technology within their respective disciplines and providing a secure environment as opposed to simply maintaining compliance.

Nuspire can help customers concerned with STAR compliance overcome challenges around the three-tiered approach to network security by utilizing Nuspire services such as Cyber Threat Monitoring, Network Monitoring, Consulting, and Security Analytics. Fill out the form below to learn more.