3: Presentation Summaries - FlameSpyro/Tech-Journal GitHub Wiki

Health Insurance Portability and Accountability Act (HIPAA)


  • Signed into law by President Clinton in 1996, HIPAA was introduced to improve the portability and accountability of health insurance coverage.
  • It can be summarised as a law under which health and service workers cannot share a patient's protected health information (PHI) beyond treatment, payment and health care operations without the patient's authorisation. This gives patients an understanding of, and control over, what personal data gets shared.
  • HIPAA applies to "covered entities" (health care providers, health plans and health care clearinghouses) and to the business associates that handle PHI on their behalf; health care organisations, insurers and pharmacies are typical examples.
  • Consequences for failing to comply include civil fines, and for the most serious criminal offences fines of up to $250,000 and up to ten years in prison; professional licensing boards may also suspend a licence.
  • Controls under this act fall under 3 groups:
  1. Privacy Rule: Sets the standards for the use and disclosure of protected health information.
  2. Security Rule: Specifies the administrative, physical and technical safeguards that covered entities must implement to secure electronic PHI.
  3. Breach Notification Rule: Requires that, if PHI is compromised, the covered entity responsible notifies the affected individuals (and HHS, and in larger breaches the media) of what has occurred.

  • Downsides to this act include the lack of choice in some matters, since some organisations require your medical information no matter what. It also only covers PHI held by covered entities, and individuals cannot sue under HIPAA in the case of a breach (there is no private right of action).
  • HIPAA is relatively easy to comply with as long as the covered entities regularly review their safeguards and check for any breaches.
  • Overall it is a very strong way for a medical provider to gain the trust of patients and customers.

General Data Protection Regulation (GDPR)


  • The GDPR's lineage starts with the UK's Data Protection Act of 1984, followed by the EU Data Protection Directive of 1995. The European Commission later proposed the General Data Protection Regulation, which was adopted in 2016 and took effect on 25 May 2018.
  • In summary, the GDPR gives users more control over their personal data and what is done with it. It grants data subjects the right to access, correct and delete their data on request, and to be informed when their data has been breached.
  • This is a massive regulation, as any business that operates on a global scale must follow its rules and guidelines: as long as a company processes the personal data of people in the EU, it must comply, wherever it is based.
  • The regulation hit large companies hard and caused a wave of panic as they scrambled to meet its requirements across their size. Smaller businesses had an easier time complying, since they do not store as much information.
  • GDPR protects EU citizens and their personal data by holding businesses accountable for mishandling it through monetary penalties: fines of up to €20 million or 4% of global annual turnover, whichever is higher.
  • The big downside is the lack of flexibility for organisations that benefit from data sales. Because strict enforcement could hurt some industries, such as driving companies, the regulation isn't always enforced as heavily.

Gramm-Leach-Bliley (GLBA) and Sarbanes-Oxley (SOX)


  • The Gramm-Leach-Bliley Act dates from 1999, when it repealed parts of the Banking Act of 1933 (Glass-Steagall). Sarbanes-Oxley was passed in 2002 as a reaction to the Enron and WorldCom accounting scandals.
  • GLBA centres on financial organisations that offer services such as loans and other money-lending services. It requires those organisations to explain how they protect and share their customers' private information.
  • SOX is intended to protect investors from similar incidents by requiring accurate, audited financial reporting.
  • Under GLBA, the financial institutions themselves are responsible for complying with its terms.
  • SOX applies to publicly traded companies that deal with investors, which are required to follow it.
  • Controls for GLBA include:
  1. The Privacy Rule: Specifies what data is gathered, how it is used and shared, and what it takes to protect it.
  2. The Safeguards Rule: Procedures to preserve information security. It is enforced by the FTC and requires businesses to put precautions in place against cyberattacks, including putting at least one person in charge of the security programme.
  3. The Pretexting Rule: Prohibits obtaining customer information under false pretences or any other form of social engineering. Employee training must be developed to recognise and avoid such attempts.

  • SOX specifies many controls and requirements that must be put in place; some of the crucial aspects are summarised in the image below. [image not reproduced]

  • GLBA compliance should already be a prerequisite for the organisations it covers, since financial institutions depend on customer trust. The Safeguards Rule is the most difficult to follow, as putting proper cybersecurity measures in place takes time.
  • SOX may be tough to follow, because its guidelines can lead to the restructuring of an organisation.
  • As for benefits, GLBA protects consumer records while boosting trust between the consumer and the institution.
  • SOX prevents information from being withheld from shareholders and gives transparency in financial reporting.
  • Drawbacks of GLBA include its lack of teeth on privacy and security; SOX's drawbacks are its tough penalties and the burden of additional audits.

Payment Card Industry Data Security Standard (PCI-DSS)


  • PCI-DSS began in 2004 as a collaboration between the major card brands, such as American Express and Mastercard, to create a single security programme.
  • The goal of the programme was to provide an additional level of security for cardholder information handled by merchants.
  • Businesses, point-of-sale (POS) sites, and anything else that stores, processes or transmits cardholder data must comply with PCI-DSS.
  • Controls and obligations that must be met include:
  1. Protecting any information related to card data
  2. Being responsible for repaying banks for fraudulent charges
  3. Protecting systems against forms of attack
  4. Covering the cost of forensic investigations if a breach occurs

  • PCI-DSS isn't a law; it is a contractual standard. If the contract is breached, penalties include fines of up to $100,000 per month for non-compliance.
  • PCI-DSS is difficult to implement because of requirements such as tracking and logging all access to network resources and cardholder data.
  • Benefits include a strong security standard, lower risk of breaches, and good flexibility for smaller companies.
  • Drawbacks include the difficulty of implementing, documenting and maintaining compliance.