112 What Every Engineer Should Know About Cyber Security
6.2.1 The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA addresses safeguarding electronically protected healthcare information (EPHI). EPHI includes information that a business creates, receives, maintains, or transmits. EPHI “must be protected against reasonable anticipated threats, hazards, and impermissible uses or disclosures” (Scholl et al. 2008). The entities that need to follow HIPAA (healthcare providers, health plans, healthcare clearinghouses, and Medicare prescription drug sponsors) need to ensure that the security triad (confidentiality, integrity, and availability) of the electronic healthcare information is maintained. The HIPAA standards outlined in the National Institute of Standards and Technology (NIST) special publication 800-66 present all of the considerations when applying the HIPAA security rule: administrative safeguards, physical safeguards, technical safeguards, organizational requirements, policies and procedures, and documentation requirements. The following list contains ten steps to HIPAA security (Kibbe 2005):
1. Understand the importance of computer security.
2. Make sure the entire organization understands the seriousness of securing EPHI.
3. Catalog all the information system components that interact with EPHI.
4. Prepare so that the security triad is ensured. Do not wait for the disaster.
5. Secure your network.
6. Update antivirus protection.
7. Consider which communication needs to be encrypted.
8. Consider the “chain of trust”* between business partners (insurance companies, billing services, hospitals, labs, and ISPs).
9. Demand that your vendors (products and services used) understand HIPAA.
10. Have a plan with your goals and needs in mind.
6.2.2 The Payment Card Industry Data Security Standard (PCI-DSS)
The goal of PCI-DSS is to optimize the security of debit and credit card transactions by reducing fraud and protecting the personal identity information of the card holders. The PCI Security Standards Council is responsible for maintaining the PCI security standards. The PCI-DSS applies to any entity that is involved in payment card processing. The “high-level overview” provided by PCI is as follows (PCI Security Standards Council 2010):
* “Chain of trust” is a term referring to the fact that each entity sharing the EPHI has the necessary security protections to ensure the HIPAA requirements.