HIPAA, the Health Insurance Portability and Accountability Act, focuses on three key criteria for handling Protected Health Information (PHI): availability, confidentiality and integrity. This blog post focuses on availability as it applies to HIPAA applications and HIPAA data.
Availability means that PHI is always available, accessible and never lost. When a patient arrives at the emergency room at three o'clock in the morning, the electronic health records need to be available so the physician can address the emergency with all of the patient's records at her fingertips. Managing patient records in the health care world is no longer a 9-to-5 job - and one of the main drivers behind electronic health records (EHR) is the portability and availability of patients' records to health care providers around the clock.
Recent Data Breaches Exemplify the Importance of PCI Compliance
Stratfor, the latest target of hackers, lost credit cardholder data in December that was released to the public later that month. The data belonged to thousands of customers, including politicians, military officers, government officials and business executives.
Stratfor is a private international affairs research firm that may not have encrypted data before storing it in its database, allowing hackers to access and release customer credit card numbers. As a result of lax online security, the firm's website was taken down and the firm lost a month's worth of subscriptions - forcing the company to draw on its savings to survive.
The PCI DSS (Payment Card Industry Data Security Standard) is regulated by major industry card-issuers, including VISA, American Express, Discover, MasterCard and JCB International, and applies to companies that accept, store, process and transmit cardholder data.
AICPA Fumbles Audit Standards at the 5-Yard Line
The story is a good one. SAS 70, the 20-year-old standard for data center audits, had been twisted, used and abused in so many ways that a "SAS 70 Audit" stands for very little these days. The AICPA (American Institute of CPAs) had the right idea when it created two new standards - SSAE 16 to replace SAS 70 for internal financial audits and SOC 2 as an objective audit for data center operators.
Unfortunately, on the way to the goal line, the AICPA didn't just trip and fumble the ball; it conceded 90 yards in the wrong direction by creating a set of audit standards that confuse the intended audience and leave industry experts scratching their heads. The new audit reports, SSAE 16, SOC 1, SOC 2, and SOC 3, were meant to substantiate data center merits, but are leaving the entire market dazed and confused.
For more information on SAS 70, SSAE 16 (SOC 1), and SOC 2 compliance, and on the confusion among these standards, follow the read more link below.