Table of Contents
Introduction
Information is an asset of every organization and information management plays a crucial role in an organization’s ability to compete in the marketplace. An important aspect of protecting critical electronic information is to implement appropriate security frameworks because they reduce risk and the organization’s exposure to vulnerabilities. There are a number of industry-specific security standards such as PCI, HIPAA, and GDPR to name a few. The purpose of this case is to categorize the above security models as risk, checklist or hybrid frameworks with the help of examples.
Classification
HIPAA
HIPAA is a Hybrid security framework. Health Insurance Portability and Accountability Act (HIPAA) covers standards related to health insurance coverage and the privacy of health-related information. It is a combination of checklist and risk-based models. It is classified as a Hybrid framework because the healthcare data spans across HIPAA Covered Entities such as – health care providers, insurance companies, law firms, and health care clearinghouses. These are entities that use Protected Health Information (PHI) on a regular basis. Business Associates are also covered by HIPAA. These are entities who provide third-party services and activities for Covered Entities during which these business associates will encounter PHI. Since there are so many types of covered entities that are impacted by HIPAA, there is no standard set of “must-do” checklist for every single entity. Every safeguard of HIPAA is “required” unless there is a justifiable reason not to implement the safeguard.
PCI
PCI is a Checklist framework. The Payment Card Industry (PCI) targets to bolster the payment account data security. Any entity such as a merchant, internet vendor or online retailer that stores or processes cardholder data is required to comply with the PCI Data Security Standard to protect the private information of cardholders during transactions. The PCI data security standard consists of 12 elements that govern the secure transmission of digitally transmitted credit card data. These 12 elements are further broken down into subcategories of requirements and testing procedures to meet the requirements. These requirements are clearly set out in a checklist for entities that process credit card information, regardless of the entity size, structure, or specialty – enabling an organization to meet the compliance needs of their clients. PCI is unique from the other frameworks – while others leave much up to subjective interpretation, PCI is a set of requirements that address actual threats and the identified inherent risk to payment data.
127 our experts are availableright now
GDPR
GDPR falls under the category of a Hybrid security framework. The main focus of GDPR is the protection of personal data and digital privacy of European data subjects. Privacy is a risk-based problem. GDPR has a specific set of broad objectives with guidelines. There is no one-size-fits-all formula for all organizations. GDPR also aims to ensure substantial protection for data subjects against risk with a defined list of guidelines. Hence, GDPR is a hybrid security framework covering both risk and checklist, which proves that compliance is not merely a box-ticking exercise but it is about ensuring that personal data is sufficiently protected.
Examples
HIPAA
With HIPAA’s current hybrid approach, a medical billing/claims processing company working for a hospital can customize their approach to email encryption recommendations to their law firm client. This billing company can work with a vendor that allows the user to choose whether or not their email content contains patient healthcare information and if the user needs to send that particular email encrypted. The same company may be working with a dental office that insists that all email correspondence leaving his office be encrypted as to cover his or her bases with HIPAA compliance. All email at the dental office could then be configured to send encrypted only. Both of these approaches allow scalability to remain compliant under HIPAA’s security standards. The hybrid approach of listing the rules and allowing for scalability allows the claim processing company to research and implement individual client based solutions to meet their HIPAA compliance needs. There is no mandatory checklist which is set in stone for every covered entity to follow.
PCI
PCI DSS directly applies to the protection of payment card data and was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. For example, if a new clothing store decides to accept American Express (Amex) credit cards in their business, they must meet the 12 PCI DSS requirements across 6 different areas. Once they are compliant with PCI DSS, they need to find their merchant level with Amex (depending upon the number of transactions the merchant processes per year with Amex) and go through the validation process.
GDPR
GDPR compliance requires a checklist of security controls an organization must have in place to be ready for GDPR, but not everything is set in stone. The hybrid framework of GDPR can be understood from an example of pseudonymous data. Pseudonymization is “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information”. This may include field level encryption in databases, encryption of entire data stores at rest, as well as encryption for data in use and in transit. Pseudonymization is something the GDPR “advises” but doesn’t require. Although pseudonymized data still falls within the scope of the regulation, some provisions are relaxed to encourage controllers to use the technique. E.g. in its PII implementation for GDPR, Microsoft applies de-identification and pseudonymization internally, wherever appropriate, to provide additional privacy safeguards for personal data.
Summary
The choice to use a particular IT security framework can be driven by multiple factors. If an organization processes credit cards then it is required to meet the PCI/DSS controls. If the organization handles electronic Personal Health Information (PHI) then it should meet the HIPAA regulations. The ultimate goal of the GDPR is to facilitate digital economy and build a strong foundation for trust in the Internet. Adopting security frameworks go a long way to help organizations achieve compliance. The key asset that a security framework helps to protect is an organization’s data — and the value of every organization is in its data.
