The two market segments that suffer the most data breaches are public sector entities and small and medium sized businesses. The federal government continually attempts to address cyber issues through regulation and spends roughly $15 billion a year on cybersecurity.
There are three main data protection laws at the federal level: the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA), and the Gramm-Leach-Bliley Act (GLBA). Congress, however, has continued to supplement and amend the laws in place to bolster cyber regulation as the times change (FISMA, for example, was updated by the Federal Information Security Modernization Act of 2014).
Gramm-Leach-Bliley Act (GLBA)
Also known as the Financial Services Modernization Act of 1999, GLBA was passed to repeal part of the Glass-Steagall Act and reduce restrictions on banking, securities, and insurance companies. Specifically, the law was meant to make mergers between these entities easier. GLBA also added data protection provisions that require financial institutions to have policies in place that protect the nonpublic personal information of consumers.
What is Required?
There are three main compliance components to GLBA: the Financial Privacy Rule, the Safeguards Rule, and the pretexting provisions. Taken together, they require financial institutions to establish a baseline for protecting consumer data.
The Financial Privacy Rule requires that a financial institution give consumers who engage with it notice of its information collection and sharing practices. The notice must also give consumers the option to opt out of having their nonpublic personal information shared with nonaffiliated third parties (the opt-out covers sharing, not collection).
The Safeguards Rule then requires that financial institutions maintain a written information security program. At a minimum, the program must do the following:
- Designate at least one employee to coordinate the information security program
- Identify internal and external threats through a risk assessment
- Design and implement safeguards to control the risks identified
- Regularly test or monitor the effectiveness of those safeguards
- Oversee service providers by selecting ones capable of maintaining appropriate safeguards and requiring them to do so by contract
- Evaluate and adjust the program in light of test results, changes to the business, or other circumstances
Note that the FTC amended the Safeguards Rule in 2021 to add more prescriptive requirements (for example, multi-factor authentication for access to customer information, encryption of customer information in transit and at rest, and a designated Qualified Individual who reports to the board); the list above is the core of the rule, not the full set of current obligations.
Finally, the pretexting provisions make it illegal to obtain a customer's financial information from an institution under false pretenses, such as by impersonating the customer or a regulator. In practice this means that a financial institution's information security program must account for social engineering: staff must be trained to verify requesters and to refuse disclosures that do not pass that check. Social engineering, and phishing in particular, is among the most common initial access vectors in reported breaches.
Who Does this Apply to?
The term financial institution encompasses much more than just banks. A financial institution is any company that offers consumers financial products or services, which includes businesses such as the following:
- Professional tax preparers
- Debt collectors
- Real estate settlement services providers and appraisers
- Certain financial or investment advisers
This definition applies to many businesses that may not think of themselves as financial institutions. For instance, check-cashing businesses, mortgage brokers, non-bank lenders, courier services, and payday lenders can all be subject to GLBA.
The GLBA rules include a fairly extensive list of examples of financial institutions. Below are further entities that can be subject to GLBA's requirements.
- Retailers that issue credit cards
- Car dealers
- Career counselors that specialize in serving those in financial organizations
- A business that prints and sells checks
- Wire transfer companies
- Businesses that operate a travel agency in connection with financial services
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is best known for modernizing how healthcare providers manage patient health information. While most people cite HIPAA when they are trying to obtain their own medical records, few realize that it also contains requirements that specifically govern the creation, use, transmission, and maintenance of electronic protected health information (ePHI).
What is Required?
The HIPAA Security Rule has a slew of requirements for covered entities. The general requirements mandate that covered entities ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit. They must also protect against reasonably anticipated threats or hazards to the security or integrity of that information and against reasonably anticipated impermissible uses or disclosures.
While these general requirements are seemingly nebulous, the Security Rule also includes specific administrative, physical, and technical safeguard specifications. It distinguishes between "required" and "addressable" implementation specifications, where addressable specifications allow for some flexibility. If an entity determines that an addressable specification is reasonable and appropriate for its environment, it must implement it; if not, it must document why and implement an equivalent alternative measure where one is reasonable and appropriate. "Addressable" never means "optional". Required specifications include the following:
- Risk Analysis – Covered entities must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI they hold.
- Risk Management – After risks and vulnerabilities are identified, security measures must be implemented to reduce them to a reasonable and appropriate level.
- Sanction Policy – Employees who fail to comply with security policies and procedures must have appropriate sanctions applied against them.
- Information System Activity Review – Procedures must be in place to regularly review records of information system activity, including audit logs, access reports, and security incident tracking reports.
The list below is not exhaustive, but it is a representative sample of the addressable specifications a covered entity must evaluate:
- Automatic Logoff
- Electronic Authentication of Health Information
- Integrity Controls
What is a covered entity?
Not all organizations that collect health information must follow HIPAA, but three categories of organization do. Some are what you would expect, such as hospitals and clinics, but others may be surprised to find that they are subject to HIPAA.
- Covered Entities – HIPAA defines covered entities as health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a standard transaction. Examples include hospitals, physicians, diagnostic care, rehabilitative care, counseling services, pharmacists, and academic medical centers.
- Hybrid Entities – An entity that performs both covered and non-covered functions can elect to be a hybrid entity. Only the parts of the business that perform a covered function then fall under HIPAA, but the entity must formally designate those parts as its health care component; otherwise the entire entity is subject to HIPAA. For instance, if a university operates a hospital, the entire university must follow HIPAA unless the hospital is designated as the health care component, in which case only the hospital is subject to HIPAA.
- Business Associates – A person or organization that performs a function or service for a covered entity that involves the use or disclosure of protected health information is a business associate. Examples include providers of data analysis, administration, claims processing, legal, accounting, consulting, actuarial, or quality assurance services. Business associates must sign a business associate agreement with the covered entity and are directly liable for compliance with the Security Rule.
Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act (FISMA) requires federal agencies to develop, document, and implement agency-wide information security programs. FISMA applies not only to government agencies but also to private companies that operate systems on an agency's behalf or otherwise contract with the government.
FISMA establishes a framework that agencies and contractors must follow to manage information security. Below is only a portion of the requirements.
- Inventory and Categorize Information Systems – Covered entities must maintain an inventory of their information systems and the interfaces between those systems. Each system must also be categorized (low, moderate, or high impact) according to FIPS 199 based on the potential impact of a loss of confidentiality, integrity, or availability.
- Security Controls – Every organization, regardless of regulation, should establish a security baseline. Under FISMA, FIPS 200 sets the minimum security requirements, and agencies and contractors satisfy them by selecting controls from NIST Special Publication 800-53. The selection starts from the 800-53 control baseline that matches the system's FIPS 199 impact level and is then tailored to the system.
- Risk Assessment – After selecting and implementing the baseline, covered entities must perform a risk assessment to identify threats and vulnerabilities that the baseline does not adequately address. The minimum requirements may not be enough for a given system, and even where not required by law, every organization should perform a risk assessment to find gaps before an attacker does.
- System Security Plan – Agencies and contractors must document a System Security Plan (SSP) for each system. The SSP describes the system boundary, the controls in place and those planned, and the timeline for implementing them, and it must be periodically reviewed and updated.
- Certification and Accreditation – After the above steps are complete, an independent assessment verifies that the controls are implemented and operating as intended, and a senior agency official then authorizes the system to operate. Under the current NIST Risk Management Framework this process is called assessment and authorization, and the result is an Authority to Operate (ATO). The authorizing official formally accepts the residual risk and is accountable for it.
- Continuous Monitoring – A security program is of little use if it is not continuously monitored and kept current. Significant changes to a system should trigger an updated risk assessment and, where warranted, reauthorization.
Even though only government agencies and their contractors are legally subject to FISMA, its requirements describe what every organization should be doing to protect itself from cyber attacks.