CHAPTER 15: PCI, HIPAA, and SOX – Government Regulatory Compliance
By NICK ESPINOSA
Welcome to the most exciting chapter in this book! Who doesn’t love to discuss government regulatory compliance? As a security fanatic who lives and breathes these standards, I actually enjoy planning, testing, and executing security solutions for PCI, HIPAA, and SOX compliance. Then, I try to break the solutions. It’s real fun for a security nerd!
Recently, one of my clients was part of the pilot program to introduce medical marijuana dispensaries across our state. These facilities are under intense scrutiny. The state is looking for anything to allow them to shutter the dispensaries and the media is eager to report anything on this newly formed industry. The need for strict adherence to HIPAA standards and security is intense and must be thoroughly verified, creating a lot of stress for the owners of these facilities. Owners must rely on their IT support to properly configure and protect their network. Otherwise, they possibly face large fines or even being shut down if the violation is severe enough.
After walking my client through the IT plan to setup and secure their data network, we worked with the contractor who was going to install their alarm system and corresponding multitude of video cameras. We completed the installation and configured the network to adhere to HIPAA and state compliances. After the install, we ran our standard penetration testing to ensure our configuration was correct and protected from the outside world.
We found an issue, a major one. The company who installed the alarm system and video cameras installed a security controller onto the network running an old operating system, one easily breached. Essentially, because this contractor required us to expose the security controller to the Internet, my HIPAA compliant client was now exposed to attack and their video cameras could have been remotely controlled by hackers or their alarm system disabled remotely. Had we not adhered to best practices for HIPAA, this client could have been compromised and we, as the IT security consultants, would have been liable for damages under the law. This experience proves a well-thought out plan, along with execution and testing, is critical to ensure compliance is properly implemented.
Along with HIPAA, PCI and SOX are two other major laws which set standards for government compliance. Each has common themes in terms of security configuration and standards but also very notable differences. All three require planning and implementing a specific IT infrastructure in order to be compliant. There are many other government compliances out there; SEC for financial traders, ITAR for arms trafficking control and on and on. These three compliances, HIPAA, PCI, and SOX, were chosen because they’re broad in scope and also have planning phases that are rather similar to most government compliance standards out there.
To begin with, HIPAA, the “Health Insurance Portability and Accountability Act,” is the governing standard for all medical facilities dealing with patient information. HIPAA was enacted in 1996 and is an umbrella law covering patients’ rights. It was designed to fight discrimination based on health status and to ensure sensitive medical data is protected and under the patient’s control. Traditionally, the government only investigated HIPAA violations when reported to HIPAA’s governing body. That recently has changed. Thanks to the HITECH Act of 2009, there is a new standard for electronic medical records, their storage, and how to protect them. No longer will HIPAA wait for violators to be reported. There is now an army of HIPAA auditors proactively checking on medical practices to ensure proper adherence to the law. As of 2015, medical practices face severe penalties or loss of license for violations.
PCI is the largest in terms of the number of companies falling under the standard. PCI, formally known as PCI DSS, stands for “Payment Card Industry Data Security Standard.” Launched in 2004, PCI’s primary goal is to create a compliance standard to ensure any company accepting credit cards is properly securing the data collected on customers. Any merchant accepting credit cards is required by law to adhere to PCI compliance and is susceptible to audits by the PCI governing body. Penalties can include steep fines and even a revocation of the privilege to accept credit cards. PCI is an evolving standard, with new versions of security software, solutions, and appliances constantly emerging to combat the versatility of hackers. Therefore, constant testing and verification of PCI security standards is vital.
SOX is the smallest of the three compliances, in terms of population of companies required to adhere to the compliance. It also happens to be the most comprehensive and aggressive standard of the three. A former client once told me going through a SOX audit is “the equivalent of having a root canal while being examined by your proctologist.”
SOX is the “Sarbanes-Oxley Act” enacted in 2002 in the wake of the Enron and WorldCom scandals. Primarily, it is directed at publicly-held corporations, though some private corporation provisions are there as well. Both types of corporations are required to create internal standards and procedures for handling and reporting financial information. From an IT perspective, this requires the entire network to be configured in a way that demonstrates compliance to every aspect of SOX. Failure to do so, or failing to have the redundancies needed to ensure mitigation in failure of data retention, will result in millions of dollars of fines and a possible shuttering of the corporation.
Before we dive into how to secure a network or infrastructure, it is important to understand the approach each governing body takes in terms of testing their respective compliance. Though they often look for similar items and configurations, the goal and focus of each is different.
PCI cares less about how the entire network is configured. Instead, it focuses on specific entities which fall under their jurisdiction; the protection of credit card user information. They want to ensure the database storing the information is properly secured from illegal access by users on the network, as well as hackers. Further, they must ensure any public facing entities which accept credit cards are secured and running the latest versions of software and security certificates. The basic testing for PCI compliance includes penetration testing of all public facing entities to ensure the surface area for attack is minimal. SSL/TLS certificates are checked, ecommerce software is checked to ensure there are no known vulnerabilities, and in-transit encryption is verified. A comprehensive PCI test will also include verification of at-rest encryption of the credit card processing database to ensure it cannot be illegally duplicated, as well as looking into the security policy, planning, and management of the systems.
HIPAA focuses on the avenues of user access at a medical practice to patient records and includes things like checking to make sure all users have a unique username and password for auditing purposes and remote access to HIPAA compliant data, how patient records are moved from location to location (physically and virtually), penetration and vulnerability testing, backup encryption verification, and more. Basically, any way a human could accidentally or intentionally disclose protected patient data is investigated. Even conversations between practitioners regarding patients is regulated, as well as how computer monitors are oriented in regards to eavesdropping by non-authorized individuals, such as other patients, within the facility. With new facilities, HIPAA auditing will include all of the above as well as inspections for privacy partitions, how rooms with compliant information are protected from non-authorized personnel, vulnerabilities in the data network, such as weak wireless security or guest access that is not properly isolated from the private network.
SOX is all about the paper trail and history. Because a company is required to create a process for control and data retention, a SOX audit is extremely comprehensive and will focus on how data is being entered, stored, and retained. A SOX audit is like an IRS audit on steroids! An external SOX auditor, not to be confused with a company’s internal staff auditor (or paid contractor in some cases), seeks to verify all data, as it relates to the finances of a corporation, is readily available and verifiable as untampered with from the time of input. Gaps in the data are cause for serious concern and serve as red flags for a SOX audit, so ensuring retention is thorough and highly redundant is a must. Data, or business records, has a very broad definition within SOX and includes not only financial accounting records but any paperwork pertaining to finance,
including email, recorded conversations, and directives to change financial information. SOX also requires the longest length of history in data retention. Similar to SEC compliance, SOX requires all data be archived and retained for no less than seven years. Some records, such as bank statements, charts of accounts, contracts, employee payroll records, legal correspondence, training manuals, and even union agreements must be kept permanently.
Now that you have a thorough overview of PCI, HIPAA and SOX it is time to take action! While it may seem overwhelming, following these eight steps across your network and systems can ensure compliance to PCI, HIPAA, and/or SOX:
1. Create a baseline of understanding of your network status prior to ensuring compliance. There are several testing tools available which allow you to run a basic compliance audit to determine vulnerabilities. These tools go a long way to helping understand just how much, or little, work is needed to bring the network up to code.
2. Have an excellent backup schema, which includes back up and archive of data onsite and offsite, and conduct periodic restore tests. Onsite will ensure quick and easy access to backups and offer the best performance when recovery is needed. Offsite provides disaster recovery in case of catastrophic failure of the infrastructure or destruction of the business site (fire, tornado, flood, etc.). Data loss can be tantamount to malfeasance in the eyes of a government audit, so this step is critical to achieving compliance.
3. Encrypt data, and the platforms it resides on, to protect against loss, theft or malfeasance. A theft or loss of more than fifty HIPAA compliant records constitutes a breach that must be reported to HIPAA, as well as local media and all patients within the practice. Theft of PCI compliant data can result in the loss of ability to accept credit cards. Loss of data in SOX is a violation of the data retention policy and can cost the company the right to conduct business. In each case, it’s possible the business could be liable for millions of dollars in fines and damages, not to mention the loss of reputation.
4. Ensure passwords are unique and complex enough to withstand attack, for all network appliances and servers. Make sure all users on the network, from the janitors to the CEO, have a unique login and are set to be fully audited for any actions performed on the network.
5. Enable Two Factor Authentication (2FA) whenever it is available with no exceptions. This helps to ensure that no one can spoof a user both inside and outside of the network. 2FA uses a security device or cell phone to send a unique code that must be typed in when the user logs in. Don’t have the device or phone in your possession and you cannot login.
6. Maintain a security posture that minimizes the surface area for attack by a hacker. This means closing ports in a firewall that don’t need to be opened, not allowing remote access to network appliance consoles, accessing all data through an IPSec VPN when remote, isolating the public facing servers from the private ones, and creating a Unified Threat Management (UTM) profile for the network so threats and attacks can be analyzed quickly and dealt with in real time.
7. Retain the services of a skilled consultant who is well-versed in the compliance standard your corporation requires. Not all IT consultants are the same, nor do they all have the same breadth of knowledge. Hiring a consultant without a background in compliance means critical pieces of the compliance puzzle could be missed. A good consultant will be well-versed in the regulations that pertain to your business, will be able to develop a complete plan for IT compliance, and make choices throughout their tenure to keep the focus on properly maintaining these compliances.
8. Periodically test adherence to compliances and standards to ensure nothing has changed or been missed. The government loves to add addendums and make changes to the compliances. This can add an ever-increasing level of complexity to an existing network as a once compliant network can change to non-compliant within a short period of time.
While the aforementioned steps apply to all three compliance standards, each compliance standard has specific components requiring specific attention. The following details actions to take in order to comply to PCI, HIPAA, or SOX individually though all these points are good advice for everything.
- Conduct penetration testing of the public-facing web server to identify and close any open firewall ports and holes.
- Ensure SSL/TLS certificates are up to date and running the latest versions. There is no excuse for running an outdated certificate or one which is only secured using SHA-1 instead of the newer SHA-2 standard.
- Ensure public facing software and hosting infrastructure is patched to current, and maintain vigilance in keeping it up to date.
- Restrict physical access to credit cardholder data from employees, except those explicitly authorized to access it. Make sure the legitimate access to information is logged by user ID.
- Enable Full Disk Encryption on all mobile devices with access to HIPAA compliant data.
- Check the physical layout of monitors, computers and kiosks to ensure no un-authorized individuals can view or access HIPAA compliant data.
- Design proper physical structure to protect the on premise equipment from theft or illegal access.
- Identify all data classifiable as “business records” and create a plan to back up and archive it, along with any revisions made to the data. This could potentially mean scanning hand written documents into your network.
- Hire an internal auditor to create and execute a plan to ensure all aspects of SOX are followed. Due to the complexity and broad scope of SOX, an internal auditor is essentially required to bring the business up to compliance. An external auditor is then hired to verify the work of the internal auditor. These auditors should work closely with IT to ensure nothing is left out of the security and compliance policy.
- Create zones of access so employees only have access to what they need. An internal auditor should help to ensure these zones are properly in place and in use.
Good news, you made it to the end of the chapter! That wasn’t so bad, was it? Now you are well on your way to ensuring your PCI/HIPAA/SOX compliant company is up to date and secured in a manner that makes you government-friendly AND ensures your data is safe and secure.
For over 25 years, Nick Espinosa has been on a first name basis with computers. By the time he was twelve, he was building computers and programming in seven different languages. At fifteen, after achieving multiple tech certifications, he landed his first job in the IT field and at nineteen founded Windy City Networks, Inc. After 15 successful years, and numerous compliance certifications, Nick joined forces with BSSi2 as the CIO and Chief Security Fanatic in 2013.
As an expert in security and network infrastructure on every platform, Nick has consulted with clients ranging from a few computers to the Fortune 100 level. He has designed, built, and implemented multinational networks, encryption systems, and multi-tiered infrastructures as well as small business environments. He is passionate about emerging technology and enjoys keeping current by creating, breaking, and fixing test environments.
An industry thought leader, Nick is sought after for his advice on the future of technology and how it will impact every day businesses and consumers. Nick is a public speaker and has been quoted in Forbes, American Express, CIO, EnterpriseTech, ITWorld, ComputerWorld, Solutions Review, InfoSec, CSO and other publications regarding various technology and business leadership topics. He is also a columnist for SmartFile, writing regularly on security, technology and the future.
You can connect with Nick at:
- Email: email@example.com
- Twitter: @NickAEsp
- LinkedIn: /in/nickespinosa
- SmartFile: smartfile.com/blog/author/nespinosa/