Organizations of all kinds are under pressure to secure personal information, systems, and networks. And mistakes happen. Consider the 14 million Verizon customers’ data put at risk when a user mistakenly released a database publicly online.
To raise awareness and try to keep a lid on breaches, industry watchdogs impose added security standards. In this article, we’ll address three of the most common sets of security compliance standards: HIPAA, PCI, and FDIC. We’ll discuss which organizations need to comply and what can be done to better prevent and protect your organization if you fall within one of these categories.
HIPAA Security Rule
Healthcare organizations secure a wealth of personal information, probably more than any other industry save finance. Naturally, the industry is a magnet for hackers, who are drawn to all of the personally identifying information contained in healthcare records. This might include Social Security numbers, insurance information, relationship data, payment processing details and more.
That’s why the Health Insurance Portability and Accountability Act (HIPAA) security rules require regular vulnerability scans to assess for common vulnerabilities or security weaknesses. HIPAA vulnerability assessment requirements call for healthcare entities to prevent, detect, contain, and correct security problems to protect electronic personal health information (ePHI) and manage potential risk exposure.
Any company dealing with protected health information (PHI) must comply with HIPAA’s physical, network, and process security measures. This might mean you if you’re a…
- Covered entity — those who provide treatment, payment and operations in healthcare such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, health plans, HMOs.
- Business associate— anyone with access to information and providing treatment, payment or operations support such as attorneys, CPAs, medical transcriptionists, pharmacy benefits managers.
Healthcare IT News has tracked multiple HIPAA breaches including:
- Breach of a Michigan Radiology Center computer system impacting just over 106,000 patients
- An LA Medical Center disclosing a ransomware attack involving the health information of 266,123 patients
- Unauthorized access of a Pennsylvania Women’s Health Care group with 300,000 patients’ data.
Learn more about how RedTeam can help ensure your organization is in compliance with HIPAA security standards here.
PCI Security Standards
Merchants, financial institutions, and payment processors worldwide are among the many businesses that must comply with Payment Card Industry (PCI) Security Standards. If you accept payments via debit or credit card, you’re probably included in this category.
These standards are intended not only to protect individual businesses from cyber threats, but to protect the entire payment chain ecosystem. After all, a single breach can cause many negative repercussions not just for one organization but an entire set of organizations or industry.
Possible negative impacts of not complying with PCI Security Standards include:
- Non-compliance penalties
- Compensation costs
- Revenue loss
- Damaged reputation
- Legal action
- Frequent audits
- Terminated business relationships
- Bad publicity
American Express, Discover, JCB International, MasterCard and Visa are among those protecting affiliated payment card account data as members of the PCI Security Standards Council. But any merchant or service provider handling, processing, storing, or transmitting credit card data is subject to these same standards.
Compliance is required regardless of size or number of transactions. For instance, someone processing over 6 million transactions with Visa is considered a Level 1 Merchant, but even those processing fewer than 20,000 e-commerce transactions per year are expected to validate compliance. This also includes businesses that only accept credit cards by phone or using third-party processors.
Don’t let this be you.
In one of the most well-known cases of PCI noncompliance, TJX had to pay out nearly $41 million for a data breach exposing more than 100 million bankcards to risk. In another case, Target was sentenced to $18.5 million for an infringement affecting more than 41 million consumers and leading to $440 million in lost revenue in only the first quarter after the breach.
Are you a merchant seeking to ensure a secure payment ecosystem? Learn more about our PCI compliance services here.
Finally, another high-risk sector: financial institutions. When it comes to data breaches, financial services are hit more than any other industry. That’s why financial organizations are subject to Federal Deposit Insurance Corporation (FDIC) expectations to effectively identify, measure, monitor, and manage potential risk exposure.
Even if the financial institution does not host computer services in-house and relies instead on third-party providers for computer services such as Internet banking, information security is its sole responsibility.
To remain FDIC compliant, financial institutions must maintain administration, technical, and physical safeguards to protect the security, confidentiality, and integrity of their customers’ information.
Whether the information is in paper, electronic, or another form, FDIC Security Standards require that:
- Security and confidentiality of customer information is ensured
- Threats and hazards are not only anticipated but also protected against
- Controls are in place to prevent illicit access of information
- Customer and consumer information is properly disposed.
The risks of not complying range from information disclosure or misuse to alteration or destruction; any of these would have serious compliance implications and cause both financial and reputational damages.
And it doesn’t take a high-tech hacker to bring an organization down. In fact, more than half of financial service breaches are caused by employees. That was the case in 2016 when an employee leaving the FDIC took a personal storage device containing data for 44,000 customers. Although this access was done “inadvertently and without malicious intent” it indicates the ease with which customer data can be placed at risk — even at the agency entrusted with maintaining “public confidence in the nation’s financial system.”
Reports of 54 suspected or confirmed breaches involving Personally Identifiable Information (PII) from January 1, 2015 to December 1, 2016 prompted an investigation into the FDIC by the Office of the Inspector General in 2017.
For more information on how RedTeam can help ensure compliance for financial service organizations, click here.
Penetration Testing & Compliance
Keeping up with industry security regulations can be challenging. It’s an ongoing battle. But penetration testing can help identify vulnerabilities before cybercriminals discover and exploit them.
More in-depth than the high-level automated testing of the vulnerability scan, HIPAA penetration testing confirms through manual and automated testing that the healthcare entity has a secure network and is protecting patient data, managing vulnerabilities, implementing strong access control measures, and regularly monitoring and testing networks.
PCI penetration testing will reveal real-world opportunities hackers might use to compromise POS devices, payment software, firewalls, and more.
FDIC penetration testing ensures prevention measures are evolving with the rapid growth in the Internet and networking technology. This testing discovers any areas where security policies, system architecture, firewalls, or authentic programs could stand improvement. By attempting to exploit vulnerabilities and gain network access, the testers can give financial institutions the insight needed to gain information security confidence.
Penetration Testing with RedTeam Security
Does your company need help meeting compliance regulations in one of these three industry areas? RedTeam Security has trained, qualified testers who can minimize risk and offer expert guidance to remediate any issues found.
RedTeam Security penetration testing simulates real-world attacks to confirm industry security standards compliance by:
- Identifying flaws and vulnerabilities
- Outlining an organization’s level of risk
- Reporting and helping remediate issues
Our experienced penetration testers offer businesses across industries a fresh view of their security postures. Our experts bring both a hacker and an experienced developer mindset to bear on the compliance testing. We leverage the many tools at our disposal to effectively carry out that task — just as would hackers looking to steal identities, blackmail individuals, disrupt services, or install ransomware.
The end result is a detailed report on our findings and a step-by-step walkthrough on each issue uncovered, plus the necessary guidance to effectively remediate vulnerabilities. Further, since RedTeam is committed to providing ongoing customer service, our remediation re-testing is always provided at no additional cost. We know that finding vulnerabilities is only valuable if the business is also positioned to effectively address any potential areas of noncompliance.
Ready to take the next step in improving your organization’s security posture? Answer a few questions and get a customized proposal from RedTeam delivered to your inbox.
10-Point Offensive Security Checklist
Get A Bird's Eye View Of Your Organization's Security Readiness