3 PCI DSS 3.0 Themes

The main security topics to lead us into 2015.

By Giles Witherspoon-Boyd
This article was also featured in Multi-Unit Franchisee.

Hopefully you’ve heard that the Payment Card Industry Data Security Standard (PCI DSS) has changed…again. In November of 2013, the PCI Council released PCI DSS version 3.0 and set the compliance deadline for January 2015. 

With the deadline of January 1, 2015 passed, many businesses still aren’t even close to compliance with the new standard.


Why change the standard?

Changing technologies often improve business efficiency, but they aren’t immune to the weaknesses consistently found and exploited by hackers. New security regulations like PCI 3.0 are released to protect new technologies against recent hacking trends.

In my opinion, Requirement 4.1 is the biggest PCI 3.0 change for franchisees. Many franchises and chains use satellite communications to connect locations. According to the newest version, it’s no longer acceptable to rely on the link provider’s system security. It’s your responsibility to encrypt satellite communications containing cardholder data so it remains secure.

If your franchisor hasn’t already asked you to begin implementing PCI 3.0 changes, they (or your bank) probably will soon. Here are three themes I’ve seen while reviewing additions to the newest PCI standard. 

1. Make sure sensitive data is kept from prying eyes

Security clearances aren’t just for high-tech companies and weapons manufacturers. For example, restricting access to the administrative portions of point-of-sale (POS) systems or hotel management applications can lower the chance of malware entering a system.


PCI 3.0 digs deep into employee restrictions to safeguard access to customer data with a handful of new requirements. 
  • Requirement 5.3 reminds us that no one should be able to alter anti-virus software without managerial approval. If just anyone can turn off anti-virus, they could leave a business vulnerable to malware that slips past the unguarded system.
  • Requirement 7.1.1 requires a role-based access control system. This means employee access to card data and systems should only be granted on a need-to-know basis.
  • Requirement 9.3 is all about controlling physical access to sensitive areas. If an employee’s job doesn’t require them to have access, make sure they don’t have access.

2. Review, revise, repeat 

From my security experience, many breaches are caused in part by a lack of process review. Errors can easily occur because of ignorance, poor planning, lack of attention, or timing and can lead to security decay. 

The PCI Council definitely thought double-checking software, processes, and devices was an important part of a secure business environment. 
  • Requirement 9.9.2 ensures merchants regularly examine POS devices to make sure they haven’t been tampered with. This is especially important in the case of POS systems that are left out in the open and unattended for a long period of time (such as gas station terminals).
  • Requirement 10.6.2 states the importance of reviewing logs of all system components. Periodically reviewing logs helps determine if suspicious activity is occurring. 

3. Give me documentation or give me death! 

Documentation is a four-letter word to most businesses. Ugh! Who wants to devote precious resources to documentation? Well, the upsides are significant. Documentation is the failsafe that keeps your hands clean, keeps your company transparent, and keeps your security efforts organized. 

That’s probably why PCI version 3.0 has so many new requirements about documentation. 
  • Requirement 1.1.3 asks merchants to create a cardholder data flow diagram to show how cardholder data enters and flows through the network. 
  • Requirement 2.4 requires a document that lists all in-scope devices and their function. (That means every POS system, computer, mobile device, etc.)
  • Requirement 9.9.1 is very similar to 2.4, and requires merchants to maintain an up-to-date list of all devices including physical location, serial numbers, and make/model.
  • Requirement 11.1.1 asks merchants to maintain a complete list of authorized wireless access points and justify why they are needed in the business environment.
  • Requirement 12.8.5 requests two lists: the PCI requirements your third party service provider meets, and the PCI requirements your business is required to meet. This requirement is intended to avoid miscommunication between third parties and merchants about who is responsible for which PCI requirements. In a franchisee’s case, it would probably be beneficial to have a similar list explaining the security responsibilities of both you and your franchisor.


Whew. Even though I didn’t go over every single change from PCI 2.0 to PCI 3.0, that was a lot to take in. Hopefully you can take what you’ve learned and begin to apply it in your security processes today. Start examining your physical devices for tampering, begin your list of wireless access points, and institute company-wide role-based employee access. I promise you’ll be more secure.

Giles Witherspoon-Boyd (PCIP) is Enterprise Account Manager at SecurityMetrics and assists businesses in defining their PCI DSS scope.

Resolved: Does HIPAA Compliance Satisfy Meaningful Use?

How do Meaningful Use requirements overlap with HIPAA compliance requirements?

By: Tod Ferran, Security Analyst, CISSP, QSA

Can you tell the difference between HIPAA and Meaningful Use regulations? You’re not the only one struggling with the answer to this question. Many healthcare professionals don’t completely understand how the specific requirements of HIPAA and Meaningful Use relate. For example, did you know that your HIPAA risk analysis may cover your Meaningful Use risk analysis, but not the other way around? I promise to try and resolve your questions about the relationship between Meaningful Use and HIPAA in this blog post.

If you’d like a more comprehensive dive into the relationship between Meaningful Use and HIPAA, watch this recorded presentation.



Let me quickly answer some common questions healthcare providers have about Meaningful Use and HIPAA.

First, let’s talk about Meaningful Use attestation vs. HIPAA compliance:

Will Meaningful Use attestation count for HIPAA compliance? NO. 
Meaningful Use only focuses on your EHR system, while HIPAA is concerned with the entire patient data process. There are many additional aspects required for full HIPAA compliance, and as a note, using a cloud-based EHR does not absolve you of HIPAA requirements.

Will HIPAA compliance count for Meaningful Use attestation? NO.
Both HIPAA and Meaningful Use are concerned with identifying potential security risks. Both require a risk analysis. But the similarities end there. In reality, the overlap between the two is pretty small.

Now let’s talk about your risk analysis:

Will my HIPAA risk analysis cover my Meaningful Use risk analysis? YES.

As long as you’ve done a ‘complete and thorough’ job on your HIPAA risk analysis, it should cover your Meaningful Use risk analysis. If your HIPAA risk analysis is not complete and thorough, not only will it fail your Meaningful Use risk analysis, but it will also not be an acceptable HIPAA risk analysis. It’s nearly impossible to perform a proper ‘complete and thorough’ HIPAA risk analysis without some outside security assistance.

Will my Meaningful Use risk analysis cover my HIPAA risk analysis? NO.
Meaningful Use only focuses on your EHR system, while HIPAA is concerned with your entire patient data process. A Meaningful Use risk analysis would only cover a very small part of a HIPAA risk analysis. We’ll discuss this in more detail later.


Similarities between HIPAA and Meaningful Use

Both HIPAA and Meaningful Use require you to correct security problems as part of your risk management process. Both also require a risk analysis and Risk Management Plan. A risk analysis helps you measure, rank, and prioritize risks to your protected health information (PHI), while a Risk Management Plan works through the issues discovered in the risk analysis, and documents that you acknowledge and are working to correct those risks.


When the HHS comes in to do a HIPAA audit or investigation, if you have completed a risk analysis and show demonstrable progress on your Risk Management Plan, they go a lot easier on you.  


Differences between HIPAA and Meaningful Use

A Meaningful Use risk analysis is:
  • Only concerned with risk of your EHR
  • Only required for those participating in Meaningful Use
  • Only updated twice (Stage 1 and Stage 2 reporting, so far)
A HIPAA risk analysis is:
  • Concerned with the risks of the entire PHI environment (that means the EHR, email encryption, electronic records, paper records, Internet, business associates, servers, workstations, physical security, intake procedures, etc.)
  • Required of all covered entities and business associates
  • Reviewed and updated on a periodic basis (typically annually)



Synopsis

Meaningful Use and HIPAA are distinctly separate requirements that aren’t that similar after all.

Not only is HIPAA compliance required, but it is also considered security best practice throughout the healthcare industry. If you already have a HIPAA compliance program, congratulations! Your risk analysis (if completed) may satisfy a core requirement of Meaningful Use! If you haven’t started on HIPAA compliance yet, this is a great time to start a HIPAA program and kill two birds with one stone!


Tod Ferran (CISSP, QSA) is a Security Analyst for SecurityMetrics with 25 years of IT security experience. He provides security consulting, risk analysis assistance, risk management plan support, and performs HIPAA and PCI compliance audits.


Welcome to SecurityMetrics Blog!

Learn to secure your business on this blog.

Welcome readers! Fancy meeting you here! You’ve reached SecurityMetrics Blog, the data security educational center of SecurityMetrics, a company focused on helping organizations avoid security data breaches and prevent data theft. 

If you’re looking for educational content on HIPAA compliance, PCI compliance, or business data security, look no further. 

We update the blog at least twice a week with data security, HIPAA compliance, and PCI compliance topics.


Education is the name of the game

Data breaches are good for no one. Our hope is that by educating organizations on best practices to secure data from hackers, we can stop data breaches and help organizations feel better about their security posture. 

Say hello to our regular authors

The technology gurus of SecurityMetrics author this blog and include many true experiences of business security failures and successes in their posts.

  • Dave Ellis, Director of Forensic Investigations: Resident Hacker Expert
  • Brand Barney, Security Analyst: PCI DSS Guru
  • Gary Glover: Security Specialist
  • Tod Ferran: HIPAA Master

Stay awhile!

Why don’t you browse around, subscribe for PCI or HIPAA (or both) updates, and start getting usable tips on how to secure your business!

Auditing Archives: The Case of the File-Sharing Franchisee

Linking 100 restaurants through one insecure server connection is a bad idea.

By: Gary Glover, CISSP, QSA

The following post is a segment in the Auditing Archives series. Hopefully the security failures I’ve seen while auditing businesses will help inspire better practices to ensure your own business security. 


I have a sad story to tell. An unfortunate franchisee with hundreds of restaurant locations hired an IT company with few security skills to configure their restaurant POS systems across multiple locations. Giving every restaurant access to the same programs and files back at corporate HQ promoted process consistency across each restaurant management system and made information exchange easy, but it also opened security holes.


The sad part of the story is that the IT company configured every in-store POS system identically … with the same easily guessable password. And each of those stores was connected to a common file server back at corporate. Now, if a bad guy can get into the corporate network and onto the file share server, every single restaurant owned by that franchisee is at risk for card compromise.





Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 9 years of PCI audit experience.

HIPAA Workforce Member Training for Healthcare Staff: Why It’s Essential

Employees are forgetful. Training helps them remember important security practices.

By: Tod Ferran, CISSP, QSA

If you think your workforce members know how to secure patient data, you are sadly mistaken. Just take a look at the HHS Wall of Shame. Would it surprise you to learn that most of those breaches originate from healthcare workforce members?
Let me explain.

Thieves can only steal laptops if workforce members leave them in plain sight. Hackers can only access networks because workforce members set up easy-to-guess passwords. Improper disposal only happens when workforce members decide to throw PHI away instead of shred it. The list goes on.
I submit that your greatest liability and security challenge are your very own employees.




Why should I train my workforce members on HIPAA compliance?

Most workforce members aren’t malicious. They’re just forgetful. People may have a fragmented view of what is required of them, or may never have been trained in the first place. Or, their previous employer may not have held them at the higher standard you require.

If you don’t give your workforce members specific rules and train them on those rules, they won’t be able to keep protected health information (PHI) secure. Workforce member training and education will remind them that security is important, and squash any bad security behaviors. Remember that ‘common sense’ is not very common, and what may seem obvious to you may never have crossed the minds of your staff! 

According to the Experian Data Breach Industry Forecast, “Workforce members and negligence will continue to be the leading cause of security incidents in the next year.”

Another reason HIPAA workforce member training is so important is to keep workforce members aware of the most up-to-date security policies and practices. Threats to the healthcare industry are constantly changing, which means security practices should follow. If workforce members are only trained once a year, that may not be enough to keep up to date with your constantly changing security best practices and certainly won’t keep up with the threats.

What do HIPAA requirements say about training?

The HIPAA Privacy Rule (section 164.530) states: A covered entity must train all members of its workforce on the policies and procedures with respect to PHI…as necessary and appropriate for the members of the workforce to carry out their function…

The HIPAA Security Rule (section 164.308) states: …Implement a security awareness and training program for all members of [your] workforce  (including management).


HIPAA rules give a small list of workforce member training ideas, but I recommend including the following in your program:


Our advice

The cool thing about workforce member training is that you can conduct it in the manner that works best for your organization. As you set up your training plan, here are some tips to consider:
  • Provide training as a mandatory part of new hire orientation
  • Require monthly or quarterly training of all staff members or develop a weekly educational program (annual isn’t enough)
  • Keep a repository of policies and procedures (keep these updated and inform staff of updates)
  • Develop a verification process to ensure training completion
  • Document dates and times when workforce members complete their training
  • Evaluate your training program effectiveness each quarter
  • Reduce costs by making training part of your comprehensive educational program
Check out this 21-day HIPAA plan webinar, which includes meeting ideas for your staff. 

Tod Ferran (CISSP, QSA) is a Security Analyst for SecurityMetrics with 25 years of IT security experience. He provides security consulting, risk analysis assistance, risk management plan support, and performs HIPAA and PCI compliance audits.