8 Recent PCI Changes You Don't Want to Miss!

May 26, 2016

It's that time of year again… time for the PCI Council to flip the industry on its head and create a lot of buzz around the new changes within the PCI Security Standard. So, what’s new?

Well, according to the powers that be, don't expect version 4.0 to be out anytime soon. In fact, most changes to the Standard (for the foreseeable future) will be incremental in nature. Thus, we are presented with PCI DSS 3.2. That's good news for the industry… right?

Let’s take a look at 8 of the most impactful changes within the newest version of the Standard that you don’t want to miss:

    • Service providers must document and maintain a description of their architecture as it relates to cryptographic functions. (PCI DSS – 3.5)

Topics: PCI, Merchants, PCI DSS, PCI Compliance, PCI DSS 3.2, Service Providers, PCI Security Standard

Has PCI Got You Down?

April 21, 2016

It's a great morning, the sun is shining, you have an awesome career in information technology/security and life is good. You arrive at work to find a new project on your desk. Your business-minded company executive has decided that your company needs to become PCI compliant! Ominous background music plays as the clouds roll in and you ponder whether you need to make a career change.

You can spell PCI, and perhaps you even know what PCI stands for, but your knowledge of the Payment Card Industry (PCI) Data Security Standard (DSS) is very limited. Your spare time is even more limited and you’ve got to make this a successful project so that you can maintain your good standing as the subject matter expert in the company. So, what do you do?

Like any technology expert worth their salt, you head over to your extensive research library, also known as the Internet, and begin to research what PCI DSS is all about.


Topics: Cardholder Data, PCI, Data Security Standard, DSS, Payment Card Industry, Credit card Data

Will Hackers Hold You Hostage?

March 22, 2016

Ever get the sinking feeling that something has just gone horribly wrong? That innocuous pop-up screen informs you that all your precious data is now "protected." Upon inspection, all of your files may have a new extension on them, like '.mp3', and are completely unusable. It's likely that you've become the latest victim of ransomware and now have a new "business partner" holding your data hostage for a ransom.

That's right, the criminals want to sell you back your own data that you've worked so hard to create. They're even so kind as to allow you to decrypt a couple of files for free to prove they are trustworthy new "partners." The question that begs to be asked is whether you have implemented proper security controls to protect yourself, or whether you will be paying a ransom to your new "partner" to retrieve that data.

This type of attack has been around for a while, but has recently become more prevalent with the proliferation of anonymous payment channels like Bitcoin. New variants of CryptoLocker, Locky, TeslaCrypt, and other ransomware are getting tougher to detect. Traditional AV and spam/web filters are being bypassed easily. Antivirus is easily defeated by many variants of ransomware (and other malware), even when the signature files are current.


Topics: Ransomware, TeslaCrypt, RaaS, Malvertising, Locky, Phishing, CryptoLocker, Malware, Bitcoin, Vulnerabilities

Healthcare Data Breaches: What Preventative Solutions Do We Have?

February 25, 2016

In our last blog post, we discussed the prominence of data breaches in the healthcare industry. With so much of the attention being paid to breaches after-the-fact, what can a Covered Entity or Business Associate do to help prevent a data breach in the first place?

For many organizations that have had a breach in the past year, the realization that their security controls around how they manage healthcare information, internally and externally, were inadequate has come too late. Often it does not happen until after OCR delivers its OCR Resolution Agreement, which lays out the findings of its investigation into the incident and the settlement reached between OCR and the breached party. By the time this agreement is delivered, received and agreed to by all affected parties, the damage has already been done. Monetary fines have been imposed and the breached party's reputation has been tarnished.

The breached party has to implement the specifications relayed by OCR in the agreement. These specifications have strict timelines, forcing the organization into reactive mode immediately. The organization is now charged with running a business while containing and mitigating the effects of the breach, and at the same time remediating all deficiencies found by OCR. With resources often already limited for these efforts, the pressure on the breached organization becomes real.


Topics: Protected Health Information, Covered Entities, Business Associates, Privacy, PHI, HIMSS, Data Breach, Security, OCR, Security Framework, Breach, Healthcare Information, Data, ePHI

Healthcare Data Breaches: What Preventative Solutions Do We Have? (Spanish-language version)

February 25, 2016

In our last blog post, we discussed the significance of data breaches in the healthcare industry. Much of the attention is paid to breaches after they have occurred; what can a Covered Entity or Business Associate do to help prevent data breaches in the first place?

For many organizations that have suffered data breaches during the past year, the realization that their security controls around the handling of healthcare information, internally and externally, were inadequate has come too late. Often it does not happen until after OCR delivers its OCR Resolution Agreement, which reveals the findings of its investigation into the incidents and the resolution agreed between OCR and the breached party. By the time the agreement is delivered, received and accepted by all affected parties, the damage is already done. Monetary fines may be imposed and the breached party's reputation may be tarnished.


Topics: Protected Health Information, Covered Entities, Business Associates, Privacy, PHI, HIMSS, Data Breach, Security, OCR, Security Framework, Breach, Healthcare Information, Data, ePHI

Healthcare Data Breaches: When & How Often Do Data Breaches Occur?

February 10, 2016

Attention to how medical information is treated by Covered Entities and Business Associates has been heightened in the information security field over the last couple of years. With 2014 dubbed the “Year of the Mega Breach”, much of the concentration of information security, or lack thereof, has revolved around companies like Target and Home Depot.

With so much attention paid to these types of organizations, their security framework and how cardholder data is protected, it came as a surprise to everyone in the medical field when healthcare data breaches started occurring at the same rate the following year.

Ultimately, 2015 will be known as the “Year of the Healthcare Security Breach”, focusing both on Covered Entities and Business Associates.

Before the first half of 2015 was over, five of the eight largest security breaches ever in the medical sector had occurred. An astonishing 34% of compromised records, compared to 0.63% between 2011 and 2014, has led to a state of panic among both Covered Entities and Business Associates.

More and more Americans are becoming victims of health


Topics: HIPAA, Covered Entities, Business Associates, Health Information, Privacy, PHI, HITECH, Data Breach, Security, HIMSS16, Cardholder Data, Security Breach, Medical Information, HHS, Healthcare, Information Security

Healthcare Data Breaches: When and How Often Do Data Breaches Occur? (Spanish-language version)

February 10, 2016

Attention to how medical information is handled by Covered Entities and Business Associates has increased in the information security field over the last two years. With 2014 known as the "Year of the Mega Breach", much of the focus of information security, or the lack of it, has revolved around companies like Target and Home Depot.

With so much attention paid to these types of organizations, their security framework and how cardholder data is protected, it came as a surprise to everyone in the medical field when healthcare data breaches began to occur at the same rate the following year.

Ultimately, 2015 will be known as the "Year of the Healthcare Data Security Breach", focusing on both Covered Entities and Business Associates.


Topics: HIPAA, PHI, HITECH, HIMSS16, Covered Entities, Medical Information, Business Associates, Data Breach, Information Security, Cardholder Data, Security, Privacy, Security Breach

Healthcare Data Breaches: Who are the Key Players Enforcing PHI Requirements?

February 5, 2016

In this blog series thus far, we've addressed the following questions:

  1. Who Needs PHI to Conduct Business?
  2. Who Wants PHI?
  3. What PHI Is Beyond the Scope of HIPAA?

In today's post, I'd like to address who the key players actively enforcing the requirements surrounding protected health information (PHI) are. One of these may surprise you!

First, we have The United States Department of Health and Human Services (HHS), also known as the Health Department. It is a cabinet-level department of the U.S. federal government tasked with protecting the


Topics: Protected Health Information, HIPAA, Health Information, Privacy, PHI, HITECH, Security, HIMSS16, FTC, OCR, Office for Civil Rights, HHS, Federal Trade Commission, Unfair and Deceptive Act, Health Breach Notification Rule

Healthcare Data Breaches: PHI beyond the Scope of HIPAA

January 20, 2016

As a quick summary of the discussions through the blog series so far, PHI is individually identifiable health information that is held or transmitted by a Covered Entity or Business Associate. PHI can be in any form or medium: electronic, paper, or oral. It can include demographic information and relate to an individual's past, present, or future physical or mental health or condition, the health care services the individual received, or the payment status for those health care services.

Now, let’s discuss what PHI falls outside the scope of the HIPAA/HITECH requirements.

Although the HIPAA/HITECH requirements only apply to Covered Entities and Business Associates, it’s important to note that PHI may be redefined as personally identifiable information (PII) that applies to MANY different types of entities and different scenarios in which this information is used or disclosed for business purposes.

Exclusions from the definition of PHI stated above are education records (covered by the Family Educational Rights and Privacy Act), records as described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a Covered Entity in its role as an employer.

PHI also ceases to be considered PHI, and is thus no longer protected under HIPAA, when certain elements are removed from this sensitive information. This is called de-identification of protected health information. There are two scenarios in which this occurs:


Topics: Protected Health Information, HIPAA, Covered Entities, Business Associates, Health Information, Privacy, PHI, HITECH, Data Breach, Security, HIMSS16, Personally Identifiable Information, De-identification, Health care, PII

Healthcare Data Breaches: PHI beyond the Scope of HIPAA (Spanish-language version)

January 20, 2016

As a quick summary of the discussions in the blog series so far, PHI is individually identifiable health information that is held or transmitted by a Covered Entity or Business Associate. PHI can be in any form or medium: electronic, paper, or oral, and can include demographic information and relate to an individual's past, present, or future physical or mental health or condition, the health care services received by an individual, or the payment status for those health care services.

Now, let's discuss what PHI falls outside the scope of the HIPAA/HITECH requirements.

Although the HIPAA/HITECH requirements only apply to Covered Entities and Business Associates, it is important to note that PHI may be redefined as personally identifiable information (PII), which applies to MANY types of entities and scenarios in which this information is used or disclosed for business purposes.


Topics: HIPAA, PHI, HITECH, HIMSS16, Covered Entities, Health Care, Data Breach, De-identification, Personally Identifiable Information, PII, Health Information, Security, Privacy, Protected Health Information
