Compliance Law List

Each compliance law below is followed by its requirements.
PCI

Requirements:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update antivirus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.

(PCI Security Standards Council, 2015)
HIPAA

Security Rule:
A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments.

Covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI created, received, maintained or transmitted.
- Identify and protect against reasonably anticipated threats to the security or integrity of the information.
- Protect against reasonably anticipated, impermissible uses or disclosures.
- Ensure compliance by their workforce.

Risk Analysis and Management:
The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes.

A risk analysis process includes:
- Evaluate the likelihood and impact of potential risks to e-PHI.
- Implement appropriate security measures to address the risks identified in the risk analysis.
- Document the chosen security...