Security Planning: Regulatory Considerations

Article by Tom Olzak, CISSP, published Aug 9, 2009

In the previous sections covering security planning, we looked at understanding the business and the information it stores, processes, and shares. In this section, I’ll step through—at a high level—four common U.S. regulations which affect what controls you’ll design into your network. We’ll end the section with a short conversation about the PCI Data Security Standard, which forms the basis for the remaining sections of this manual.

HIPAA

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a Federal law regulating the privacy of individual health information. The Department of Health and Human Services (DHHS), the agency responsible for HIPAA enforcement, provides a set of simple flow charts to help you determine whether your business is a “covered entity,” that is, an entity which must adhere to HIPAA standards and guidelines. A sample chart is shown below.

[Figure: Covered Entity (CE) Flow Chart]

In general, you’re a covered entity if you meet one of the following criteria:

  • You are a health care provider that conducts certain transactions in electronic form
  • You are a health care clearinghouse
  • You are a health plan

HIPAA seeks to protect individual privacy by regulating the release of both non-electronic and electronic Protected Health Information (PHI). PHI is defined as follows:

“Individually identifiable health information” is information, including demographic data, that relates to

    • the individual’s past, present or future physical or mental health or condition,
    • the provision of health care to the individual, or
    • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) (Summary of the HIPAA Privacy Rule, DHHS, 2003).

Standards and guidelines for compliance fall under one of two rules: the Privacy Rule and the Security Rule. Together they define what covered entities are expected to do to protect the confidentiality, integrity, and availability of PHI. If you’re a covered entity, NIST SP 800-66 is a good resource for understanding the required information security controls.
