Health Insurance Portability and Accountability Act (HIPAA):
This act came into act in 1996 with its main intent being improvement in efficiency and effectiveness of the health care system. It includes, among its various components, privacy and security rules. The rules focuses on Protected Health Information (PHI) and electronic PHI (ePHI) gathered in the healthcare process and mandate the standardization of electronic transactions, code sets, and identifiers. Recognizing that electronic technology could erode the privacy of health information, the law also incorporates provisions for guarding the security and privacy of personal health information. It does this by enforcing national standards to protect:
• Individually identifiable health information, known as the Privacy Rule.
• The confidentiality, integrity and availability of electronic protected health information, known as the Security Rule.
The complete suite of rules is known as the HIPAA Administrative Simplification Regulations. It is administered by The Centers for Medicare & Medicaid Services and The Office for Civil Rights. There are five parts to HIPAA's Administrative Simplification Statute and Rules:
1. Electronic Transaction and Code Sets Standards: Requires every provider who does business electronically to use the same health care transactions, code sets and identifiers. This rule is administered by The Centers for Medicare & Medicaid Services.
2. Privacy Rule: Provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. The rule permits the disclosure of personal health information needed for patient care and other important purposes. This rule is administered by the Office for Civil Rights.
3. Security Rule: Specifies a series of administrative, physical and technical safeguards for covered entities to use to assure the confidentiality, integrity and availability of electronic protected health information. This rule is administered by the Office for Civil Rights.
4. National Identifier Requirements: Requires that health care providers, health plans and employers have standard national numbers that identify them on standard transactions. This rule is administered by The Centers for Medicare & Medicaid Services.
5. Enforcement Rule: Provides standards for enforcing all the Administration Simplification Rules.
The Federal Information Security Management Act (FISMA):
This act was enacted in 2002 to promote computer and network security for the information and the information systems within the U.S. federal government and also for parties such as government contractors which used to manage it by mandating yearly audits. With the FISMA act in place it enacted the federal government to focus on cyber security for outsourcing companies which was previously neglected. The FISMA act recommends that an effective security program must include:
• Risk assessment at periodic intervals
• Addressing policies and procedures based on the risk assessments
• Subordinating plans for information security for networks, facilities, etc.
• Information Security awareness program for employees
• Periodic testing and evaluating effectiveness of IS policies, procedures, practices and controls on a yearly basis
• Defining process to detect, report and respond to security incidents.
• Planning to ensure continuity of operations.
Payment Card Industry Data Security Standard (PCI-DSS):
The Cardholder Information Security Program (CISP) was instituted by Visa USA and MasterCard International. Mandated since June 2001, the program is intended to protect cardholder data—wherever it resides—ensuring that members, merchants, software outsourcing companies and service providers maintain the highest information security standard. Using the Payment Card Industry (PCI) Data Security Standard as its framework, CISP provides the tools and measurements needed to protect against cardholder data exposure and compromise across the entire payment industry. The PCI Data Security Standard consists of 12 basic requirements supported by more detailed sub conditions.
Summarizing, information security in software outsourcing industry is of utmost importance as it plays a huge part in protecting its assets. There is no formula for 100% security, so there is a need for a set of benchmarks to ensure an adequate level of security is attained for a software outsourcing company in India. This article lists the various regulatory compliances that are available for information security.
The after-effects of not being regulatory compliant in the software outsourcing industry are complex, and there is no running away than to face them. A lot of precious time and effort can be saved by becoming familiar with the laws and by bringing in specialists who can work together a plan combining regulatory compliance and IT security. Most importantly, regulatory compliance translates into plain old good IT security practices.
No comments:
Post a Comment