There are certain industry standards every business firm is expected to meet. The bigger the organization and the wider its global reach, the more areas there are in which it must adhere to standards and the longer the list of requirements it must implement. In order to do business and sustain itself, every organization has rulebooks that it follows or is compelled to follow. Some of these are merely structural norms for uniformity, while others may be needed to do business legally and lawfully. Each of the security and compliance models targets specific areas.
The models that are legally binding are much stricter, as non-compliance may lead to a penalty. On the other hand, the checklist or rule-based approach is more of a structural placeholder: it can be generic and broad, and the organization can customize it to match its own requirements after implementing the minimum required components. The purpose of this case study is to analyze the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and the EU General Data Protection Regulation (GDPR) as security and compliance models, to justify the analysis with relevant information, and to differentiate them as risk-based, checklist-based or hybrid models.
HIPAA is a complex law designed to protect patient privacy as well as the integrity of the medical practice. The Health Insurance Portability and Accountability Act (HIPAA) came into force in the year 1996. It contains the following three main elements: Medicaid Integrity Program/Fraud and Abuse, Administrative Simplification, and Portability. HIPAA is a compliance regime that protects patients' sensitive data.
The HIPAA Security Rule has three components, namely the physical safeguards, the administrative safeguards, and the technical safeguards. It operates in the health care sector and is regulated by the government. It is a compliance-based model. Security and risk tools such as the HHS Security Risk Assessment Tool, the NIST Cybersecurity Framework for HIPAA, and the FTC guidance on medical identity theft are used for HIPAA compliance. The entities subject to HIPAA are known as Covered Entities and include any organization that provides treatment, payment, and health care operations.
Covered Entities include doctors and their offices, hospitals, pharmacies, insurance companies, HMOs, and business associates. Some common violations of HIPAA are practices like posting patient photos on social media, hospital staff accessing patient information they are not authorized to see, and mishandling of patient records. The federal fines for noncompliance are huge and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation. They are based on the level of perceived negligence found within the organization at the time of the HIPAA violation. Hence HIPAA is a compliance-based structure. The regulator set HIPAA up as compliance-based because not following it has serious repercussions, including privacy breaches.

The Payment Card Industry Security Standards Council established and maintains the Payment Card Industry Data Security Standard (PCI DSS) to combat the astounding fraud and theft in all trading that deals with sensitive digital payment information for consumer transactions.
This may include processing, storing, and transmitting the data. PCI DSS provides guidance for maintaining security. These guidelines set the technical and operational specifications for businesses processing or receiving payment transactions. The standard also caters to the software developers and manufacturers of applications and devices used in payment transactions. PCI DSS falls into the checklist or rule-based category of security compliance. It operates in the e-commerce and banking sectors. The regulator, as mentioned earlier, is the Payment Card Industry Security Standards Council. The standard includes twelve checklist requirements with the following goals: maintaining a vulnerability management program, protecting cardholder data, implementing strong access control measures, regularly monitoring and testing networks, building and maintaining secure networks and systems, and maintaining an information security policy. The idea behind the creation of this compliance standard is that the regulators wanted a set of guidelines for protecting their own interests as well as those of the customer.
The main reason for the creation of the PCI DSS is to protect payment card data from criminal threats, to minimize data breach risk for merchants of all sizes, and to prevent potential liabilities. The PCI DSS addresses consequences such as loss of customer confidence in secure payments leading to loss of sales, the cost of reissuing payment cards, fraud losses caused by compromised payment card data, legal costs, settlements and judgments, and fines and penalties. PCI DSS is set up as a checklist-based framework because maintaining payment security is serious business, and hence it is vital that there be a common rulebook that every entity involved in the transaction follows diligently.

In the year 2012, the European Commission made plans to create data protection reforms across the European Union. One of the key reforms was the introduction of the General Data Protection Regulation (GDPR). EU GDPR affects every sector where digital data is handled, from healthcare and e-commerce to banking. It is a hybrid of the risk-based compliance and checklist models.
It is applicable not only to businesses in the EU but also beyond, in other countries, as the same data may be channeled by the business across the globe. The regulators of GDPR compliance are the European Parliament and the Council of the European Union, i.e. the government. The regulation applies if the data controller or the data subject (the person) is based in the EU. Under certain conditions, the regulation also applies to businesses based outside the EU if they use the personal data of a person living in the EU. The regulation does not apply to the processing of data by a person for a private reason that has no connection to any business whatsoever. Structurally, the GDPR consists of 99 articles, grouped into 11 chapters, and an additional 171 recitals with explanatory remarks. Since it has a framework as well as a checklist, it fits into a hybrid compliance model. Since it applies to the majority of industries and is not limited to a few, it makes more sense to classify it as a hybrid model. It enforces certain regulations but at the same time gives organizations scope to add more of their own rules as deemed fit for their business sectors.
This case study started with the elaboration, structure, and sectors of each of the security models: HIPAA, PCI DSS, and EU GDPR. While HIPAA is legally binding in its respective domain of healthcare, PCI DSS is more of an industry standard that has come about from the payment card industry's need to reduce legal, operational and sales costs and to drive customer confidence. EU GDPR, on the other hand, is for the protection of sensitive data and is not tied to one particular sector. In fact, its website says that it is valid in any sector where data is involved. For HIPAA there are many risk-based frameworks available to assess and manage risk and to implement controls and policies for information security. EU GDPR has tools and templates that businesses need to adhere to. PCI DSS provides specific and clear guidelines, essentially a checklist, and is much easier to implement and audit.