
The Tale of Two Compliance Frameworks (HIPAA and PCI)

Two of the most common compliance frameworks out there are HIPAA and PCI, and while they share popularity, they share little else and are not interchangeable. Since Wind River has customers that need to consider both, I thought it might be helpful to review some of the history and how each is enforced.

PCI compliance comes from the PCI council, which collaborates with the major credit card brands and focuses on protecting consumer card data. Should a breach occur, the fines are contractually agreed on and there are no criminal charges.

HIPAA compliance is monitored by HHS (Health and Human Services) and governed by the OCR (Office for Civil Rights), both of which are government entities. Should a breach occur, both criminal and civil penalties apply in addition to a fine.

When it comes to the frameworks themselves, PCI DSS is very specific about what is required. The PCI council outlines the processes and controls that must be in place, such as information review, logging and encryption requirements. HIPAA, on the other hand, focuses on policies, training and processes and gives only broad strokes, which makes it much more subjective than the prescriptive PCI framework.

In addition, HIPAA uses the Business Associate Agreement (BAA), which is a mechanism to hold companies liable for keeping Protected Health Information (PHI) safe. While there is much debate on that liability, most healthcare providers look for vendors to sign a BAA to ensure end-to-end protection of PHI.

While many tools exist to aid HIPAA and PCI compliance, only a few can be leveraged for both. One such tool, which is included in the new Advanced Security Package, is the File Integrity Monitor (FIM). FIM's file integrity monitoring covers many compliance frameworks, including PCI, HIPAA, FISMA, GLBA, SOX and even the newest entrant, GDPR.
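As an added illustration (not code from Wind River's ASP or its FIM product), here is the core of what a file integrity monitor does: record a baseline of content hashes and permission bits for a directory tree, then diff a fresh scan against it to surface added, removed and modified files. The directory tree, file names and contents below are constructed for the demo.

```python
import hashlib, os, stat, tempfile

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Record hash, size and permission bits of every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(path), "size": st.st_size,
                             "mode": stat.S_IMODE(st.st_mode)}
    return baseline

def compare(baseline, current):
    """Report paths that appeared, disappeared, or whose content or mode changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def _write(path, text):
    with open(path, "w") as f:
        f.write(text)

def demo():
    """Constructed scenario: baseline a scratch tree, tamper with it, re-check."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    _write(os.path.join(etc, "app.conf"), "db_host=db.internal\n")
    _write(os.path.join(etc, "hosts.allow"), "ALL: 10.0.0.0/8\n")
    baseline = build_baseline(root)
    # Three changes an auditor expects a FIM to flag: an edit, a deletion and a new file.
    _write(os.path.join(etc, "app.conf"), "db_host=db.internal\ndebug=true\n")
    os.remove(os.path.join(etc, "hosts.allow"))
    _write(os.path.join(etc, "dropped.sh"), "#!/bin/sh\n")
    return compare(baseline, build_baseline(root))
```

Because the permission bits are part of each record, a chmod with unchanged content is reported as modified too; a production FIM would store the baseline out of band and sign or otherwise protect it so the baseline itself cannot be tampered with.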

PCI and HIPAA exist to protect different sensitive information in different ways. Therefore, being HIPAA compliant does not check the PCI compliance checkbox, and vice versa. This is frustrating for many businesses that may have to manage both (and possibly other) compliance frameworks. Now enter the HITRUST Common Security Framework (CSF), which may be the future (at some point) of compliance, as it attempts to harmonize many of the popular compliance frameworks. Specifically, HITRUST CSF:

  • Includes, harmonizes and cross-references existing, globally recognized standards, regulations and business requirements, including ISO, NIST, PCI, HIPAA and State laws
  • Scales controls according to type, size and complexity of an organization
  • Provides prescriptive requirements to ensure clarity
  • Follows a risk-based approach offering multiple levels of implementation requirements determined by specific risk thresholds
  • Allows for the adoption of alternate controls when necessary
  • Evolves according to user input and changing conditions in the industry and regulatory environment on an annual basis
  • Provides an industry-wide approach for managing Business Associate compliance

According to HITRUST Alliance, “the HITRUST CSF is the most widely adopted security framework in the healthcare industry: 81 percent of hospitals and 80 percent of health plans have adopted the framework in some way, either as a best practices resource or as the basis for their information protection program.”

However, HITRUST has yet to make inroads with merchants regarding PCI. Looking at its executive council, you can see that most of the leadership comes from healthcare right now. So, for the time being, Wind River highly recommends the Advanced Security Package (ASP) for all your PCI needs. We'll keep monitoring the evolution of compliance and the adoption of HITRUST over time to keep our customers ahead of the compliance curve.

Steve Staden
