Compliance

 

First let’s cover compliance. The job of network compliance is to make sure that network devices such as switches and routers are running configurations that meet the policies set by the organization. For example, some organizations may not want to run certain protocols on any of their devices. As another example, we were recently talking to one customer who wanted to make sure that every single configuration line met the compliance check.

Configuration issues can be very problematic. One of our customers recently had a device running a bad configuration that caused a major outage in their environment. Afterwards they needed to define the correct configurations so that such a mistake would not be repeated and the configuration of their devices would always meet their policies.

Another aspect of compliance is auditing: making sure you have the correct software and configurations, and knowing who changed a device, what they changed and when.
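As an added illustration (not part of the original page and not any vendor's tool), the following Python checks a constructed Cisco-style configuration line by line against a hypothetical policy of required and forbidden lines, and diffs it against an approved baseline to show what changed:

```python
import re
from dataclasses import dataclass

# Constructed sample configs in Cisco IOS style; not taken from any real device.
APPROVED_BASELINE = """\
hostname core-sw-01
service password-encryption
line vty 0 4
 transport input ssh
"""
RUNNING_CONFIG = """\
hostname core-sw-01
service password-encryption
line vty 0 4
 transport input telnet ssh
cdp run
snmp-server community public RO
"""

@dataclass
class Rule:
    name: str
    pattern: str    # regex applied to every configuration line
    required: bool  # True: a matching line must exist; False: none may exist

# Hypothetical policy: one required hardening line plus protocols the organization forbids.
POLICY = [
    Rule("password encryption enabled", r"^service password-encryption$", True),
    Rule("no telnet on vty lines", r"^\s*transport input .*\btelnet\b", False),
    Rule("CDP disabled", r"^cdp run$", False),
    Rule("no SNMP community strings", r"^snmp-server community ", False),
]

def check_compliance(config: str, policy: list) -> dict:
    """Check every line against every rule; violations map rule name -> offending
    lines, or None when a required line is missing."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    violations = {}
    for rule in policy:
        hits = [l.strip() for l in lines if re.search(rule.pattern, l)]
        if rule.required and not hits:
            violations[rule.name] = None
        elif not rule.required and hits:
            violations[rule.name] = hits
    return {"compliant": not violations, "violations": violations}

def config_diff(baseline: str, current: str) -> dict:
    """Audit 'what changed': lines added to or removed from the approved baseline.
    'Who' and 'when' come from AAA accounting or syslog records, not from the config."""
    base = {l.rstrip() for l in baseline.splitlines() if l.strip()}
    cur = {l.rstrip() for l in current.splitlines() if l.strip()}
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}
```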

 

One aspect of network security is that organizations run proper configurations to meet the security standards that apply to them, so that there are no negative effects on the network. These can be internal or external standards such as HIPAA (Health Insurance Portability and Accountability Act) or SOX (Sarbanes–Oxley Act). The security standards apply to all levels of networking: firewalls, routers, switches, and so on.

Knowing and keeping up with regulations and compliance can be a full-time task. There are many agencies and governing bodies that regulate almost every industry and process. Having a group dedicated to this is the most cost-effective and efficient way to make sure you stay compliant with your industry standards. Some of the standards and regulations include:

 

  • PCI DSS (Payment Card Industry Data Security Standard)
  • FISMA (Federal Information Security Management Act)
  • SOX (Sarbanes-Oxley Act)
  • HIPAA (Health Insurance Portability and Accountability Act)
  • GLBA (Gramm-Leach-Bliley Act)
  • ISO 27001 (Information Security Management System)

Some Questions to Ask:

 

  1. How secure are the passwords that you are using?
  2. Is the information on your computer screen visible to others when you are away from your computer?
  3. Are you sending emails about patients securely?
  4. Large corporations are being hacked for information, do you have the same level of security to protect your clients?
  5. Are your policies and procedures for securing data documented in case of an audit?
  6. Are you aware of the HIPAA Omnibus rule that was implemented in September 2013?
  7. Is the data on your patients backed up and encrypted?
  8. Do you have an off-site backup, if so, how is it stored?

 

These are just a few of the questions that hospitals, clinics, and many other facilities are required to address to protect the information of their clients. HIPAA is not just for medical personnel. Lawyers and others are required to follow these same rules. Contact us today to have an analysis done on your company.

 

What is HIPAA Compliance?

 

HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.

 

This includes covered entities (CE), anyone who provides treatment, payment and operations in healthcare, and business associates (BA), anyone with access to patient information and provides support in treatment, payment or operations. Subcontractors, or business associates of business associates, must also be in compliance.

 

The HIPAA Privacy Rule addresses the saving, accessing and sharing of medical and personal information of any individual, while the HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically, also known as electronic protected health information (ePHI).

 

If you are hosting your data with a HIPAA compliant hosting provider, they must have certain administrative, physical and technical safeguards in place, according to the U.S. Department of Health and Human Services. The physical and technical safeguards are most relevant to services provided by your HIPAA compliant host as listed below, with detail on what constitutes a HIPAA compliant data center.

 

Physical safeguards include limited facility access and control, with authorized access in place. All covered entities, or companies that must be HIPAA compliant, must have policies about use and access to workstations and electronic media. This includes transferring, removing, disposing and re-using electronic media and electronic protected health information (ePHI).

Technical safeguards require access control to allow only the authorized to access electronic protected health data. Access control includes using unique user IDs, an emergency access procedure, automatic log off and encryption and decryption.

Audit reports, or tracking logs, must be implemented to keep records of activity on hardware and software. This is especially useful to pinpoint the source or cause of any security violations.

Technical policies should also cover integrity controls, or measures put in place to confirm that ePHI hasn’t been altered or destroyed. IT disaster recovery and offsite backup are key to ensure that any electronic media errors or failures can be quickly remedied and patient health information can be recovered accurately and intact.

Network, or transmission, security is the last technical safeguard required of HIPAA compliant hosts to protect against unauthorized public access of ePHI. This concerns all methods of transmitting data, whether it be email, Internet, or even over a private network, such as a private cloud.

 

A supplemental act was passed in 2009 called The Health Information Technology for Economic and Clinical Health (HITECH) Act which supports the enforcement of HIPAA requirements by raising the penalties of health organizations that violate HIPAA Privacy and Security Rules. The HITECH Act was formed in response to health technology development and increased use, storage and transmittal of electronic health information.

 

PCI DSS Compliance

 

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially, this means any merchant that has a Merchant ID (MID).

The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).

 

It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

 

PCI Compliance applies to any and all companies that handle, store, or transmit credit card information on computers or terminals.

 

There are four levels that a merchant can fall under for compliance:

 

  1. Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
  2. Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.
  3. Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
  4. Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.

 

Making sure data is not compromised is not easy to accomplish. Give us a call or submit a service request to review your status.

 

 

Advanced Computer & Data Communications Inc.

We are not your typical computer repair company. Most IT companies focus on one area or product. ACD Communications is your one-stop location to meet all your IT needs. We make sure you can come to us for everything from computer repair to security to television services. We only deal with the best. Our personal attitude toward our customers means you don't have to worry about getting the run around or not knowing what to expect. Come see us to find out more.

How we can help

 

Between our staff and our affiliate partners, we will make sure to guide you in the right direction to meet all your IT and technology needs.

 

We're here for you

Our mission is to treat all our customers just as we would treat our own mother or grandparents. Our personal attitude will always leave you with a smile and coming back for more. Leave the hard thinking to us.

© 2016 Advanced Computer & Data Communications Inc. All rights reserved.

1925 Youngstown Road SE

Warren, Ohio 44484

330-469-6972