Strict Standards: Only variables should be assigned by reference in /home/castchadmn/public_html/templates/business_line/vertex/responsive/responsive_mobile_sidebar.php on line 8

Strict Standards: Only variables should be assigned by reference in /home/castchadmn/public_html/templates/business_line/vertex/responsive/responsive_mobile_menu.php on line 137

Home

About Us

IT Services

Understanding IT

News

Blog

Contact Us

Support

Newsletter Content

6 minutes reading time (1256 words)

Highly Regulated Industries Come with Their Own Demands

Highly Regulated Industries Come with Their Own Demands

Regulations are put on certain data constructs for a reason: the data within is sensitive. Today, there are seemingly more regulations than ever, and as the GDPR kicks in for organizations that deal with EU-based organizations, we thought it would be a good time to talk about how to navigate these highly-regulated environments to ensure success and security.

While there are movements of industry professionals lobbying for improvements to some personal data protection laws, not much has been done about it by legislators in the U.S. The regulations that are on the books work to protect certain types of personal information, but there isn’t that overreaching article that states there will be consequences for losing someone else’s personal information. Within certain environments however, it is extremely important to know how to navigate as not to mistakenly expose information that has no business being shared.

In Healthcare
We’ll start with healthcare, as it is the most prevalent. Healthcare data is protected, and that protection is regulated, and all for good reason. This information is the most personal information a person can reveal and has no business being in possession of anyone but the provider, the insurer, and the patient. The most well-known regulation for healthcare in the United States is called the Health Insurance Portability and Accountability Act (HIPAA). It was constructed to keep personal healthcare data secure as new systems of transfer and new insurance practices were being implemented.

Healthcare information isn’t all handled the same. There are a multitude of organizations that oversee different parts of the healthcare process. The Center for Medicare/Medicaid services focuses on patient care, while the Occupational Safety and Health Administration (OSHA) focuses on the safety of workers. This is just the tip of the proverbial iceberg. With so many regulatory agencies thumbing around it can be difficult to ascertain which practices are the best practices, and which strategies work to keep every party involved insulated from having their sensitive information compromised.

For the healthcare providers it can be pretty harrowing, since they are for-profit businesses and need to keep certain information on the ready to facilitate solid operational integrity, as well as to ensure that rising costs aren’t sinking their practice. So many providers are constantly revisiting the best ways to stay compliant, while transforming their policies around the existing standards of data protection. This creates a lot of headaches and toiling over policy. One of the best ways to navigate this arena is to set defined practices that work to mitigate redundancy.

Financial Services
Another vertical market that is highly regulated is the financial services industry. Today, there are a lot of financial organizations looking to IT to speed up operations, cut costs, and manage their businesses more accurately. Since the current congress just rolled back a lot of the Dodd-Frank Act, organizations that work in financial services now have three major regulations they need to be cognizant of. They are the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOx), and the Payment Card Index (PCI DSS). Some larger organizations will still need to adhere to Dodd-Frank, but smaller banks and other lending institutions that were often hamstrung by the Dodd-Frank regulations, are now able to operate free from its stated oversight. Here is how each work in regard to data security:

  • GLBA - Puts in place a mandate that financial services organizations need to identify, adjust, and test their data protections systems to ensure that customer information isn’t being misused or misallocated.
  • SOx - Works to require accurate and responsible accounting, and puts an onus on large businesses to increase the transparency of profits.
  • PCI DSS - Functions to protect cardholder data, and provide strong controls, reporting, and testing of payment card systems.

The major regulators in the United States are the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and the Securities and Exchange Commission (SEC). They often step in and levy fines when it's called for, but they typically hold fast or take advisory roles in matters of data security as it could be looked on as above their mandate. Their function is mostly to keep trade, practices, and markets fair and efficient, not really to protect personal information. Unless threats to that sanctity are directly coming from identified threat actors, the financial regulators won’t take a proactive approach.

Despite the lack of proactive oversight, most financial entities typically keep their practices to a certain standard, however. The standards outlined by the Federal Financial Institutions Examination Council handbook or FFIEC-IT. With a dedication to keeping financial services technology the secure product it needs to be, FFIEC-IT booklets outline what is expected to keep a compliant and secure financial services IT infrastructure. The FFIEC-IT website provides all the information anyone would need to know to keep their IT infrastructure, network, security practices, and reporting at a level commensurate with the expectations of financial services customers and regulators.

Creating a Plan
All security standards tend to follow the same general principles. Most will talk about the need for concise reporting and constant assessment. This actually works in the service provider’s favor as they can outline a strategy that will work for the many types of organizational oversight that they function under. By creating a static security management plan (SMP), an organization sets up a workflow that will outline the steps everyone has to take to guide them. This can be done the old fashioned way with a checklist on a clipboard, but the best way many organizations we’ve researched accomplish this is by using an electronic spreadsheet to work in some degree of automation. This also provides the visibility to quickly translate and compile information into any reports that you are mandated to provide regulators.

The SMP should include:

  • An organizational security mission statement.
  • A static hierarchy of authority with the organization’s reporting structure.
  • Identification of areas that need to be secured.
  • A general outline of individual duties and activities under the SMP.
  • The static documentation system that has to be used to keep things compliant.
  • An organizational training program or interface to keep staff up-to-date on shifts in the SMP.
  • A roadmap on how to incorporate liaison sites.
  • A top-to-bottom security organizational chart.
  • A copy of SMP evaluations and a plan for improvement, if needed.

Once you have a dedicated SMP in place, you can go about applying it to every facet of your organization. This is a time-consuming task as everything your business has to keep secure should have a line item in the spreadsheet, but once it’s done it will be much easier to ascertain where your organization is on a certain tactic, and how resources should be deployed to ensure that compliance is maintained.

A big part of staying compliant is to put in practice quality assessment tools. Sometimes your organization’s security and practices will work in concert, and sometimes they will conflict. Ensuring that your reference materials are current, consolidated into an easy-to-decipher format, and reported properly will provide you with a much more manageable time managing the assessment and validation systems you’ll need to prove compliance to regulators.

At CASS Tech, we are experts in designing, implementing, and supporting any business’ compliance strategies. With the GDPR finally going into effect in the EU and data security and personal privacy constant hot-button issues in the U.S., now is the time to build a compliant data security system for all the sensitive data your organization deals with. Call us today at (248) 538-7374 to see how our professional IT technicians can help you stay compliant.

These Four Technologies can Give Your Business a B...
Technology Basics: Uploads and Downloads
 

Comments 6

Addaneye Gifford on Tuesday, 03 July 2018 21:49
great [url=https://www.fiverr.com/linkshop/75-dofollow-backlink-on-actual-page-rank-pr2-to-pr6]Dofollow Trust Flow Backlinks[/url]
Addaneye Gifford on Saturday, 07 July 2018 22:41

So wait is this one of those research paper written in the assignment writers style ? Because if it is then its amazing i was actually looking around for something like this, so thanks a lot for this, you gusy are amazing! Ill be definitely be back here for more!

So wait is this one of those research paper written in the [url=https://myassignmentwriter.com.au/]assignment writers[/url] style ? Because if it is then its amazing i was actually looking around for something like this, so thanks a lot for this, you gusy are amazing! Ill be definitely be back here for more!
Addaneye Gifford on Tuesday, 10 July 2018 16:38

Amazing, this is great as you want to learn more, I invite to This is my page. Yeast Infection

Amazing, this is great as you want to learn more, I invite to This is my page. [url=https://www.naturalfoodseries.com/10-remedies-treat-vaginal-yeast-infection]Yeast Infection[/url]
Addaneye Gifford on Friday, 13 July 2018 01:02

Actually I read it yesterday but I had some thoughts about it and today I wanted to read it again because it is very well written. Messages of Obsession

Actually I read it yesterday but I had some thoughts about it and today I wanted to read it again because it is very well written. [url=http://www.lovetractions.com/message-of-obsession-by-karen-fox]Messages of Obsession[/url]
Addaneye Gifford on Saturday, 14 July 2018 22:48

In this case you will begin it is important, it again produces a web site a strong significant internet site: Pineapple

In this case you will begin it is important, it again produces a web site a strong significant internet site: [url=https://www.naturalfoodseries.com/10-benefits-pineapples]Pineapple[/url]
Addaneye Gifford on Monday, 16 July 2018 19:31

Why do only so much written on this subject? Here you see more. His Secret Obsession

Why do only so much written on this subject? Here you see more. [url=https://www.languageofdesires.com/7-obsession-phrases-that-makes-a-man-fall-deeply-in-love]His Secret Obsession[/url]
Already Registered? Login Here
Guest
Tuesday, July 17, 2018

Captcha Image

Latest Blog

Packing for trips can be frustrating because there’s always the chance that you’ll pack either too much or too little. This is especially true if you have multiple devices that you might be tempted to bring with you. It’s important to remem...

Contact Us

Learn more about what CASS Tech
can do for your business.

(248) 538-7374

CASS Tech
37000 Grand River Avenue Suite 130
Farmington Hills, Michigan 48335

Account Login