Staying on top of compliance regulations is one of the most important tasks for any organization. IT departments in almost every organization are under constant pressure to keep up with changing compliance requirements. Some of the common regulations that most organizations fall under are SOX, HIPAA, GLBA and PCI DSS.
SOX was enacted to protect shareholders and the general public from accounting errors and malpractices that could cause them financial loss. All public companies are required to comply with SOX.
HIPAA sets out a set of standards for all companies that handle patients' protected health information (PHI). This includes, but is not limited to, health insurance firms, organizations that provide treatment, payment and operations in health care, and others.
All financial institutions must comply with GLBA and accordingly implement security programs to protect individuals' private information.
PCI DSS, on the other hand, provides guidelines for all organizations that accept payments through credit and debit cards. In recent years we have seen new versions of these regulatory standards being released. Let's have a look at a few of them.
PCI DSS Version 3.0 and PA-DSS Version 3.0
Version 3.0 of the PCI DSS and PA-DSS took effect on January 1, 2014. According to the official statement, the new version is mainly about clarifying the existing requirements and making them more specific and flexible, so that merchants can understand and implement them more easily.
The new version was developed based on feedback from industry experts and to meet ever-changing security requirements. The primary factors weighed in the new version are lack of awareness of the standard, lax implementation of authentication and password measures, third-party security challenges, and inconsistencies in self-detection of malware and other security issues.
Overview of the types of changes included in the new version:
Clarification: This type of change clarifies the intent of a requirement, ensuring that the intended meaning is conveyed through concise wording in the standard.
Additional Guidance: This type of change has been introduced to increase understanding of a particular topic through further explanations, definitions, and/or instruction.
Evolving Requirements: This type of change has been incorporated to ensure that the standard keeps up with changes in the market and emerging threats.
HIPAA 5010
HIPAA 5010 went into effect on January 1, 2012. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandated that all organizations within the healthcare industry, i.e. health plans, health care clearinghouses and health care providers, use standard formats for all claim-related transactions. HIPAA 5010 was rolled out because the previous version, HIPAA 4010, could not support new developments in health care or the ICD-10 code set, a system of medical classification used for procedural codes that track health-related services rendered by medical professionals. The new version required organizations to make significant changes to their existing systems to accommodate the new information submitted on claims; without these changes, claim processing could be delayed.
The above sections (PCI DSS and PA-DSS Version 3.0 and HIPAA 5010) are just a couple of examples that give an idea of the changes organizations have to adopt in their business operations to adhere to compliance standards and avoid financial penalties. There are a number of third-party software products that can help in this regard. For example, Lepide Data Security Platform has compliance-specific reports that cover most of these regulatory standards. It is very important to note, however, that avoiding financial penalties should not be the only reason for complying with these standards. Instead, they should be treated as recommendations that can help you secure your business against fraud and security breaches.