HIPAA Breach Notification Framework

3Lions Publishing (3LP), owners of the HIPAA Survival Guide, have announced the release of their HIPAA Breach Notification Framework.  New HIPAA (Health Insurance Portability and Accountability Act) regulations and the HITECH Act require covered entities and their business associates to provide notification to stakeholders following a breach of health information.

3LP’s Framework provides a methodology for determining when HIPAA breach notification requirements are triggered, and also provides tools for implementing HITECH-compliant security incident management.  The Framework comes with a security incident management user’s guide that helps covered entities and business associates quickly integrate it with their breach notification programs, saving a significant amount of time and expense.  The Framework also includes a HIPAA breach notification policy, model notification letters, training materials, and other tools.

The CEO of 3LP says: “Our Framework is ‘swipe and go’ priced to be economically affordable for healthcare stakeholders of all sizes, industry wide.  In addition, our Framework complements The Guard, highly recommended, best of breed HIPAA Compliance Software.”

The HITECH Act embodies a convergence between law, policy, and technology.  3LP expects this trend to continue as enabling technologies mandate a multi-disciplinary approach to complex regulatory issues.  Release 1.0 of the Framework and Release 3.0 of The Guard software address the convergence challenge by providing stakeholders with tools that allow them to more effectively attack Breach Notification as well as the daunting HITECH/HIPAA compliance learning curve.

Even if you are not HIPAA regulated, there may be a fair bit that can be learned from these guides when it comes to trigger development, breach notification, plan integration, and incident management in general.  Get yours, today.

New PCI Supplement – Protecting Telephone-Based Card Data

Today, customers can swipe credit cards in POS readers, they can use e-commerce sites online, or quite commonly use the telephone to complete payment transactions.  New guidance has just been issued by the PCI Security Standards Council aimed at securing stored payment card data collected via call centers and over-the-phone payments.  This directive is highly necessary and very timely.  Card data collected over the telephone or by voice-based payment systems is often overlooked as a vulnerable payments channel and has become a target for criminals.

The PCI Council’s Protecting Telephone-Based Payment Card Data information supplement provides actionable recommendations for merchants and service providers to process payment card data over the phone in a secure manner.  What makes phone-based payments unique and more vulnerable than other payment processing methods is the regulatory requirement to record the calls, combined with the “card-not-present” capture and storage of sensitive CVV or CVC authentication data.  It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization, even if encrypted.  These authentication codes should not be stored in any manner.  Full primary account numbers (PANs) cannot be kept without additional protective controls in place; PAN data should be encrypted if it must be stored.  Most payments made to call centers or over the phone with service reps are recorded.  Here’s a little PCI compliance secret for you: ‘If you don’t need it, don’t store it.’

In face-to-face and e-commerce environments, risk-mitigating technologies have helped significantly reduce fraud rates, resulting in a shift of card fraud towards the Mail Order / Telephone Order (MOTO) space.  Until now, these phone-based transaction records have fallen outside the scope of the PCI standards.  Merchants concerned enough about compliance to have asked have heard the PCI Council’s response: if there is no way to extract the card data from the audio, PCI rules do not apply.  With the emergence and general acceptance of digitally recorded files for call recording, these records can now easily be searched and the card data extracted.  More merchants are using audio recordings, but are not encrypting or destroying the data.

Key points:

  • Explains how the PCI-DSS applies to card holder data stored in call recording systems.
  • Recommendations for assessing risk and applicable controls of call center operations.
  • Specific guidance around storage of sensitive authentication data, which includes suggested methods to meet PCI-DSS requirement 3.2.
  • Guidance on some of the key considerations faced by call centers when implementing PCI-DSS requirements.
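As an added illustration, and not code from the PCI supplement or from any product mentioned above, the following Python shows the two controls this section implies for a call-center record store: a scan that finds Luhn-valid card numbers in transcribed recordings or agent notes (so a merchant can discover PANs that are sitting in searchable audio-derived text), and a post-authorization scrub that drops CVV/CVC and other sensitive authentication data and truncates the PAN before the record is kept. The transcript, the record layout and its field names are constructed for the example.

```python
import re

# Candidate card number: 13 to 19 digits, optionally separated by single spaces
# or dashes, and not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names treated as sensitive authentication data (hypothetical record layout).
# PCI DSS 3.2: none of these may be stored after authorization, even encrypted.
SENSITIVE_AUTH_FIELDS = ("cvv", "cvc", "track_data", "pin_block")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every payment card PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in free text such as a call transcript."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def truncate_pan(pan: str) -> str:
    """Keep first six and last four digits; truncation is one accepted way to
    render a stored PAN unreadable without needing key material."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitize_after_authorization(record: dict) -> dict:
    """What may remain of a phone-order record once the card has been authorized."""
    clean = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}
    if "pan" in clean:
        clean["pan"] = truncate_pan(clean["pan"])
    return clean


# Constructed sample transcript: one card number (the Visa test PAN), an expiry,
# a CVV, a phone number and a 13-digit order number that is not Luhn-valid.
SAMPLE_TRANSCRIPT = (
    "Agent: Can I have the card number please? "
    "Caller: Sure, 4111 1111 1111 1111, expiry 12 25, and the code on the back is 123. "
    "Agent: Thanks, your order number is 1234567890123; call us on 555-123-4567 with questions."
)

# Constructed sample record as a call-center system might hold it straight after authorization.
SAMPLE_RECORD = {
    "order_id": "1234567890123",
    "pan": "4111111111111111",
    "expiry": "12/25",
    "cvv": "123",
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    print("PANs found in transcript:", find_pans(SAMPLE_TRANSCRIPT))
    print("Record after scrub:", sanitize_after_authorization(SAMPLE_RECORD))
```

Running the scan over transcripts produced from call recordings is the cheapest way to test the "no way to extract the card data" assumption the section describes; if the scan returns hits, the recordings are in scope. The Luhn check is what keeps order and phone numbers out of the results, and the scrub implements the "if you don't need it, don't store it" rule for the fields that Requirement 3.2 forbids outright.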

Do More Than The PCI Minimum

No matter what type of business you run, from brick and mortar to virtual online, if you accept credit cards, you MUST keep the information that you gather secure.  This is more than just something that you have to do to remain compliant with the Payment Card Industry Data Security Standard (PCI DSS).

This is something that you OWE to your customers, regardless of regulatory and industry requirements.

It is your responsibility, it is good business practice, and it also makes good sense.

Credit card fraud and misuse costs businesses billions of dollars annually.  The cost per incident may vary, but can typically include:

  • Loss of income from fraudulent transactions
  • Costs of incident investigation and litigation
  • Costs associated with correcting the cause of the breach
  • Costs associated with auditing for further compromise and hardening against recurrence
  • Costs of reissuing cards to customers
  • Loss of reputation, customer confidence and future business
  • Fines imposed by credit card companies
  • Loss of ability to accept credit cards for payment

How much would your business need to pay out under each of these categories if there is a single breach?  Wouldn’t the costs of doing compliance right the first time balance out with the avoidance of that single breach?  Attackers continue to target banks and larger businesses, but are expanding their efforts to include smaller businesses while maintaining their focus on credit and debit card fraud.  You will spend the money to get it right after that first breach, and may never be able to fully recover your reputation, or to regain the assurance that your network has been returned to a clean and secure state.  Once roaches infest a building, it is very difficult to remove them all.  Once a network is compromised, it is never again completely your own.  The defenders of the network and data need to find every potential weakness, every point of entry, in order to properly defend it.  The attackers need only find one.


GRC – What Is It?

A commonly accepted definition of Integrated Governance, Risk, and Compliance Management [Racz et al. (2010)] is: “a holistic approach that ensures an organisation acts ethically and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, to improve efficiency and effectiveness.”  Because governance, risk and compliance are closely related concerns, GRC activities are increasingly being integrated and aligned in order to avoid conflicts, wasteful overlaps, and gaps.

[Figure: GRC frame of reference (GRC frameofreference.PNG)]


GRC Management Solutions

As the security landscape continues to devolve, businesses will continue to adopt and implement security controls.  The earlier that a Governance, Risk and Compliance (GRC) Management tool is adopted by the business, the sooner overall compliance and security will improve, and the more likely security awareness will permeate the business culture.   GRC Management tools are designed to support and unify existing and new processes, such as:

  • Asset management
  • Configuration management
  • Policy management
  • Risk management
  • Alert/Event monitoring
  • Incident management
  • Vendor management
  • Business continuity & disaster management
  • ID provisioning
  • Access control management
  • Privileged ID & password management
  • Log management
  • Regulatory compliance monitoring
  • Records management
  • Email management
  • Security Awareness programs

Although these individual processes may exist within an organization, they are generally developed independently of one another as a need arises, lack the necessary links and feedback loops to support one another, and remain operating in silos, disconnected and unaware of one another.  An overarching GRC Management tool is what links information from all of these activities together, providing the business with a clear, high-level picture of its security, compliance and technical operations, while allowing drill-down into the weeds when problems are identified.  By eliminating redundant activities, GRC management tools can reduce total compliance costs and enable business leaders to get high-quality, accurate and timely information to support better business decisions.

GRC done right presents a powerful foundation for security efforts, allowing for clear definitions of metrics and success parameters, visibility into the risk items that the business needs and should be managing, and insight into operational effectiveness, all in a homogeneous and consumable format.  The key to the success of a GRC management platform is its ability to extract, import and correlate data from multiple diverse sources.  It has been a while, so I believe that it is time once again for me to examine the vendors and offerings within this important niche.
