A Guide To Data Security Compliance Standards
As more of daily life moves online, personal information is increasingly collected, stored, and shared digitally. Companies that hold this information are therefore expected to protect it against unauthorized access and data breaches. This article looks at three frameworks that set those expectations: GDPR for personal data in the European Union, HIPAA for health information in the United States, and PCI DSS for payment card data.
GDPR (General Data Protection Regulation) is a European Union (EU) regulation governing the privacy and protection of personal data of individuals in the EU. It applies to any organization that processes such data, wherever the organization is based, and it restricts transfers of personal data outside the EU so that individuals keep control over how their data is used. It also gives individuals rights over their data, such as access, correction, and erasure. The regulation was adopted in April 2016 and becomes enforceable on 25 May 2018.
This type of regulation matters because business is increasingly global. Since so much business is done online, companies routinely work with customers and partners all over the world, and it can be tempting to use customers' data to the company's advantage, for example by selling personal information to third parties. Because GDPR applies to any company that offers goods or services to people in the EU or monitors their behaviour, compliance is a precondition for doing business there.
The advantage of the regulation is that it provides one legal framework for personal data across all EU member states, replacing the patchwork of national laws that preceded it. GDPR does not prescribe specific technical protocols; instead it requires organizations to implement security appropriate to the risk, to build privacy into systems by design and by default, and to document how they handle personal data. A single set of rules is particularly useful for companies in countries like the United States that do business with several EU countries and would otherwise have to reconcile multiple sets of requirements.
However, the regulation is not merely a gesture toward protecting people. Because it is law, it is enforceable by each member state's data protection authority. Companies that fail to comply are subject to substantial fines, up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher, and must notify the authority of personal data breaches, generally within 72 hours. These consequences mean that citizens' data is protected by all companies, not just those that choose to take security seriously.
HIPAA (Health Insurance Portability and Accountability Act) is United States legislation that, through its Privacy Rule and Security Rule, protects the confidentiality of patients' protected health information (PHI) when it is handled by healthcare providers, health plans, and the business associates that process data on their behalf.
HIPAA limits how PHI may be used and disclosed: providers may share records for treatment, payment, and healthcare operations, but most other disclosures require the patient's written authorization. The Security Rule adds administrative, physical, and technical safeguards for electronic PHI, such as access controls, audit logging, and encryption. HIPAA has become even more important in recent years because more hospitals and clinics store patient information in electronic health records.
Even though HIPAA puts rules in place for managing data security, there have been numerous recent breaches. These breaches underline the need for actual compliance with the required safeguards, not just their existence on paper.
- A breach occurred at Henry Ford Health in October 2017, which led to the theft of data of more than 18,000 patients.
- Within one year, Augusta University Medical Center was hit by two phishing attacks, although the second exposed the data of less than one percent of its patients.
- In July 2017, more than 100,000 patients were impacted by a cyber attack. The cyber attack breached medical files, images, and patient details.
- Pacific Alliance Medical Center, based in Los Angeles, was hit by a ransomware attack in June. This resulted in the breach of information of more than 250,000 patients.
- Many more attacks occurred, breaching the data of millions of patients in the United States.
It is clear from these attacks that there is a need for greater security to protect patients’ data.
The purpose of HIPAA is protection, but the breaches above indicate that the rules alone are not enough. The HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 was designed to promote the meaningful use of information technology in healthcare, including electronic health records; it also strengthened HIPAA enforcement by introducing tiered civil penalties and a breach notification requirement. Even so, without the appropriate security controls and care providers that actually implement them, patient data remains vulnerable. Since technology is now integral to healthcare, it is likely that enforcement and penalties for HIPAA violations will continue to tighten.
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements for protecting cardholder data whenever payment cards are processed, stored, or transmitted. This covers credit, debit, and prepaid card transactions. The first version was released in 2004 by the major card brands, American Express, Discover, MasterCard, Visa, and JCB, which later formed the PCI Security Standards Council to maintain it.
The standard groups its twelve requirements under six control objectives that together define compliance with PCI DSS:
- Build and maintain a secure network and systems (firewalls, no vendor-default passwords)
- Protect stored cardholder data and encrypt it when it crosses open, public networks; sensitive authentication data such as the CVV must not be stored after authorization
- Maintain a vulnerability management program, keeping anti-malware protection and system patches up to date and developing applications securely
- Implement strong access control measures, restricting access to cardholder data to those who need it and identifying every user uniquely
- Regularly monitor and test networks, including logging access to cardholder data and running vulnerability scans and penetration tests
- Maintain an information security policy that applies to all personnel of the entities involved
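The second objective is the one most directly visible in application code: a system may keep a masked form of the primary account number (PAN) for display, may keep a token or keyed hash of it for lookups, and must discard the CVV once the transaction is authorized. The following script illustrates that handling. It is an added example, not code from the original article or from the PCI Security Standards Council; the card numbers are constructed test values (4111 1111 1111 1111 is a widely used test PAN) and the token key is a placeholder that a real deployment would fetch from a key-management service or HSM.

```python
import hashlib
import hmac
import re

# Constructed sample records, not real cards. The first is a well-known test
# PAN that passes the Luhn check; the second has a corrupted check digit.
SAMPLE_RECORDS = [
    {"pan": "4111 1111 1111 1111", "expiry": "12/26", "cvv": "123"},
    {"pan": "4111111111111112", "expiry": "12/26", "cvv": "999"},
]

# Placeholder key for illustration only. PCI DSS requires hashed PANs to use a
# keyed hash: with the first six and last four digits visible in the masked
# form, an unkeyed SHA-256 of a 16-digit PAN leaves only a million candidates
# to brute-force.
TOKEN_KEY = b"example-key-material-not-for-production"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check and has a
    plausible PAN length (13 to 19 digits)."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes and reject anything that is not a valid PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not luhn_valid(digits):
        raise ValueError("invalid PAN")
    return digits


def mask_pan(pan: str) -> str:
    """PCI DSS masking: display at most the first six and last four digits."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(pan: str) -> str:
    """Keyed hash of the PAN, usable as a stable lookup token without
    storing the PAN itself."""
    digits = normalize_pan(pan)
    return hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()


def store_record(record: dict) -> dict:
    """Build the only form of the record that may be persisted after
    authorization. The clear PAN and the CVV are deliberately dropped."""
    return {
        "pan_masked": mask_pan(record["pan"]),
        "pan_token": tokenize_pan(record["pan"]),
        "expiry": record["expiry"],
    }


def process(records):
    """Split incoming records into persistable records and rejected PANs."""
    stored, rejected = [], []
    for rec in records:
        try:
            stored.append(store_record(rec))
        except ValueError:
            rejected.append(rec["pan"])
    return stored, rejected


if __name__ == "__main__":
    kept, bad = process(SAMPLE_RECORDS)
    for row in kept:
        print(row)
    print("rejected:", bad)
```

Running it prints one persistable record containing only the masked PAN, the HMAC token, and the expiry, and reports the second PAN as rejected. The point of the structure is that the CVV never reaches `store_record`'s output, so there is no code path that could accidentally write it to a database or a log.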
As technology has advanced, the standard has been updated to protect cardholder data more effectively. A related improvement on the card side is the move to chip (EMV) cards, used in Europe for many years and only recently adopted in the United States. A chip card generates a unique cryptogram for each transaction, so data captured at the point of sale cannot be replayed to make a counterfeit card, which is exactly the attack that skimming a static magnetic stripe enables.
It should be noted that no US federal law requires businesses to comply with PCI DSS; it is a contractual obligation imposed by the card brands and acquiring banks. Some state laws do reference PCI DSS or require similar measures, which makes compliance beneficial beyond the contractual requirement.
Ultimately, the standard is designed to protect cardholder information, but compliant businesses are protected as well. If an attacker breaches a system and accesses cardholder data, one of the first questions asked is whether the company had reasonable protections in place. Demonstrated adherence to PCI DSS shows that the company did what was expected of it. It may not absolve the company of all responsibility, but it shows that the company was not negligent, which matters for fines, liability, and the ability to keep accepting cards.
Without appropriate security, including regular updates and testing, people's data is vulnerable. Since technology is an essential part of society, security must be too. Through widely adopted standards like GDPR, HIPAA, and PCI DSS, businesses and other organizations can protect people's information so that technology can continue to make life easier.