Let’s discuss. 

What is a HITRUST Self-Assessment Questionnaire?

To achieve full compliance with the HITRUST CSF, you will need to complete more than just a Self Assessment. But the Self-Assessment Questionnaire is a valuable tool for getting started with implementation — it is also an excellent tool for saving time and money on the journey toward Certification, as it makes later testing easier for you and your (required) third-party assessors.

This article will break down everything you need to know, including:

• A deep dive into HITRUST Self-Assessment and other forms of assessment
• A comprehensive overview of what it takes to implement all HITRUST controls

By the time we’re done, you’ll be ready to self-assess or fully verify your HITRUST compliance. But first, let’s address the elephant in the room: does your business even need to comply?

Does Your Company Need to Self-Assess?

There is no legal requirement for HITRUST compliance anywhere in the US. However, in many cases, businesses may face de facto requirements with respect to industry standards or client expectations. HITRUST offers optimum protection against a wide variety of risks, so compliance can provide a competitive advantage over other companies that don’t implement its safeguards.

Moreover, depending on the nature of your business, several elements of HITRUST are required for legal operation. For example, businesses in the healthcare industry need to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). And any such companies that also process credit card transactions need to comply with the Payment Card Industry Data Security Standard. Mapping across these and others can create challenges.

HITRUST combines these and other frameworks into one. It might not be a strict requirement for your business, but it can offer an efficient solution for all your other compliance obligations.

Understanding HITRUST Self-Assessment

Overall, HITRUST Self Assessment involves far more than just completion of the HITRUST Self- Assessment Questionnaire. The primary requirement comprises signing up for the MyCSF tool, the platform from which you’ll fill out the questionnaire, score your Assessment, and browse analytical insights into your readiness for full Certification. However, all that visibility doesn’t come cheap. Registration costs $2500 per 90 days, and the test itself costs $3750.

Another important cost factor to keep in mind is that Assessment, even just Self-Assessment, can be expected to last well over 90 days, meaning multiple registrations may be required.

Self-Assessment itself is straightforward — it requires simply testing the extent to which all Control References are installed and maintained (see below). Importantly, your Self-Assessment thereof doesn’t validate these practices. For that, you’ll need external verification for full Certification.

Other Levels of HITRUST CSF Assessment

For companies seeking full compliance with the HITRUST CSF, completing the Self-Assessment Questionnaire process is far from the last step. Full compliance periods require CSF validation or certification, depending upon scores. Typically, they last for one or two years. To achieve them, the other primary forms of CSF Assessment, per HITRUST, include the following:

• Validated Assessment – An Authorized External Assessor tests the implementation of all controls, then reports findings to HITRUST for a Quality Assurance Review; Certification is granted for two years, pending an Interim Assessment after one year
• Interim Assessment – An Authorized External Assessor tests implementation and maintenance of controls at the one-year mark of Certification, extending it for a year

Besides, another important form of assessment has been adopted via the “Bridge” program to facilitate coverage for businesses struggling to meet recertification deadlines due to COVID-19:

• Bridge Assessment – An Authorized External Assessor performs a special Bridge Assessment for qualifying companies, extending a form of Certification for 90 days following the end of the last period (to be subtracted from the next Certified period)

Across these assessment methods, the core of compliance still requires implementing and maintaining all of the HITRUST CSF controls. So, let’s take a look at what exactly that entails.

Implementing the HITRUST Approach

The most important parts of a HITRUST Self-Assessment checklist are the Control Categories (14), Objective Names (49), and Control References (156) that make up the CSF. Your Self — and eventually Validated — Assessment depends primarily on implementing the following:

• Control Category 0.0: Information Security Management –
  • One Objective Name governing top-level controls for policy maintenance
  • One Control Reference specifying requirements for policy and implementation
• Control Category 0.1: Access Control Security –
  • Seven Objective Names restricting access to data through authentication
  • 25 Control References specifying password strength, session length, etc.
• Control Category 0.2: Human Resources Security –
  • Four Objective Names governing general approach to personnel management
  • Nine Control References specifying approaches to recruitment, hiring, etc.
• Control Category 0.3: Risk Management Policy –
  • One Objective Name governing programmatic approach to risk mitigation
  • Four Control References specifying monitoring and analytical requirements
• Control Category 0.4: Security Policy –
  • One Objective Name governing baseline definitions of security and privacy
  • Two Control References specifying requirements for timely updates to the policy
• Control Category 0.5: Information Security Organization – 
  • Two Objective Names governing organization of internal and external parties
  • 11 Control References defining respective responsibilities, privileges, etc.
• Control Category 0.6: Regulatory Framework Compliance –
  • Three Objective Names governing approaches to legal and audit requirements
  • Ten Control References specifying controls for individual compliance rules
• Control Category 0.7: Asset Management Security –
  • Two Objective Names governing inventory control and responsibilities
  • Five Control References setting rules for classification, ownership, etc.
• Control Category 0.8: Physical and Environmental Security –
  • Two Objective Names restricting physical and proximal access to sensitive data
  • 13 Control References defining boundaries and use of devices and spaces
• Control Category 0.9: Communications and Operations Security –
  • Ten Objective Names governing requirements for secure wireless network traffic 
  • 32 Control References specifying controls to monitor and control communications
• Control Category 0.10: Information Systems Management –
  • Six Objective Names governing overall hardware and software security
  • 13 Control References establishing controls for apps, encryption, etc.
• Control Category 0.11: Security Incident Management –
  • Two Objective Names governing detection and response to events
  • Five Control References specifying defense protocols, contingencies, etc.
• Control Category 0.12: Business Continuity Management – 
  • One Objective Name ensuring the seamless continuation of services
  • Five Control References defining testing and planning to that end
• Control Category 0.13: Privacy Security Practices –
  • Seven Objective Names governing personal accountability standards
  • 21 Control References specifying individual practice requirements

Implementing the CSF and other Risk Management Frameworks in the HITRUST Approach can be highly challenging. 

That’s where we can help. 

Professional Assessment and Cyberdefense with RSI Security 

RSI Security is an Authorized External Assessor ready to work with you on HITRUST implementation and compliance elements. Our comprehensive suite of HITRUST services includes everything from tailored planning and implementation of required controls to robust training and analysis for your staff. 

Additionally, we help with guidance through Self and Validated Assessment itself. 

We know firsthand how vital, albeit challenging, compliance can be. But we also know that it’s hardly the end of your cybersecurity journey — instead, it’s just the start of your cyberdefense. We can help with everything it takes to keep your stakeholders safe, whether it’s HITRUST Self Assessment Questionnaire or a new cybersecurity architecture. Contact RSI Security today!

The post What is a HITRUST Self-Assessment Questionnaire? appeared first on RSI Security.

Guide to HITRUST Password Requirements

Targeted cyberattacks can lead to guessing, hacking, cracking, or even theft of passwords. Users cannot be trusted to make their account credentials strong on their own accord. Your company needs to guarantee safety with robust minimum requirements and frequent updates, along with other password safeguards. HITRUST’s framework offers uniform standards to optimize them.

This guide breaks down everything you need to know into two primary sections:

• A full explainer of HITRUST password requirements, including all relevant controls
• Other password security best practices, including helpful resources

By the end of this blog, you’ll be well equipped to secure your passwords up to HITRUST standards and well beyond. But first, let’s take a quick look at the broader HITRUST framework.

What is HITRUST and Who Needs to Comply?

The HITRUST Alliance, formerly known as the “Health Information Trust Alliance,” endeavors to protect companies in the healthcare industry through the HITRUST Approach. This includes adopting several risk management and cybersecurity frameworks, most notably the Common Security Framework (CSF). The CSF integrates controls from various regulatory texts, such as HIPAA, HITECH, and PCI-DSS, simplifying the adoption of all of them simultaneously.

HITRUST compliance is not a legal requirement for any organization. But the inputs for the CSF are legally required for many organizations in specific contexts. Healthcare organizations need to be HIPAA compliant, and all businesses that process card payments need to be PCI-DSS compliant. HITRUST offers efficiency, as well as optimal security.

Let’s take a close look at the HITRUST password requirements, as they appear in the CSF.

HITRUST Requirements for Passwords

The core of the HITRUST CSF comprises 156 “Control References.” These spread across 49 “Objective Names,” which themselves are housed in 14 “Control Categories.” Across the HITRUST CSF, the primary requirements that deal directly with passwords are the following:

• HITRUST password length requirements and strength requirements include a minimum of eight characters for a given password or 15 characters for accounts with the most privileged access. Complexity measures include at least one number and/or special character and at least one letter in upper and lower case for privileged accounts.
• HITRUST password history requirements vary in range, depending on the level of security required for a given user. For the most highly privileged accounts, passwords must be changed every 60 days, and no combinations from the previous 12 passwords may be used. For accounts with fewer access privileges, none of the previous six passwords may be used.
• HITRUST encryption requirements intersect with user credentials concerning user account management and access to the cloud or remote servers. Storing sensitive information, including passwords, also requires encryption to protect them even if stolen.

Other requirements related to user credentials, accounts, and access include multi-factor authentication for specific accounts and the Category of “Access Control.”

Breakdown of Access Control Requirements

There is only one Control Category related directly to password length, strength, and other qualities: “Control Category 01.0, Access Control.” Coincidentally, this is also a Category with some of the most Objectives (seven) and Control References (25). Let’s take a closer look at them:

• Objective 01.01: Business requirement for access control 

• • • Reference 01.a: developing a strong access control policy

• Objective 01.02: Authorized access to information systems 

• • • Reference 01.b: control registration of all user accounts
    • Reference 01.c: manage access privileges of user accounts
    • Reference 01.d: manage users’ passwords and accounts
    • Reference 01.e: regularly review users’ rights of access

• Objective 01.03: User responsibilities 

• • • Reference 01.f: govern users’ use of passwords and accounts
    • Reference 01.g: account for user equipment left unattended
    • Reference 01.h: require clean and secure workstations

• Objective 01.04: Network access control 

• • • Reference 01.i: create policy restricting access to networks
    • Reference 01.j: authenticate access via an external connection
    • Reference 01.k: identify all equipment connected to networks
    • Reference 01.l: monitor and protect remote and port access points
    • Reference 01.m: implement segregation of and within networks
    • Reference 01.n: control connections to, from, and across networks
    • Reference 01.o: control routing of and to internal and external networks

• Objective 01.05: Operating system access control 

• • • Reference 01.p: ensure secure procedures for logging into accounts
    • Reference 01.q: implement authentication and identification of users
    • Reference 01.r: implement a robust password management system
    • Reference 01.s: monitor and control all use of system utilities
    • Reference 01.t: require automatic session time-out for inactivity
    • Reference 01.u: limit duration of access sessions, within reason

• Objective 01.06: Application and information access control 

• • • Reference 01.v: restrict access to sensitive information
    • Reference 01.w: logically isolate sensitive information

• Objective 01.07: Mobile computing and teleworking 

• • Reference 01.x: monitor and control mobile access
  • Reference 01.y: implement telework security measures

While only a few of these Objectives and References deal directly with passwords specifically, access control’s overall Category offers broader protection through other measures. This is true of HITRUST’s framework, as well as in other regulatory texts (HIPAA, PCI-DSS, etc.).

Other Password Security Best Practices

Besides the baseline password requirements for HITRUST compliance, there are many other security measures your company can take to keep its user credentials safe. For example, many cybersecurity experts recommend utilizing a passphrase rather than a password. Splitting up the credential into two or more distinct strings of characters makes it more difficult to guess.

A more advanced approach involves two or multi-factor authentication, which authorizes access through a username and password or phrase, in addition to some combination of:

• Something the user owns, such as a secondary device used to confirm the identity
• Something the user knows, such as a security question only they can answer
• Something the user is, such as a biometric scan of a retina, fingerprint, etc.

All these methods help to keep passwords safe from guessing, cracking, and theft. But if passwords are compromised, robust encryption can help ensure that hackers cannot view or use the credentials. RSI Security’s identity and access management services include all of these measures, alongside powerful analytics and management.

Professional Compliance and Cybersecurity

Here at RSI Security, we know how critical compliance is for companies within the healthcare industry. We also understand the value HITRUST offers in simplifying all the controls you need for HIPAA compliance. 

Our suite of HITRUST compliance services builds upon this value, helping to make HITRUST implementation and compliance a simple, straightforward process. Our experts will work with your internal IT to determine gaps, report on patches, and even help you develop them.

Contact RSI Security today for help implementing HITRUST password requirements and all other controls. We’re also happy to help integrate these and other regulatory requirements into the fabric of your company, optimizing your broader cybersecurity architecture and keeping your stakeholders safe. No matter the needs and means of your company, we have you covered.

The post A Guide to HITRUST Password Requirements and Best Practices appeared first on RSI Security.

Read on to learn more!

What is the HIPAA Enforcement Rule?

HIPAA enforcement falls under the US Department of Health and Human Services (HHS) jurisdiction, along with other governmental agencies. Below, we’ll walk through everything you need to know about HIPAA enforcement across two main sections:

• A comprehensive look at the HIPAA Enforcement Rule, including tiers of non-compliance penalties and the investigation processes for identifying noncompliance violations
• An overview of the remaining HIPAA rules, including principles of the Privacy Rule, safeguards of the Security Rule, and reporting for the Breach Notification Rule

By the end of this blog, you’ll be well equipped to avoid the HIPAA enforcement rule’s penalties for non-compliance altogether. 

Enforcement Rule: Penalties and Procedures

The HIPAA Enforcement Rule involves strict monitoring for and enforcement of the Privacy Rule since 2003 and the Security and Breach Notification Rules since 2009. The HHS reserves the right to hold businesses accountable with fines and other penalties for noncompliance:

• Civil money penalties – Companies may be fined up to $1,500,000 over a year across all individual fines, which break down into four categories:
  • $100 – $50,000 dollars if the entity committed a violation but “did not know”
  • $1,000 – $50,000 dollars if the entity had “reasonable cause” for violation
  • $10,000 – $50,000 dollars for companies’ “willful neglect” with correction
  • $50,000 dollars flat for companies’ “willful neglect” without correction
• Criminal penalties – Companies may be subject to criminal penalties for the most heinous instances of intentional noncompliance and fraud violations. These include:
  • $50,000 dollars and up to one-year imprisonment for intentional misuse of (e)PHI
  • $100,000 dollars and up to five years imprisonment if false pretenses are involved
  • $250,000 dollars and up to ten years imprisonment for violations for personal gain

Aside from the basic thresholds detailed just about, the severity of the fine or penalty incurred depends on numerous factors. The HHS may exercise discretion to resolve an issue without assessing a fine, for instance, or apply a lower-tier fine to what should be a higher-tier offense.

Enforcement Process: Ensuring Compliance

To determine which fines or penalties a violation deserves, the HHS follows a strict Enforcement process. The process begins with the Office of Civil Rights (OCR) and stays within the OCR for civil penalties cases. Where criminal activity is suspected, the OCR works in conjunction with the US Department of Justice. Altogether, the process has three main stages:

• Intake and review – The OCR determines whether an immediate resolution is appropriate (an obvious non-violation) or if there is a potential civil or criminal violation, leading into…
• Investigation(s) – The OCR and DOJ begin a thorough auditing process to determine if and how one or more violations have occurred and the entity’s accountability, leading to…
• Resolution – The OCR and DOJ may find that no violation has occurred, reach an agreement regarding voluntary corrective action, or issue a formal finding.

Depending on what the OCR and DOJ decide, a company may face civil and criminal penalties for a particularly egregious violation. HHS publishes a list of relevant Case Examples that break down the reasoning behind some past cases (anonymized for security).

Covered Entities: Who Needs to Comply?

Given the stark penalties detailed above, avoiding enforcement is extremely important for all companies who need to comply. But which companies are these, exactly? The HHS maintains a (non-exhaustive) list of HIPAA Covered Entities, of which there are three main categories:

• Healthcare providers, such as doctors, hospitals, nursing homes, and pharmacies
• Health insurance plans, including insurance providers and coordinating companies 
• Healthcare clearinghouses, or companies that process (non)standard health data

These companies aren’t the only ones who need to worry about enforcement. As of 2009, covered entities’ business associates also need to comply with HIPAA. Failure to do so can have significant consequences for both the business associate and the covered entity. Template business associate contracts can help account for this and keep all parties in the clear.

What are the Other HIPAA Rules?

As noted above, four main rules make up the core of HIPAA for professionals — the three non Enforcement Rules define the prescriptive regulations a company must follow to protect PHI. However, this was not always the case. At first, HIPAA included only the Privacy Rule, with the Security Rule added shortly afterward to protect electronic PHI (“ePHI”).

Major changes came to HIPAA following the passing of the H.R.1 – American Recovery and Reinvestment Act (ARRA) in 2009. HITECH, a key component of ARRA, added the Breach Notification Rule to HIPAA and significantly increased the penalties of Enforcement, and broadened the scope of covered entities to include business associates. HIPAA Enforcement is thus synonymous with HITECH Enforcement — let’s take a look at all the rules it has.

Privacy Rule: Authorized Use and Disclosure

The HIPAA Privacy Rule exists to define rights and requirements regarding PHI. It designates what constitutes an appropriate (permitted or required) use of PHI and the conditions under which it can be accessed. The HHS’s Privacy Rule summary comprises two significant principles:

• • Uses and disclosures of PHI are prohibited unless required (expressly requested by the subject of the PHI or by a government agency) or permitted (disclosures to the subject or a representative, uses undertaken in the public interest, and incidental disclosure, etc.)
  • All permitted disclosures, except certain required cases, need to be limited in scope to the minimum necessary amount that satisfies the permitted or required use case
  • The HIPAA Privacy Rule is enforced by assessing the extent to which these principles are operationalized across a company’s cybersecurity architecture, personnel, and practices.

Security Rule: Confidentiality, Integrity, Availability

The HIPAA Security Rule exists to extend the Privacy Rule principles out across a covered entity’s security architecture. The HHS’ Security Rule summary specifies three safeguards covered entities must implement to ensure confidentiality, integrity, and availability of (e)PHI:

• Administrative safeguards, including management of security processes and personnel, identification and access, workforce training, and regular assessment or evaluation
• Physical safeguards, including restrictions of access to physical spaces and devices
• Technical safeguards, including robust access, audit, and integrity controls, as well as regular monitoring, analysis, and corrective measures for transmission security

The HIPAA Security Rule is enforced by assessing how effectively these safeguards contribute to the company’s risk analysis and management, proactively preventing threats to ePHI.

Breach Notification Rule: Reporting Security Events

Finally, the HIPAA Breach Notification Rule exists as part of a contingency plan to follow if a data breach happens. A data breach is defined as any use not permitted by the Privacy Rule (with some exceptions). Should this occur, covered entities need to provide:

• • Individual notice to all impacted parties, delivered by mail or email without unreasonable delay (within 60 days), in addition to a statement on the company’s home page (select cases)
  • Secretary notice to the HHS via Breach Reporting form, annually for breaches impacting fewer than 500 people, and within 60 days for violations affecting more than 500 people
  • Media notice to a prominent local or national media outlet, within 60 days, for any breach that impacts more than 500 people within the defined geographic location of that outlet

HIPAA’s Privacy and Security rules are enforced by assessing a company’s security practices at rest, but Breach Notification enforcement analyzes a company’s response after a security event.

How to Avoid HIPAA Enforcement

To avoid the penalties of Enforcement, it’s crucial not to garner any complaints that would initiate the Enforcement Process detailed above. Your best option is working with a service provider to achieve and maintain compliance across your whole organization. To that end, RSI Security’s suite of HIPAA compliance services comprises everything you need to implement all the HIPAA rules and fully secure your clients’ PHI. 

Whatever you need, we have it covered.

The most important thing to understand about the HIPAA Enforcement Rule is how to ensure it never affects your organization. To see just how simple this process can be and how strong your company’s overall cyberdefenses can become, contact RSI Security today!

The post What is the HIPAA Enforcement Rule? appeared first on RSI Security.

Complete CMMC Assessment Guide

CMMC is a publication of the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD-A&S). It simplifies the adopting practices required by the Defense Federal Acquisition Regulation Supplement (DFARS), including all of Special Publication 800-171.

Implementing and assessing all requirements for compliance can be highly complex. In this guide, we’ll walk you through everything you need to know to be fully compliant, including:

• The general focus of each level, including practice and process maturity goals
• A detailed breakdown of every control required at each level
• Some resources to help you achieve compliance at all levels

By the time we’re done, you’ll be well prepared to get started with assessment and certification or move on to the next stage in your cybersecurity journey. But first, let’s cover some basic CMMC definitions.

CMMC Framework Basics: Levels and Domains

At the CMMC’s core are 17 “Domains.” Each targets several “Capabilities” (43 total) across its “Practices,” or controls (171 total). These controls are implemented gradually across five “Maturity Levels.” These elements of the CMMC core break down as follows:

Maturity Levels:

• Maturity Level 1 – Safeguarding Federal Contract Information (FCI)
• Maturity Level 2 – Transitioning into Level 3 (and protection of CUI)
• Maturity Level 3 – Protecting CUI (controlled unclassified information)
• Maturity Level 4 – Finalizing CUI protection and preparing for APTs
• Maturity Level 5 – Preventing APTs (Advanced Persistent Threats)

At each Level, new and existing Practices are held to “process maturity” standards, measuring how integrated it is across the company. Practices must be revisited and upgraded at each successive level.

Cybersecurity Domains:

• Access and Control (AC)
• Asset Management (AM)
• Audit and Accountability (AU)
• Awareness and Training (AT)
• Configuration Management (CM)
• Identification and Authentication (IA)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Personnel Security (PS)
• Physical Protection (PE)
• Recovery (RE)
• Risk Management (RM)
• Security Assessment (CA)
• Situational Awareness (SA)
• Systems and Communications Protection (SC)
• System and Information Integrity (SI)
  

Now, let’s discuss all of the Levels’ general focuses, practice and process maturity goals, and the control breakdowns to prepare for assessment at every level. All content in the sections below is sourced directly from CMMC V1.02, unless otherwise noted.

CMMC Level 1 Overview: Safeguarding FCI

The first CMMC Maturity Level focuses on safeguards for federal contract information (FCI), one of the two types of data CMMC is designed to protect. Its Practice goals constitute “basic Cyber hygiene,” and Processes at Level 1 must be merely “performed” (not measured).

In total, CMMC Level 1 comprises 17 practices, encompassing six Domains. This is the second-fewest Practices of any Level, and combined with the relatively lenient Process goal, CMMC basic assessment at Level 1 is designed for accessibility. Let’s take a closer look at what it entails.

Breakdown of Level 1 Controls by Domain

The 17 Practices added at Level 1 break down as follows:

• Level 1 AC – Fundamental controls to authenticate access to sensitive FCI (four Practices)
• Level 1 IA – Basic parameters further defining authentication methodology (two Practices)
• Level 1 MP – A principle for deleting traces of FCI stored on hardware and software before reuse, repurpose, recycle, sale, or other disposals thereof (one Practice) 
• Level 1 PE – Basic controls for monitoring physical and proximal access (four Practices)
• Level 1 SC – Basic controls for network traffic within defined borders (two Practices)
• Level 1 SI – Fundamental protocols for regular monitoring of systems (four Practices)

CMMC Level 2 Overview: Preparing for CUI

The second CMMC Maturity Level focuses less on any inherent goal and more on a transitional one, preparing for complete protection of controlled unclassified information at Level 3. Its Practices’ goals constitute “intermediate cyber hygiene,” and Processes must be performed and “documented.”

Level 2 adds 55 new Practices, the second most of any Level, for a running total of 72. Since all these Practices need to be documented, this is the first Level at which Process Maturity requires official measurement and CMMC assessment tools. Let’s take a closer look.

Breakdown of Level 2 Controls by Domain

The 55 Practices added at Level 2 break down as follows:

• Level 2 AC – Stronger access controls, including the application of “least privilege” principle and individual session management (ten Practices)
• Level 2 AU – Initial controls to guarantee regular auditing and audit logging (four Practices)
• Level 2 AT – Initial controls specifying training requirements for all staff (two Practices)
• Level 2 CM – Initial controls requiring immediate deletion and replacement of default security settings installed by the manufacturer on hardware, software, etc. (six Practices)
• Level 2 IA – Stronger requirements for length and complexity of credentials (five Practices)
• Level 2 IR – Initial protocols for management of incidents as they occur (five Practices)
• Level 2 MA – Initial controls specifying regular intervals for maintenance and the need for special service after updates, attacks, and other relevant events (four Practices)
• Level 2 MP – Stronger restrictions on access to FCI and CUI media (three Practices)

• • Level 2 PS – Initial controls integrating cybersecurity into recruiting, hiring, onboarding, promoting, firing, and other personnel movement procedures (two Practices)
  • Level 2 PE – Physical controls extending beyond perimeter protections (one Practice)
  • Level 2 RM – Initial controls for systematic management of risks or threats (three Practices)
  • Level 2 CA – Initial controls for regular assessment of security architecture (three Practices)

• Level 2 SC – Stronger network communications controls, such as encryption protocols and restriction of remote access to networks containing FCI and CUI (two Practices)
• Level 2 SI – Stronger controls to guarantee integrity, including immediate corrective response to identified flaws and weaknesses in system architecture (three Practices)

CMMC Level 3 Overview: Protecting CUI

The third CMMC Maturity Level focuses on the full protection of CUI, which coincides with the implementation of all NIST SP 800-171 controls. Practices goals for Level 3 constitute “good cyber hygiene,” and Processes at Level 3 must be documented and actively “managed.”

Level 3 adds 58 new Practices, the most of any Level, making the running total now 130. Plus, the management of all 130 controls makes Level 3 a milestone in compliance and security. The final two Levels will move far beyond cyber hygiene and into advanced proactive measures.

Breakdown of Level 3 Controls by Domain

The 58 Practices added at Level 3 break down as follows:

• Level 3 AC – Stronger methods for access restriction, including limitations of what capabilities are afforded to accounts with privileged access status (eight Practices)

• • Level 3 AM – Initial definitions of CUI-specific asset handling requirements (one Practice)
  • Level 3 AU – Greater specificity for audits and audit logging controls, including the safeguarding, monitoring, and recovery of logged audit data (seven Practices)
  • Level 3 AT – More targeted training controls, focusing on internal threats (one Practice)
  • Level 3 CM – Stronger controls of device configurations beyond removing defaults, including “black-” or “white-listing” of individual settings for security (three Practices)

• Level 3 IA – Final controls for user accounts, such as multi-factor authentication (MFA) and limitations on recycling of previously used credentials (four Practices)
• Level 3 IR – Stronger internal and external incident reporting protocols (two Practices)
• Level 3 MA – Final requirements for routine and special maintenance (two Practices)Level 3 MP – Stronger media protections, including tight restrictions on transport and transmission of sensitive data, as well as strong encryption (four Practices)

• • Level 3 PE – A final extension of physical protections irrespective of location (one Practice)
  • Level 3 RE – Specifications for performance and maintenance of backups (one Practice)
  • Level 3 RM – Stronger risk analysis targeting areas lacking vendor support (three Practices)
  • Level 3 CA – Assessment controls targeting internally developed apps (two Practices)
  • Level 3 SA – Initial controls for analysis and sharing of threat intelligence (one Practice)

• Level 3 SC – Significantly stronger and broader controls for all elements of network communication, including encryption and VoIP safeguards (15 Practices)
• Level 3 SI – Stronger filtering and response protocols for identified flaws (three Practices)

CMMC Level 4 Overview: Preparing for APT

The fourth CMMC Maturity Level focuses on further optimizing CUI protection and moving into proactive measures to counteract advanced persistent threats. Its Practice goals constitute “proactive” measures, and Processes at Level 4 must be managed and “reviewed.”

Level 4 adds on 26 Practices. Practices’ running total is now 156, all of which now require a deeper level of regular institution-wide review and corrective action to ensure ongoing security.

Breakdown of Level 4 Controls by Domain

The 26 Practices added at Level 4 break down as follows:

• Level 4 AC – Stronger monitoring for and restrictions on the flow of information (three Practices)
• Level 4 AM – A final control facilitating analysis of inventoried assets (one Practice)
• Level 4 AU – Stronger controls enabling automation and analysis of stored audit log information, as well as logging and security of audit analyses (two Practices)
• Level 4 AT – Final training specifications focused on advanced social engineering and other scams specifically targeting uninformed personnel (two Practices)
• Level 4 CM – Smoother configuration management through “white-listing” (one Practice)
• Level 4 IR – Stronger, proactive analytics for preventing incidents, including mobilization of intelligence on past attacks and establishment of a 24/7 response center (two Practices)
• Level 4 RM – Stronger, predictive analytical controls including the use of threat profiles and the management of one or more risk monitoring supply chains (four Practices)
• Level 4 CA – Final controls for ongoing improvement of security processes (three Practices)
• Level 4 SA – Final controls specifying “threat hunting” capabilities (two Practices)
• Level 4 SC – Stronger controls for isolating and protecting network communications, as well as analyzing potentially harmful code in communications infrastructure (five Practices)
• Level 4 SI – Protocols for integrating external and internal intelligence (one Practice)

CMMC Level 5 Overview: Preventing APT

The fifth and final CMMC Maturity Level focuses almost entirely on the most advanced protections for APT available. The final stage of Practices constitute advanced and progressive measures, and Processes at Level 5 must be reviewed and continuously “optimized.”

Level 5 adds only 15 new Practices, the fewest of any level, bringing the final total to 171. But the final Process goal includes keeping Practices up to date and actively seeking out ways to improve and perfect them over time. Let’s take a look at the final slate of Practices.

Breakdown of Level 5 Controls by Domain

The 15 Practices added at Level 5 break down as follows:

• Level 5 AC – A final protection for risks related to wireless access points (one Practice)
• Level 5 AU – A final control for identifying and correcting oversights in audit (one Practice)
• Level 5 CM – A final control for validating the integrity of security settings on software and hardware identified as critical or otherwise essential to the business (one Practice)
• Level 5 IR – Final controls specifying proactive, preventative measures for incidents, such as in-depth analysis of forensic data and unannounced exercises (four Practices)
• Level 5 RE – A final control for continuity, redundancy, and availability (one Practice)
• Level 5 RM – Final controls for an annual review of risk management architecture and periodic updates to exception protocols for non-whitelisted software (two Practices)
• Level 5 SC – Final controls specifying a port and commercial precautions (three Practices)
• Level 5 SI – Final controls for analysis of both systems and personnel (two Practices)

Professional Compliance and Cybersecurity

Across all of these levels, implementing and assessing all required controls can be challenging, especially for smaller to medium-sized companies with more modest IT budgets. RSI Security offers a suite of CMMC compliance advisory services to help your company achieve certification. This CMMC assessment guide is far from the only resource we offer; contact RSI Security today to see how easy CMMC compliance can be!

The post Your Complete CMMC Assessment Guide  appeared first on RSI Security.

Let’s take a closer look.

What is a HITRUST Bridge Assessment?

HITRUST CSF compliance is exceptionally comprehensive. Even previously certified institutions may struggle to meet validation deadlines — especially given the pandemic and its aftermath. Bridge assessments aren’t a replacement for full compliance. Instead, they are available to help these organizations extend their window and eventually achieve complete recertification.

In this blog, we’ll break down everything you need to know about the HITRUST bridge assessment and overall HITRUST CSF compliance. Topics covered below include:

• What the bridge assessment is, along with how (and why) to take advantage of it
• Where the bridge assessment leaves off, or what you’ll need for full compliance
• Why and how to verify or certify full compliance

By the time we’re done, you’ll be well-positioned to move forward into bridge assessment in the short term, then full compliance in the long term. But first, let’s review what exactly HITRUST is.

What is HITRUST, and Why is it Important?

Companies’ concerns about “HITRUST” usually refer to compliance with the HITRUST CSF specifically. But the CSF itself is just one part of the overall HITRUST Approach, a much more holistic system or program of data protection, information risk management, and compliance.

The HITRUST Approach includes all solutions HITRUST offers (the CSF, Risk Management Frameworks, etc.). Its principles constitute a cyclical set of steps toward robust cybersecurity:

• Identify and Define – Focused on monitoring for, defining, and analyzing risks
• Specify – Focused on determining which solutions are appropriate for defined risks
• Implement and Manage – Focused on mitigation and resolution of security incidents
• Assess and Report – Focused on logging, analyzing, and correcting vulnerabilities

This approach is crucial, not least because of its simplicity. As you’ll see below, implementing the HITRUST frameworks themselves can be complex and challenging. Simplicity at the top level allows for a streamlined approach without compromising the quality and integrity of security.

Similarly, the Bridge Assessment program is a means toward simplification to make recertification slightly more accessible, especially in the crisis many companies are facing.

Leveraging HITRUST Bridge Assessment

HITRUST implemented the Bridge Assessment early in 2020 to assist companies struggling to achieve timely reassessment. HITRUST’s press release for the Bridge program notes that, due to the immediate and long-term impacts of the COVID-19 pandemic, many businesses have had trouble submitting their CSF Validated Assessments before deadlines.

Companies facing these troubles are prone to many other consequences. 

On the one hand, HITRUST is a primary means by which many companies comply with other legally mandated frameworks. On the other hand, a lapse in compliance often portends lax cybersecurity as a whole, meaning these companies are at risk of being exposed to the dangers of cybercrime.

The Bridge Assessment and resulting HITRUST CSF Bridge Certificate comprise an ideal solution for companies in a bind. It is not an “extension” of existing certification, nor is it a “replacement” for traditional certification. Due to the less intensive assessment procedure, Bridge Certification provides a lesser level of assurance. It’s a means to prove companies’ controls are unlikely to have degraded after certification, and full compliance is soon to come.

But Bridge Assessment is by no means simple to achieve. Let’s take a close look at the process and requirements through which companies can accomplish CSF Bridge Certification.

How the HITRUST Bridge Assessment Works

Companies may be eligible for Bridge Assessment (and Certification) for 90 days after the expiration of their previous CSF Certification period. Furthermore, according to HITRUST’s guide to the Bridge Assessment, the Bridge Certification process breaks down as follows:

• Step 1 – Obtaining a HITRUST CSF Bridge Assessment object within the myCSF toolkit; this requires registration at an initial cost of $3,000 (and later fees in some cases)

• Step 2 – Assessment from a HITRUST Authorized External Assessor, comprising a selection of 19 requirement statements selected from the overall HITRUST controls

• • • If the controls had already been tested for validated assessment, they might count toward Bridge Assessment without requiring a retest (with restrictions)

• Step 3 – The company’s management and the Authorized External Assessor must confirm three criteria:

• • • Confirm no reportable breaches have occurred since the previous CSF Certification
    • Confirm no significant changes to security since the previous CSF Certification
    • Confirm intention to complete full CSF Certification before Bridge expires

• Step 4 – Performance of a “fast track” Quality Assurance Review, by a first-party HITRUST official, on the assessment submitted by the Authorized External Assessor

• Step 5 – Issuance of official HITRUST CSF Bridge Certificate to the organization

• Step 6 – Submitting a completed, validated assessment to HITRUST before the end of the Bridge Certificate’s expiration date (90 days after the prior Certificate’s expiration date)

• • Any time covered by Bridge Certification is subtracted from the subsequent HITRUST CSF Certification (i.e., three months of the entire 24-month period)

Ultimately, the relationship between the Bridge Certification and CSF Certification is forgiving in some ways and demanding in others. Having CSF controls firmly established facilitates Bridge Assessment and bypasses rigorous analysis. But taking advantage of Bridge Certification won’t net you any “extra” month of coverage since they are subtracted from your next period.

Understanding HITRUST CSF Certification

As noted above, Bridge Certification is not an extension or replacement for compliance. You’ll still need to implement all CSF controls beyond the 19 assessed for the Bridge Certificate. Colloquial nicknames for the Bridge Assessment, such as “HITRUST gap assessment,” belie the importance of understanding CSF to avoid gaps in your overall HITRUST coverage.

In total, the HITRUST CSF comprises 156 “Control References” to implement, spread across its 49 “Objective Names” and 14 “ Control Categories.” These are influenced by, and often directly adapted from, the requirements of other compliance frameworks. The NIST Cybersecurity Framework, HIPAA, HITECH, and PCI Data Security Standard are some of the primary sources.

The full text of the CSF is available for free download, but only for organizations that sign a qualifying license agreement. In practice, this means few organizations have access to the text itself. But don’t worry: below, we’ll provide a synopsis of all the controls your business will need to implement for compliance, sourced directly from HITRUST CSF v.9.4.1.

Breakdown of the HITRUST CSF Framework

While the HITRUST framework also provides Specifications, Mapping, and other guidance for each Reference, the References themselves are most analogous to individual Controls. All in all, the Control Categories, Objective Names, and Controls References break down as follows:

• Control Category 0.0: Information Security Management – Governing top-level controls for effective security management, across one objective and one Control Reference
• Control Category 0.1: Access Control Security – Governing measures taken to restrict access to sensitive information, across seven Objectives and 25 Control References
• Control Category 0.2: Human Resources Security – Governing approaches to personnel management and security, across four Objectives and nine Control References
• Control Category 0.3: Risk Management Policy – Governing approaches to monitoring, analyzing, and mitigating risks, across one Objective and four Control References
• Control Category 0.4: Security Policy – Governing minimum required specifications for maintaining a robust security policy, across one Objective and two Control References
• Control Category 0.5: Information Security Organization – Governing management of internal and external data, across two Objectives and 11 Control References
• Control Category 0.6: Regulatory Framework Compliance – Governing mapping and implementation of all required controls, across three Objectives and ten Control References
• Control Category 0.7: Asset Management Security – Governing management of inventory and related responsibilities, across two Objectives and five Control References
• Control Category 0.8: Physical and Environmental Security – Governing restrictions for access to devices and entire areas, across two Objectives and 13 Control References
• Control Category 0.9: Communications and Operations Security – Governing security precautions for network traffic, across ten Objectives and 32 Control References
• Control Category 0.10: Information Systems Management – Governing acquisition, maintenance, and development of IT, across six Objectives and 13 Control References
• Control Category 0.11: Security Incident Management – Governing security incident reporting, response, and recovery, across two Objectives and five Control References
• Control Category 0.12: Business Continuity Management – Governing processes implemented for continuity of services, across one Objective and five Control References
• Control Category 0.13: Privacy Security Practices – Governing general principles and approaches to privacy at all levels, across seven Objectives and 21 Control References

Implementation of all controls across all Categories is not enough to guarantee complete verification or certification. Your business will need to submit a self-assessment (in addition to third-party validation), depending on the target level of compliance assurance sought by the company.

Achieving Full HITRUST Certification

Compliance requires reporting on (and potentially verifying) your implementation of all CSF controls. At the most basic level, and outside of Bridge-related compliance, companies can choose to self-assess their performance by submitting the Self-Assessment Report, available from HITRUST directly or through subscription to the MyCSF toolkit. In addition, other self-service tools include the HITRUST Academy and HITRUST Readiness Assessment.

 There are two levels to consider to achieve full compliance: validation and certification.

According to HITRUST’s guide to CSF Assessments, both require working with an Authorized External Assessor. Both also require submitting a HITRUST CSF Validated Assessment Report. If the Report meets HITRUST’s score requirements, your company may qualify for Certification. If it doesn’t, you may still be eligible for Validation. Validation lasts for one calendar year, while certification lasts for two years (pending the submission of an Interim Assessment after one year).

Unlike the Bridge Assessment, a HITRUST CSF Interim Assessment does not subtract or in any other way negatively impact the total number of months your certification lasts.

How Compliance Advisory Services Can Help

As noted above, full compliance (verification or certification) requires a third-party’s assistance for at least the final assessment stage. Given the challenges of implementing all the necessary controls, it’s in many organizations’ best interests to work with a service provider from the first touchpoint of the process. 

To that end, here at RSI Security, we offer a suite of HITRUST advisory services, including:

• Guidance with and facilitation of HITRUST Self Assessment
• HITRUST gap assessment to identify weaknesses or oversights
• Comprehensive Verification, Interim, Bridge, and full Certification
• Troubleshooting and long-term maintenance of CSF implementation
• Marketing support for publishing and capitalizing on compliance
• Integrated third-party risk management (TPRM) program
• Targeted healthcare and health adjacent advisory
• Mapping to other cybersecurity frameworks

With over a decade of experience helping companies achieve HITRUST compliance, as well as compliance with other regulatory frameworks, we are well-positioned to help you get Certified.

Professional Certification and Cyberdefense

The talented team of experts here at RSI Security is happy to help your company with all of its compliance and cybersecurity planning and implementation — no matter the nature and size of your business. We’ll tailor a suite of IT and security services to meet your needs and means.

For many companies, compliance with a robust regulatory framework like HITRUST is a one-size-fits-all solution to their cybersecurity concerns. For many others, however, compliance is just the start of the cybersecurity journey. 

And for all cybersecurity needs, there’s us. 

To see how valuable a HITRUST bridge assessment can be for your company, contact RSI Security today!

The post What is a HITRUST Bridge Assessment? appeared first on RSI Security.

Essential Patient Data Rights Under HIPAA

The US Department of Health and Human Services (HHS) developed HIPAA to distinguish data on health and payment records as “protected health information” (PHI). Later, the HITECH Act expanded the definition to account for electronic PHI (ePHI). Together, both acts grant patients fundamental rights. Below, we break down everything you need to know about them, including:

• Rights of privacy and accessibility granted directly by the HIPAA Privacy Rule
• Other de facto rights related to the remaining HIPAA rules
• Ways companies can accommodate their patients’ rights and needs

By the end of this blog, you’ll know your patients’ rights and expectations, and how to meet and exceed their expectations. We’ll end with resources to help you ensure compliance.

Primary HIPAA Patient Rights

The most critical patient rights under HIPAA have to do with patients’ right to access their PHI. Patients are guaranteed unfettered access to all medical records and payment history related to healthcare goods and services purchased. Patients have the right to share this information as they please, provided that they do not infringe upon others’ privacy.

Patients need access to their medical records to make informed decisions about their care. For example, it’s helpful to have all your medical information available when deciding whether or not to proceed with surgery, which treatment options to consider, as well as preventative methods. However, patients also need to know that these records are safe and that other individuals are not accessing them without the patient’s consent. To that effect, the Privacy Rule lays out the exact terms under which use and access are authorized.

Accessibility and Privacy of PHI

The HIPAA Privacy Rule provides patients the right to request access to their individual PHI. This is one of the two cases in which use or disclosure of PHI is not only permitted but specifically required — the other involves a direct request by HHS or other governmental agencies for legal purposes. Per the summary of the Privacy Rule, permitted uses include:

• Uses and disclosures necessary for treatment, payment, and healthcare operations
• Uses and disclosures for which the patient has a reasonable opportunity to object
• Uses and disclosures incidental to other permitted or required uses and disclosures
• Uses and disclosures made in the public interest, such as in public benefit projects
• Uses and disclosures of limited data sets for approved research

Furthermore, patients’ access to their own PHI must be unrestricted. This is not the case for other permitted uses, which must be limited to the minimum necessary requirement.

Other HIPAA Patient Rights

HIPAA laws provide patients with peace of mind, knowing their sensitive information is being protected to the best of the healthcare providers’ abilities. The HIPAA Enforcement Rule ensures that healthcare providers who don’t adequately protect patients’ health records face severe civil and criminal penalties — along with the consequences of cybercrime.

For example, covered entities who neglect HIPAA rules can face fines of up to $50 thousand dollars per violation, totaling up to $1.5 million dollars over the course of a year. In addition, intentional violations can carry fees of up to $250 thousand dollars and up to 10 years of jail time. While these measures don’t enforce security on their own, they do so by threat of penalty. The stringent nature of these penalties is what provides peace of mind to patients.

Let’s take a closer look at the other rules companies have to follow that provide patients rights.

Confidentiality, Integrity, and Availability

Under HIPAA, patients have the right to a reasonable expectation of privacy and security. The Security Rule builds on the baseline protections of the Privacy Rule, defining safeguards that ensure confidentiality, integrity, and availability of PHI through risk analysis and management.

According to HHS’s summary of the Security Rule, its primary protections include:

• Administrative safeguards – Top-level management of security processes and personnel, identity and access protocols, workforce training, and corrective evaluation
• Physical safeguards – Practices and procedures for monitoring and restricting access to physical devices connected to PHI, as well as physical spaces in which PHI is accessible
• Technical safeguards – Specific controls governing access to, auditing of, and integrity throughout cybersecurity infrastructure, especially communications over networks

While these safeguards are not framed as “HIPAA rights,” they constitute the safety precautions a patient can expect.

Security Breach Notifications, Guaranteed

Under HIPAA, patients have the right to know if, when, and how their data was accessed inappropriately. The Breach Notification Rule requires immediate reporting of data breaches to all parties impacted “without unreasonable delay.” In practice, covered entities must notify stakeholders by mail within 60 days of the breach’s discovery. If contact information for ten or more stakeholders is missing, the company must post a notification on its home page.

The Breach Notification Rule also requires two other forms of Breach Reporting:

• Secretary notice – For all data breaches, the covered entity must provide notice to the Secretary of the HHS, within a timeframe determined by the size of the breach:
• • Breaches impacting over 500 people require immediate notice (within 60 days)
  • Breaches impacting less than 500 people require notice within the calendar year
• Media notice – For any data breach that impacts more than 500 people within a given geographic area, the covered entity must notify a prominent media outlet in that area 

Across HIPAA’s four rules, patients’ rights are guaranteed by companies’ willingness and ability to comply. Compliance is essential not just for safety but for upholding patients’ HIPAA rights.

Accommodating Patients’ Rights and Needs

Compliance is the key to guaranteeing patient rights. But maintaining compliance can be challenging, especially for smaller to medium-sized businesses with modest or stressed IT budgets. Enter RSI Security.

Our comprehensive HIPAA and HITECH compliance advisory services include:

• Implementation and testing of Privacy Rule and Security Rule protections
• Auditing and monitoring of Breach Notification infrastructure and readiness
• Thorough risk analysis of your company and its patient data environment(s)
• Internal, external, network, and other forms of compliance penetration testing

Regardless of the challenges, HIPAA implementation can entail, RSI Security will tailor solutions to your company’s exact needs and means. Our expert team has helped companies achieve HIPAA compliance for over a decade. Whatever you need, we have it covered.

Professional HIPAA Compliance Advisory

Here at RSI Security, we know how critical compliance is for businesses in every industry, especially healthcare. We also know that compliance is hardly the end of cybersecurity; in fact, it’s just the beginning.

To fully protect clients, businesses should implement a powerful cyberdefense architecture complete with perimeter security (like web filtering), threat and vulnerability management, detection and response, and robust training and awareness. To see how our suite of managed IT and security services can help you guarantee your clients’ HIPAA patient rights and bolster your overall defenses, contact RSI Security today!

The post Basic Patient Data Rights Under HIPAA appeared first on RSI Security.

Let’s take a close look at what comprises healthcare penetration testing and how it can keep your business safe.

Healthcare Penetration Testing for HIPAA Compliance

The US Department of Health and Human Services (HHS) presides over the HIPAA framework. The HHS collaborates with cybersecurity experts and government agencies to develop requirements that protect healthcare companies, their partner companies, and their patients.

Penetration testing is a method that tests the strength of these requirements, making it an essential element of HIPAA compliance (though it’s not a HIPAA requirement). Below, we’ll walk through everything you need to know on the subject, providing:

• A detailed overview of HIPAA requirements related to penetration testing
• A comprehensive guide to the conventional forms of penetration testing
• A cohesive synthesis of how penetration testing facilitates compliance

By the end of this blog, you’ll know healthcare penetration testing inside and out. But first, let’s address a pressing question: why isn’t pen-testing a requirement of HIPAA compliance?

Penetration Testing: Not Required for HIPAA

Penetration testing is not a named requirement in the HIPAA framework. It would be possible for a company to reach complete HIPAA and HITECH compliance without conducting a single pen-test. However, pen-testing enables some of the most profound and most proactive risk analyses. Companies will have a much easier time complying with HIPAA’s strenuous Privacy and Security Rule protections by leveraging pen-test services.

Since as early as 2008, the National Institute for Standards and Technology (NIST) has recommended penetration testing to satisfy HIPAA’s requirements. Special Publication (SP) 800-66, which guides HIPAA implementation, names penetration testing as a critical measure toward achieving HIPAA Security Rule protections.

Why is healthcare penetration testing so essential? HIPAA doesn’t officially require it, but HIPAA’s efficacy depends upon it heavily.

HIPAA Compliance 101

The HHS first implemented HIPAA to protect the privacy and security of protected health information (PHI). It would later build upon these protections with the HITECH Act, which raised the stakes of enforcement and added a new Breach Notification Rule. But the key areas pen-testing applies to are the original Privacy Rule and Security Rule, detailed below.

HIPAA’s privacy and security protections apply to all of the following covered entities:

• Healthcare providers – Private practices such as doctors, dentists, and psychologists; facilities such as hospitals, nursing homes, and pharmacies; medical employees
• Health insurance plans – Health insurance companies and private companies that distribute health plans; governmental programs such as Medicare, Medicaid, etc.
• Healthcare clearinghouses – Entities that translate non-standard health information to standard formats, including certain service providers, digital platforms, etc.

Additionally, business associates of these parties must also implement HIPAA protections. All parties are responsible for each others’ non-compliance through business associate contracts. In practice, this means penetration testing is a robust business strategy for all parties involved.

Privacy Rule Requirements

The Privacy Rule is the core of HIPAA protections. It was the first finalized rule (in 2000) and established PHI’s initial definitions and the covered entities mentioned above. The Privacy rule also defined initial parameters of Enforcement, which would then become its own rule.

According to the HHS’s Privacy Rule summary, it comprises the following requirements:

• Restricting unauthorized use and disclosure – Covered entities cannot allow access to PHI unless the specific individual’s request for access meets one of the following criteria:

• • • Disclosure by or for treatment payment or operations
    • Disclosure of the individual’s PHI is agreed to by the individual
    • Exposure or use incidental to authorized disclosures or uses
    • Disclosure or use in the public interest or for public benefit
    • Disclosure of a limited data set for approved research

• Limiting authorized uses and disclosures – All use of PHI, except for requests by the individual or governmental agencies, must be limited to the minimum necessary principle

Covered entities can leverage pen-testing to identify unauthorized uses and their risk factors. Pen tests can also help determine if authorized access meets the minimum necessary principle.

Security Rule Requirements

The Security Rule builds on Privacy rule protections, extending them to the realm of electronic PHI (ePHI). Its first form surfaced in 2003 to ensure the confidentiality, integrity, and availability of ePHI through risk analysis and three categories of safeguards.

According to the HHS’s Security Rule summary, it comprises the following requirements:

• Administrative Safeguards – Focused on top-level controls for the whole company:
• • • Security process management focused on analysis and mitigation of risks
    • Security personnel management and designation of critical responsibilities
    • Access and identity management, utilizing the minimum necessary principle
    • Workforce training and development of a workplace culture of awareness
    • Evaluation and assessment of security policies’ and practices’ effectiveness

• Physical Safeguards – Focused on controlling access to devices and areas:
• • • Control of access to and use of facilities through proper authorization
    • Monitoring and control of workstations and devices connected to ePHI

• Technical Safeguards – Focused on technological specifications and settings:

• • Control over remote access to systems containing ePHI
  • Regular auditing, logging, and analysis of logs to correct security flaws
  • Control over proper maintenance, alteration, and destruction of ePHI
  • Control and restriction of access to ePHI via public network transmissions

Across these protections, penetration testing is directly applicable to the evaluation specifications under the Administrative Safeguards. However, pen-tests are also apt for identifying and correcting all confidentiality, integrity, and availability ePHI threats.

Penetration Testing 101

Often referred to as “ethical hacking,” penetration testing involves simulating an attack on your company to study the behavior of the “attacker.” This technique is uniquely apt for addressing HIPAA requirements by unveiling weaknesses and preparing all personnel for an actual attack.

NIST’s SP 800-115: Technical Guide to Information Security Testing and Assessment provides a framework for penetration testing for many situations. It comprises four primary stages:

• Planning – The contracted hacker and the target company negotiate expectations and boundaries for the simulated attack, including special focuses and off-limits data

• Discovering – The hacker scans, inventories, and analyzes the target company’s security infrastructure, including its relative strengths and weaknesses

• Attacking – The hacker launches the attack on the company, seeking to infiltrate a specific target or take control of the whole system as efficiently and covertly as possible

• Reporting – The hacker finishes the attack and “exits” the company’s systems undetected, then reports back on their findings to facilitate corrective action

There are two primary forms of pen-tests: external and internal. Each offers different insights into how a hacker would compromise your defenses and seize your PHI (or other valuable information). Let’s take a close look at each, starting with external pen-testing.

External Penetration Testing

Sometimes referred to as “black hat testing” or “black box testing,” external penetration testing is the most basic and comprehensive way to study an attack “from scratch.” The pen-testing team of ethical hackers is given no inside information (or very little information) to simulate all elements of a potential attack. Typically, an external pen-test goal is to track the exact entry points through which the hacker gains access to the “inside” of your system. These weaknesses are then corrected in collaboration with the hacker team to close all unguarded entry points.

External pen-tests are often conducted from vantage points outside of your company’s premises. Remote attackers begin by identifying weak points in your cloud architecture, wireless networks, and web applications. Simultaneously, they may also engage in social engineering schemes such as general phishing or targeted “spear” phishing campaigns. In some cases, the attack ends once the hacker is spotted. In others, it only ends when the hacker is stopped.

Concerning HIPAA requirements detailed above, external pen-testing is especially beneficial for business associates seeking general awareness of vulnerabilities impacting their ePHI.

Internal Penetration Testing

Also commonly known as “white hat testing” or “white box testing,” internal penetration testing is a more targeted form of ethical hacking. It involves simulating an attack directed by a person with privileged knowledge of the company’s cybersecurity architecture.

An internal pen test’s planning stage is often much more involved than an external pen test. It includes negotiating what precisely the attacker has access to, such as:

• Physical access to a computer or smart device connected to private servers
• User account credentials, current or old, with privileged status and access
• Enough knowledge of private network details to override safeguards

Since the hacker already begins “inside” the company’s systems, in one way or another, the goal of an internal pen-test is not to study how they infiltrate barriers. Instead, the analysis focuses on exactly how the hacker behaves once inside, how quickly they seize control of the whole system, or how they approach targeting a specific protected dataset (ePHI).

Like external pen-testing, internal pen-tests are extremely valuable for the business associates of covered entities. Pen-tests are also one of the best tools to analyze the largest and most complex stashes of ePHI, such as those presided over by healthcare providers themselves.

HIPAA Penetration Testing 101

Many companies utilize a hybrid “grey hat testing” or “grey box testing” approach to optimize penetration testing for covered entities and business associates. For example, RSI Security’s pen testing services include external and internal pen-testing elements applied to all areas of a company’s cybersecurity infrastructure. Some individual tests we offer include:

• Firewall penetration testing for your company’s outermost web filtering layers
• Network security penetration testing focused on wireless networking devices
• Cloud computing penetration testing for AWS and other shared servers
• Web application, mobile application, and mobile device penetration testing

All of our pen testing services are highly customizable. We’ll tailor our simulated attack, report, and analysis to your compliance and general cyberdefense needs. This includes mapping onto HIPAA-specific requirements and any other regulatory frameworks.

Comprehensive HIPAA Advisory

As powerful a tool as penetration testing is and as apt as it can be in facilitating full HIPAA implementation and compliance, it’s far from the only cybersecurity service you’ll need. For more comprehensive coverage, RSI Security offers a suite of HIPAA compliance services. We’ll work with internal IT personnel to plan your cybersecurity architecture from scratch. We can also analyze your existing measures and generate a patch report on your architecture gaps (and how to fix them).

Wherever you are in your journey toward complete HIPAA and HITECH compliance, we are happy to help get you to the next stage. And penetration testing is just one part of that holistic process. See our HIPAA services datasheet for more information on our compliance package.

Professional Risk Analysis and Compliance

RSI Security’s HIPAA package is just one part of our comprehensive suite of compliance services. We know just how essential HIPAA compliance is for covered entities and business associates. We also know many of these impacted companies work within multiple industries, many of which require their own regulatory contexts: from PCI-DSS to CMMC to HITRUST and beyond.

That’s why HIPAA penetration testing and compliance are just two of the many managed IT and security services we offer. Our team of experts has helped businesses of all sizes bolster their cybersecurity for over a decade. To see just how powerful your cyberdefenses can be beyond compliance requirements, contact RSI Security today!

The post Healthcare Penetration Testing for HIPAA Compliance appeared first on RSI Security.

This article will explore the three components of a cyber hygiene checklist and how you can implement it into your organization. 

Cyber Hygiene Checklist

The cyber hygiene checklist should help your organization develop and adhere to a security routine, maximizing its benefits. This commitment will also help improve the overall cybersecurity posture of the organization.

To make the checklist easier to digest, we have broken it down into three main categories:

1. People 
2. Processes 
3. Technology

These three categories are the building blocks to any organization and are also the main ingredients to a robust cybersecurity architecture.

People

People form the bulk of any organization. They should also form the mainstay of your cyber defense. Unfortunately, this is not the case. Untrained staff tends to do this opposite and are a liability instead of an asset.

Human error remains the number one reason for data breaches. For this reason, the “people” aspect of your business should make up the majority of your cyber hygiene practices.

The “people” hygiene checklist would include:

• Policies to protect against phishing
• Continuous security awareness training
• Correct workstation use
• BYOD policies

Policies to protect against phishing

Attackers are using phishing more, both as a way to scam customers and as a means to gain access to business information systems. Although organizations can stop most phishing attempts by blocking links from being opened, it is still an issue you must address at the human level.

This protection means implementing policies on how to handle emails from unknown sources. It should be standard that employees must never open links from anonymous email addresses on a company workstation or any device connected to the organizational network. 

The hygiene aspect of this policy is to maintain a level of awareness around phishing within the organization. It might mean weekly email reminders to all staff and possibly sending “fake phishing emails” to test organizational readiness.

Continuous Awareness Training to Protect against Social Engineering

Similar to phishing, general security awareness to combat social engineering should form part of your routine.

While phishing is more specific to link baiting, social engineering can cover a wide array of vulnerable access points. This, of course, still refers to the human network of the organization. Social engineering is an excellent way for attackers to exploit a weakness in the human network. And as the saying goes, you are only as strong as your weakest link. Ensure that your organization makes a habit of security awareness training, specifically to combat social engineering. 

Much like phishing, you will need to combat this at the root level. You will only be resilient if the training covers as many scenarios as possible. 

For example, using social media in the workplace might encourage attackers to befriend employees and use that connection as a channel to gather intel on the information system.

Implementing Bring Your Own Device (BYOD) Policies

With the rise of remote working, using personal devices is becoming a mainstay in the work environment. Bring Your Own Device (BYOD) means employees bring their own devices into the workspace.

This method of working has many benefits to employee efficiency and can help reduce operational costs. However, there are some drawbacks. The information systems security can suffer from numerous non-standard devices attaching to the network. Often less of a problem with smaller businesses, but there is a blessing in disguise here. It provides an opportunity to boost your security posture if you implement a BYOD policy.

The policy should cover how individuals should protect themselves from online threats. And as part of the procedure, a “hygiene” routine should be established into the policy, which means employees regularly virus scan their own devices and utilize techniques like Multi-Factor Authentication (MFA) when connecting to organizational networks. 

Using this policy transfers well to remote-working environments and builds a culture of security within your staff. 

Processes

The next category you will want to cover in your cyber hygiene checklist is the processes. The processes are all the procedures that aid in organizational security. There are some reasonably standard processes that you will want to build into your cyber hygiene routine. These processes are often referenced in some reputable cybersecurity frameworks like the NIST 800 and the CIS CSC. Keeping track of these processes can even drastically help reduce the chance of a data breach.

Inventory of software assets

The most basic form of cyber hygiene is inventory management. The first form is keeping an inventory of software assets. Essentially, this means keeping a list of all installed or used software on the information system. This inventory makes it easier for you to identify what systems need updating and those that providers no longer support. 

However, this is a basic example of what keeping a software inventory can do for you. Later on, you will also see that keeping a stock of software assets helps in vulnerability management.

Inventory of hardware assets

Much like the inventory of software assets, the list of hardware assets keeps track of all hardware used on the information system. This stock tracks all the workstations, servers, and devices hooked up to the organizational network. 

Keeping a list of these items helps in threat detection. For example, knowing how many laptops are authorized to access the company wifi means you know when there is one too many. It could indicate that the extra laptop maybe an attacker who has just gained access to the information system.

Vulnerability Management 

One of the more critical undertakings when it comes to cyber hygiene is vulnerability management. If you are trying to build a security-conscious organization, you will need to incorporate a system to scan your information system consistently.  This scanning system identifies any vulnerabilities that an attacker could exploit. The management aspect comes into play when deciding on what to do when you discover a vulnerability.  

Depending on the vulnerability’s risk, your organization might choose to ignore it or patch it. It is usually a balancing act between the available security budget and the opportunity cost of leaving the vulnerability unpatched.

In most cases, it is ok to ignore vulnerabilities that pose a low risk to sensitive data or critical business infrastructure.  

Threat Analysis

Just as essential as vulnerability management, threat analysis should form part of your cyber hygiene repertoire. 

This process requires your organization to stay on top of the threat landscape. Attackers continuously look for new attack avenues, exploit vulnerabilities, and develop new threats, like ransomware and trojans. 

Anti-virus and a strong firewall should be able to deal with the more traditional types of threats. But new threats and exploits spread amongst hacker communities like wildfire. A new threat that targets your industry could be discussed on forums and other channels used by hackers.  

Keep an eye on white-hacker forums and threat-watch boards that will broadcast discovered vulnerabilities and threats that affect widely used operating systems and devices.  

Controlled User Access

Many businesses in the start-up phase or those that have yet to integrate an IT department will often neglect one of the most critical aspects of information system management. And that is controlled user access. Many operating systems have controlled user access or privilege settings built into them. 

This system allows the administrative user to set the privileges of all other users on the network. Controlled user access protocols mean that lower privileged accounts do not have access to sensitive data or business-critical information. 

Attackers can quickly gain access to this type of information by accessing an admin account, which is why you should always enable Multi-Factor Authentication (MFA) on all high-level accounts.

Technology

Although organizations mainly consist of people and management frameworks, you can always employ tools to make your life easier. And with the cyber hygiene checklist, there are some tools of the trade that no cybersecurity professional will leave out of their toolbox. 

There are a wide array of cybersecurity solutions that work for specific industries and situations. However, the ones on this hygiene checklist are tried and tested to implement well in any information system. You should always strive to apply them to your business information system.   

Anti-Malware and Anti-Virus

You can’t take one step out into cyberspace without hearing about malware and viruses. These threats not only attack businesses but are a severe concern for customers too. Thankfully, the security industry has been developing solutions to combat this problem since its inception, anti-malware and anti-virus.

No information system is genuinely safe without this basic defense solution. If you have no security budget, at least invest a little bit into a decent anti-virus program. 

Firewalls

Much like an anti-virus, a firewall is another essential tool for any organization willing to combat cyber threats. Technologically speaking, this is your first line of defense. The firewall will block any troublesome traffic that is trying to access your information system. Most operating systems will come with a built-in firewall. 

But if you can afford it, invest in your security by using a next-gen firewall. These firewalls move beyond just port and protocol inspection and work on the application layer too. Meaning they are better suited to the modern business environment. 

SIEM systems

Security Incidents and Events Management (SIEM) systems are arguably the best technology investment for cyber defense. The SIEM will continuously scan the information system and flag any suspicious events, such as users logging in during out-of-office hours. In terms of good cyber hygiene, your team should be consistently updating and celebrating the SIEM so it can return better results. 

It is one of those cases where the more it is used, the better it gets at doing its job.     

MFA and 2FA

We have mentioned Multi-Factor Authentication (MFA) in a few sections of this article already. But it is a super important tool in combating intrusion that we will go into a bit more detail here; it is technology, after all.  The baby sister of MFA is Two-Factor Authentication (2FA), generally speaking, this is accepted as a standard layer of security on many mainstream platforms. 

For example, if you have a Google account, it will sometimes ask you to verify your login using a code sent to your phone. 

As part of your cyber hygiene routine, you should employ at least 2FA on as many systems as possible. MFA is a more secure form as it adds extra layers like biometric data (think fingerprint unlocking on your smartphone).

Make sure to update staff on MFA use and teach them to be more conscious of how they log into their business accounts.

Closing Remarks

Like brushing your teeth, your information security is consistent practice and will need regular maintenance if you want the best results. This cyber hygiene checklist went over some key aspects to integrate into your security practice, branching over three categories:

• People 
• Processes
• Technology

Some parts of the routine will require more maintenance than others, but the whole practice is applied holistically, where each element helps build on the others.

If you are looking to improve your cybersecurity posture, look no further than RSI Security. The nation’s premier security provider is here to instill the best cyber hygiene practice right for your business. Get in contact with us today, and schedule a consultation here.  

The post Your Complete Cybersecurity Hygiene Checklist appeared first on RSI Security.

Let’s discuss. 

Do I Need A Personally Identifiable Information Policy?

A Personally Identifiable Information (PII) policy is a mechanism for better managing PII within your organization. While you might have an obligation to protect personal data, having a PII policy is not compulsory, unlike a privacy policy, which we will see later on. However, a PII policy will drastically reduce any potential privacy risks before attackers can exploit them, which we explore in this article.

Unlike data mapping and privacy policies, it is not a regulatory requirement for an organization to have a PII policy. It will make life much easier regarding personal data protection, employee security awareness training, and compliance strategy for your organization to go through the process of constructing a PII policy. 

Let’s find out what makes a good PII policy.  

What Is PII 

Before jumping into policy creation, you will need to understand what constitutes personally identifiable information. A few regulations cover PII protection, and most of them share a similar definition of PII.

Essentially, PII is any form of data that, if exposed, allows another entity to identify that data’s producer.

Below you will find some personally identifiable information examples:

• Names and addresses
• Gender or sexual orientation
• Religious or political affiliations
• Identification numbers like SSN
• Financial information: bank numbers, credit card info
• Race
• Telephone numbers
• Government records: criminal, tax, etc.
• Email

You should note that this is not a complete list of PII. Any data that you think could identify a person is PII. For example, in some more advanced cases of attackers can use metadata to steal people’s identity. Like knowing buying habits and hobbies allows the more creative fraudster to spoof identification verification processes.

Regulations That Cover PII

As stated previously, there is a significant shift in the regulatory landscape where governments are pushing companies to adopt a more security and privacy-conscious PII attitude.

The big daddy of data protection law is the GDPR. It’s almost impossible to visit any website nowadays without being bombarded with cookies and privacy policies. Thanks to regulations like the GDPR, businesses need to pay more attention to the handling of individuals’ data. 

The GDPR is not the only regulation, and it also only protects European data subjects. California has stepped forward as a proponent of privacy rights with the California Consumer Privacy Act (CCPA). Conversely, the CCPA only pertains to Californian residents. 

More states and other countries will likely begin adopting data protection laws. The trend is not looking to slow down; it’s better to remain ahead of the curve.

If your organization is processing any Californian consumers or EU data subjects’ data, then a PII policy will help you in your compliance mapping strategy.

Privacy Policy vs. PII Policy

The privacy policy is a term thrown around a lot in online business, and for a good reason. Most data protection laws and those pertaining to Western enterprises require your website or online business to have a privacy policy. 

But there is a distinction to be made between a privacy policy and a PII policy. While both approaches surround the use of personal data, a privacy policy is outward-facing, and a PII policy is inward-facing. 

Privacy policies are for your customers to see. It gives them options on how you can use their data. It lays out how you use their data and how you are complying with regulations. The better privacy policies will also tell customers and data subjects how they can access the data you hold and the process of deleting the data.

However, a PII policy is an organizational policy meant for personnel. The policy dictates how the business’s internal mechanism will handle PII and how staff should conduct their job function if it requires PII processing.

In the coming sections, we will explore in more detail the ingredients that go into the making of a PII policy and, finally, the recipe to an acceptable PII policy.

PII Policy Ingredients

Before developing and implementing a PII policy, you will want to take some time to prepare. Knowing the data you hold, the processes used, the states of data, and understanding the regulatory requirements will help you develop the best policy for your business.

Data Mapping

Some data protection regulations, namely the GDPR, call for your business to employ a data map. Thankfully, if you comply with the law, you will already have a developed data map. 

The data map will significantly help in developing your PII policy. Essentially, a data map, as the name suggests, is a map of all the personal data on your information system. It tracks the journey data takes across the information systems from collection to deletion. We have a wealth of information about data mapping on our blog, which you can check out here. 

But let’s briefly go over the basics of data mapping, later we will see how this will help develop a PII policy.

A data map is relatively simple to conduct; here is a quick step guide to data mapping:

1. Taking Inventory: assess the kind of PII you are processing and see where it is stored. 
   1. Understand its format: on hard drives, in the cloud, on a piece of paper? 
2. Source: where is the personal data being collected? Is it coming from a website portal? A call center?
3. Process: How is the data being used? Is it for sales purposes? Is the organization offering services that require it? Who is allowed access?
4. Destination: where does the data end up? Is the process streamlined? The destination element is different from inventory because the inventory is just to get you started. The destination will end up forming part of the map.
5. Destruction: How is the data being destroyed? Is it being disposed of properly? Does it have a defined life cycle? What happens to the data of inactive users?

Once you have answered these questions, you can begin to build the data map. The completed plan will then help in developing a policy. With it, you have a visual aid and a bird’s eye view of who has access. 

The data map is a significant part of the PII policy; you only want authorized personnel to have access and control.

States of Data

The “states of data” is the next thing you will need to consider when creating a PII policy. Data can be in three different “states”:

• • Data in use: this is any personal data currently being processed, providing a service, or facilitating an employee’s job function.
  • Data at rest: refers to any data stored at the end-points of an information system.
  • Data in motion: this is any data currently in transit, either over internal or external networks.

The three different states of data will play a role in shaping the PII policy. Each segment state will have additional personnel and business partners interacting with them. Understanding the data states will also allow the organization to apply the appropriate data protection measures.

Regulatory Requirements

Your industry might have specific regulations that you will need to factor in when developing a PII policy. Standard regulations are mentioned in this article, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), either or both of which are likely to apply. However, there are specific laws that pertain to specific industries. For example, if you work in the healthcare industry, you will need to include HIPAA and HITECH in your policy.

Finally, employee data is still PII. And even though consumers are at the forefront of data protection discussion, the critical infrastructure industry still requires PII protection. 

Suppose a business that is part of the bulk energy supply (BES) infrastructure has a data leak, and employee information is leaked. This leak poses a threat to the individual’s privacy and could also be used to attack the energy infrastructure provider. The fallout could have catastrophic effects on thousands of lives. 

Technical Safeguards

The final piece of the puzzle is assessing what technical safeguards will need to be employed. This factor is vital to the policy because some personnel in the organization will not be technically capable.

This means that whatever safeguard you use, the staff will need to understand how to use it properly. For example, if you choose to install and use a PII scanner, anyone connected to the information system will need to train in PII scanning. 

The same goes for all other safeguards, some of which may be:

• Password management tools
• Accounts and user policy tools
• Network security and connectivity software
• Cloud storage security

PII Policy, The Recipe

Continuing to use the cooking analogy, if the preparations were the ingredients, now it’s time to start cooking. The policy is the recipe that the organization will need to follow to make a perfect privacy protection meal. Essentially, these are the rules that the security management will have to implement and that staff will have to address.

Access Controls

The first part of the policy should discuss access controls. Access controls are the technical safeguards implemented on the information system that restricts access to authorized users. When it comes to PII, you will need to restrict access on a job function basis. Because the policy governs the internal mechanisms, some will need to access personal data to complete their job function.

If you use the “data states” as a basis of the policy, it will create access controls that are much more manageable; let’s explore. 

• • Data in rest: data in rest is generally of little use to any organization members actively engaged with customers. The data is static in a storage system; for this reason, it might make sense only to give access controls to the security team or the organization’s data custodians. It will be their job to ensure the secure execution of personal data to genuine users.  
  • Data in use: this data state is a bit trickier to control. It might be flying through various information systems on a busy day, accessed by both the producers (customer) and data processors. The information system must have an active SIEM tool to track the data’s movement and alert the organization if abnormal patterns are detected. As part of the policy, the members who require access for their job function should be the only ones who have access to “data in use,” and they will need training in SIEM detection.
  • Data in motion: this state is another pretty straightforward one. Simply put, it’s for the network guys. “Access” is a strange word to use here because you don’t precisely access data in motion. But there are controls in place that govern movement, where network security specialists will have to take over.

Now that you have decided who gets access to what, it’s time to implement the how. 

Establish Rules Of Access 

The rules of access are how PII can be used and processed within the organization. Setting up access controls shows who can access the data, but you must also develop a policy on how it should be processed. 

Some examples of rules within the policy may be:

• • Time locked access: office hours are generally between 9-5 for most companies. It will make sense to enact a policy that allows authorized employees to access personal data during office hours. This rule will not only make it easier to detect possible breaches (if data access occurs outside office hours), but it will also limit access during remote work. As it encourages job completion, if working from home, to occur during standard office hours. 
  • Password management policy: all authorized accounts will need to follow a password management policy. An approach like this means passwords that access sensitive data will need to have a lifecycle, i.e., replaced every 30 to 90 days. Other rules go into password management, which you can read about here.
  • Transferring personal data: network security plays a significant role in personal data. Many organizations will have some network system, whether local or on the cloud, that manages their data. The PII policy should dictate the rules of transfer. What kind of networks it safe to send it over, and what platforms are allowed (i.e., email or otherwise).
  • Third-party Networks: it is likely, given the global business environment, that your business has an extensive third-party network. Within that network of third parties, personal data may be shared. It is paramount that you bring all business partners and service providers under one risk management umbrella. This requirement is slowly making its way into regulations. It will soon become a legal requirement for organizations, so it is best to be one step ahead and discuss PII management with your network today.

The rules should extend to fit the size and culture of the organization. You should also consider what the needs of your organization are and mold them to the policy.

Conclusion

Don’t let negative public perception hurt your business or reputation. Show your customers that their data and their privacy are your top priority. With a personally identifiable information policy, you can ensure that everyone in your organization instills a sense of privacy by design and default. 

Let us help you design the best personally identifiable information policy for your business. RSI Security is the nation’s premier cybersecurity provider, and with the experience under our belt, you can ensure that we can meet your security needs. Get in contact and schedule a consultation today.

The post How To Make A Personally Identifiable Information Policy appeared first on RSI Security.

This article will discuss that data and how you as a processor can best protect it. 

Special Categories of Personal Data

What makes data special? According to the GDPR, special category data (SD) is personal data that, if leaked or lost, could have serious privacy concerns for the data subject. In the next section, we will explore the difference between regular personal data and special categories. 

The kind of data that the GDPR considers “special category” are listed below:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Biometric or genetic data
• Health data
• Data concerning sexual orientation or sexual life

The privacy risks surrounding special categories of data go beyond identity fraud. Using the data mentioned above to identify a data subject could have adverse effects and could cause:

• Reputational damage or embarrassment
• Discrimination or personal harm

For this reason, the regulation distinguishes special categories in an article of its own and outlines restricted means of processing, which we will discuss later. 

Personal Data vs. Special Category Data

What is something that you own but everyone else uses?

Your name. 

Your name is a form of Personally Identifiable Information (PII) but does not fall under special categories. Personal data and special category data are both a form of PII. The difference is that the regulation puts more restrictions on the processing of special categories. 

As we mentioned prior, exposure to SD can significantly impact the data subject’s rights and freedoms. However, this is not the case for personal data; finding out someone’s name is unlikely to have a massive impact on their rights and freedoms.

We should clarify that the “rights and freedoms” do not refer to the ones mentioned in the GDPR (for example, the Right to be forgotten). But instead, refer to the general rights and freedoms afforded to all EU citizens; this is what makes the special categories data “special.” 

Some examples of a general right would be: 

• Freedom of thought, conscience, and religion
• Freedom of expression
• The right to bodily integrity

The idea being that processing this kind of data could interfere with these types of rights and freedoms. Hence, organizations need to take extra care when dealing with this type of data.

While other personal data types are also considered sensitive, the loss would not raise the same issues as special categories would.

You will still need to apply the same safeguards to both types of data. The reason being that in a data leak, aggregated personal data can give attackers access to your customers’ digital livelihood, exposing them to all manner of identity fraud and financial loss. 

Lastly, unlike personal data, you cannot process special categories under the legitimate interest category, and lawful processing is a more stringent requirement. This would only apply to businesses anyway, and government bodies have slightly different rules, which we will explore next.

When Can You Process Special Category Data?

There are rare cases when a business can process this category of special data. The lawful processing of special category data falls under article 9 of the regulation. 

Within the article, the processing of this kind of data is strictly prohibited unless you can satisfy the article’s conditions. There are complicated legalese in the article, so we will simplify it, but you can find it here if you wish to check out article 9 in its entirety.

If you are a business, you can only process this kind of data if you have express consent from the data subject. There is no legitimate business interest that will allow you to process special categories lawfully. 

And it is essential to mention that even with express consent from the data subject, member states can still explicitly prohibit the processing at their discretion. Member states are just EU countries included within the regulation. 

This means that even though the French government allows French data subjects to consent, the German government might not. Please keep in mind that this is just an example, so please check with local law enforcement whether this is possible or not, and don’t hesitate to contact an expert for compliance advice. 

However, there are cases where processing is still lawful, although consent is not received. In brief, the exceptions are: 

• Obligations in the field of employment 
• Protect the vital interest of the data subject, and the data subject is incapable of giving consent.
• Foundation or non-profit with a religious, philosophical, or trade union membership aim, with a legitimate interest (keeping in mind that appropriate safeguards must still be employed)
• Personal data that is manifestly made public by the data subject
• Courts acting in their judicial capacity
• Reasons of substantial public interest

It is unlikely that business will satisfy any of these reasons. In the cases that express consent is given, and whether or not you have other lawful grounds to process that data, the protection of data falling under the designation of special categories is important.

Protecting Special Category Data

Protecting special categories does not differ that much if you are already employing high-standard security methods. But some precautions must be highlighted when dealing with processing. 

The GDPR outlines two main safeguarding techniques that will also result in compliance if implemented correctly:

1. Organizational Safeguards
2. Techncial Safregaruds

However, there is no specific mention of how the organization should implement these safeguards. Neither is there any mention of what the organization should be using (in terms of software solutions or method).

But the cyber industry has worked closely with regulators. It is consistently developing new frameworks and agreeing on best practice methods, which we will take you through in the coming sections.

Organizational Safeguards

When it comes to protecting special categories of data, the organizational safeguards will form most of the strategy. Managerial safeguards are the techniques of data protection that are on a company-wide scale. 

It doesn’t look at the information system in isolation but rather as a living system that involves many moving parts.

You will often see policies as the main driver behind organizational safeguarding implementation.

Risk-Based Approach To Special Category Data

The GDPR stresses the importance of taking a risk-based approach to security. Essentially, organizational security becomes a good management practice over applying the latest software solutions as a catch-all to your security needs.

This is especially true regarding special category processing. Human error is still the main culprit of data breaches. Applying appropriate technical safeguards is one thing, but if a staff member ends up losing the data in an unencrypted storage device, the whole exercise is pointless. 

So when we refer to a “risk-based approach,” we mean realizing all the potential ways the information system could fail for reasons other than technical cyberattack (i.e., breaches bypassing encryption). 

What does it look like to have a risk-based approach to select categories of data protection?

Generally, you will take a risk-based approach through enacting an organizational security policy. 

Here are some examples of organizational policies regarding the processing of special category data you want to employ.

Access Controls: you should limit who has control over the special categories of data. Access should only be authorized to personnel who require it for their job function. Another form of access control can come from a password management policy. All staff who have authorized permission will need to adhere to the password management policy as an extra security layer. Employing these additional steps will show good faith with the regulators and keeping you on the right side of the law.

Privacy Risk Assessments: All staff members involved in processing special categories will need to be aware of the privacy risks associated with processing this kind of data. When forming the risk assessment, you should involve as many personnel as possible and keep them up to date on all policies regarding:

• Threat analysis
• Vulnerability management
• Incident response management and planning

Involvement in these business operations will help mitigate privacy risks.

When in doubt, framework it out: you don’t need to build a security strategy from the ground up. Take advantage of the many security frameworks that established organizations have worked hard to develop. Many industries already use frameworks like:

• CIS CSC
• NIST 800 SP
• ISO 27001
• NIST Cybersecurity Framework

Take some time to examine which one will work best for you, and use it as a road map to security implementation. Many will already cover necessary data protection and more. In short, it will help you achieve privacy by design and default.

Staff Awareness Training

Enacting policy is one thing, but no one following it is an entire challenge in itself. Designing an acceptable security policy will only get you so far. You need to make a concerted effort to ensure all staff is on the same page as you.

A staff awareness training program will do just that. The policies designed through implementing organizational safeguards will guide you in developing a training program. The policies essentially become the training requirements.

Coupled with the proper use of technical safeguards (discussed in the next section), you will have a complete staff awareness training program.

Technical Safeguards

The technical safeguarding of special categories of data will involve the use of software solutions. 

The GDPR does mention the use of technical safeguards, but only one article mentions the direct use, which is encryption. However, other forms of safeguarding go beyond just encrypted or pseudonymization of personal data, which we will explore in this section.

Encryption Methods

The number one technical safeguard is the use of encryption. Encryption is directly mentioned in the regulation, so you can’t discuss technical safeguards without talking about encryption methods.

Some common type of encryption methods that would be appropriate to use in protecting special categories of data are:

• PKI infrastructure: critical public infrastructure is a common enterprise encryption solution as it works well for sizeable private information systems. It is adaptable to the number of users, and it is also commonly used on the internet today.
• SHA 256 and Hashing: Hashing is an encryption technique used in password protection. Some blockchains will also use hashing cryptography as a means of security, and it transfers well to data protection. 
• Pseudonymization: another technique mentioned directly in the regulation. This process involves removing specific “identifiers” from the data. This way, attackers who do get a hold of the data cannot make a logical assumption about to whom the data belongs.

The main goal of encryption is to ensure the integrity of the special categories of data. Encryption ensures the “message” or data, in this case, has not been tampered with or altered in any way. It also means that any breach would mean that the data remains secured behind an encryption wall.

Ideally, the encryption would stop the breach from happening, but it is best to be extra secure and encrypted the data itself. 

Social Proofing

Social proofing is an organizational issue, but the technical aspects also make it a technical safeguard. Essentially, social proofing is ensuring that your personnel doesn’t fall prey to social engineering.

This form of safeguarding should be the main focus of the staff awareness training program. However, it should not be limited to only social proofing (staff training in proper workstation use and the appropriate handling of sensitive data is vital). 

Some techniques of social proofing involve:

• Spam and phishing awareness: staff should be aware of links and spam emails and how to detect and avoid them.
• Social media phishing: hackers are becoming more sophisticated. They will target staff members and attempt to befriend them to access sensitive parts of the information system.

The staff must know social proofing techniques when dealing with special categories of data, as the potential privacy risks attributed to this type of data are very high.

Conclusions

You will need to take extra precautions if you are processing special categories of data and ensure that you are legally allowed to process it in the first place. However, the security process of protecting that data does not differ too much from the standard security approach. 

As long as you are always employing best practice models, you can assure your data subjects that their data protection is your top priority.

And if you are looking for the best practice approach to data protection, get in contact with RSI Security today.

We can help you reach your GDPR compliance goals. Whether you are processing special categories of personal data or need help developing a compliance strategy, RSI security is here for you. Schedule a consultation here.

The post The GDPR Special Categories of Personal Data appeared first on RSI Security.