
Data Security & Compliance:

HIPAA, GDPR, PCI-DSS

Whether we like it or not, our personal data is constantly being gathered and, very often, stored electronically. The recent scandal around Facebook and Cambridge Analytica highlights just how exposed that data is and how much depends on it being handled and used responsibly.

Three notable examples of laws and standards that governments and industry have put in place to protect personal data are HIPAA, GDPR, and PCI-DSS. This post looks at these data security and privacy regimes and at how Axilient’s Velocity Platform can help support compliance with them.

 

HIPAA Privacy and Security Rules

The main motivation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was to improve health care efficiency and patient outcomes by encouraging the flow of health information in the US. At the same time, HIPAA mandated national standards to protect the privacy and security of personal health information. Compliance with the Privacy Rule has been required for most covered entities since April 2003, and with the Security Rule since April 2005 (small health plans were given an extra year in each case).

HIPAA applies to all “covered entities”: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions such as claims and eligibility checks. It also applies to the business associates of covered entities, i.e., individuals or organizations contracted to perform functions involving protected health information on the covered entity’s behalf but who are not part of its workforce.
The Privacy Rule is broader than the Security Rule in that it protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate in any form or medium: electronic, paper, or oral. This protected health information (PHI) includes information about an individual’s past, present or future physical or mental health or condition, the health care provided to the individual, and payment for that care, together with identifiers such as the patient’s name, date of birth, Social Security number, and home address. To encourage health care research, the Privacy Rule places no restrictions on the use or disclosure of health information that has been de-identified, either by removing the identifiers listed in the Rule’s “safe harbor” method or through a documented expert determination that the risk of re-identification is very small.
The Security Rule applies only to PHI that is held or transmitted electronically (e-PHI). It requires covered entities and their business associates to implement appropriate administrative, physical and technical safeguards to:
 

  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.
  • Identify and protect against reasonably anticipated security threats.
  • Protect against reasonably anticipated, impermissible uses or disclosures.
  • Ensure compliance by their workforce and business associates.

All of these have to be satisfied before any cloud storage can be called HIPAA-compliant. The Office for Civil Rights (OCR) within the Department of Health and Human Services enforces HIPAA. It can impose civil monetary penalties for non-compliance ranging from $100 to $50,000 per violation, depending on the level of culpability, up to an annual cap of $1.5 million for all violations of an identical provision (2018 figures; the amounts are adjusted for inflation). In February 2018, for example, Fresenius Medical Care North America agreed to pay $3.5 million to OCR to settle five 2012 breaches in which it had failed to comply with HIPAA’s risk analysis and risk management requirements.
 

GDPR Data Protection

The General Data Protection Regulation (GDPR) was adopted by the European Union to strengthen and harmonize personal data protection law across its member states. Directly applicable since May 25, 2018, it is a comprehensive set of binding rules that recognizes that different kinds of personal data require different levels of protection. Special categories of data, such as health, biometric and genetic data, and data about criminal convictions, are subject to the strictest conditions. Scale matters too: organizations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special-category data, must appoint a Data Protection Officer, and every organization is answerable to its national Data Protection Authority.

GDPR applies to any organization, wherever it is based, that processes personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour. Organizations outside the EU that fall under it must generally appoint a representative in the EU and are liable for the same fines and sanctions as EU-based ones.
Some of the key requirements of the GDPR are:
 

  • Lawful basis and consent: Every processing activity needs a lawful basis. Where that basis is consent, the consent must be freely given, specific, informed and unambiguous, and for special categories of data it must be explicit; pre-ticked boxes and silence do not count.
  • Purpose limitation and data minimization: Responding to years of gratuitous collection of personal data by apps with no clear purpose in mind, the GDPR stipulates that personal data may only be collected for specified, explicit purposes, and only to the extent that it is adequate, relevant and necessary for those purposes. If an organization gathers personal data for one purpose and later decides to use it for another, incompatible purpose (such as consumer profiling), that is non-compliance.
  • Individual rights: Another key feature of the GDPR is the clear set of rights it gives data subjects (the individuals whose personal data is processed): to be told why their data is collected and how it is processed, to access it, to have it corrected, to object to processing, and to have it erased (the “right to be forgotten”). They also have the right to be notified individually when a breach of their personal data is likely to result in a high risk to their rights and freedoms.

One of the most distinctive aspects of the GDPR is its “teeth”. Fines come in two tiers: up to €10 million or 2% of worldwide annual turnover, whichever is higher, for infringements such as failing to keep processing records, to notify breaches, or to appoint a required Data Protection Officer; and up to €20 million or 4% of worldwide annual turnover, whichever is higher, for infringing the basic processing principles, data subjects’ rights, or the rules on international transfers. Just as painful is the power of Data Protection Authorities to impose a temporary or definitive ban on a company’s processing of personal data, for example while a suspected infringement or breach is being investigated.

 

PCI-DSS Requirements

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security requirements developed by the major card brands to protect cardholder data. Unlike HIPAA and GDPR, which are government regulation, PCI-DSS is a contractual obligation: the standard is maintained by the Payment Card Industry Security Standards Council (PCI SSC), an independent global body founded in 2006 by Visa, Mastercard, American Express, Discover and JCB, and it is enforced through the card brands’ and acquiring banks’ agreements with merchants.


PCI-DSS applies to every merchant and service provider that accepts, processes, transmits or stores cardholder data. The validation burden differs by compliance level, which the card brands assign according to the number of card transactions a merchant has handled over the previous twelve months. The standard itself consists of twelve requirements grouped under six control objectives:


1. Build and Maintain a Secure Network and Systems
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy

It is the merchant or organization that is held responsible for the security of the cardholder data it collects and holds, even if it uses a third-party company to handle card payments; using a compliant service provider reduces the scope of the merchant’s own assessment but does not transfer the responsibility. There are two main ways in which a merchant is expected to validate its PCI-DSS compliance:
Quarterly vulnerability scans: Any merchant or organization with Internet-facing systems in scope for PCI-DSS must have those systems scanned at least quarterly by an Approved Scanning Vendor (ASV), as required by Requirement 11.2.2, and must obtain a passing scan. The scan is remote and non-intrusive: it probes the Internet-facing applications and networks for known vulnerabilities in operating systems, applications and devices that an attacker could use to gain unauthorized access to the cardholder data environment. Quarterly internal vulnerability scans are required as well, though those need not be performed by an ASV.
Annual assessment: Merchants that process fewer than six million card transactions per year (levels 2 to 4 in the card brands’ programs) validate compliance annually with a Self-Assessment Questionnaire (SAQ) and, for some levels and brands, a Report on Compliance (ROC). Merchants that process more than six million transactions per year (level 1) must have an annual on-site assessment, performed by a Qualified Security Assessor (QSA) certified by the PCI SSC or by a trained Internal Security Assessor, and submit a ROC. The exact thresholds and validation requirements are set by each card brand and by the merchant’s acquiring bank.
Non-compliance with PCI-DSS can result in fines levied on the acquiring bank, commonly cited as $5,000 to $100,000 per month, which the bank usually passes on to the merchant. In addition, the bank may terminate its relationship with the merchant or raise transaction fees considerably. Should a data breach become public knowledge, the merchant also bears indirect costs from damage to its reputation on top of the direct costs of investigation and remediation.