There are many privacy and security compliance frameworks designed to protect customer and company data across a variety of industries. You may have heard of a few of them, such as HIPAA or SOC. What do they mean exactly, and how can organizations secure their websites accordingly? Let’s look at three privacy and security frameworks you should know (two are laws, one is an auditing standard):
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA was enacted in 1996 to protect the health information of patients. It is a serious set of obligations for covered entities (health care providers, health plans and clearinghouses) and for the business associates that handle protected health information on their behalf: failure to comply can result in civil fines of up to $1.5 million per violation category per year, and in some cases criminal penalties. Also, according to a recent study by Redspin, the average cost of a data breach for a healthcare organization is over $800,000.
Healthcare has been in a poor security posture of late, with major breaches at Anthem and Premera, so being HIPAA compliant is more important than ever. HIPAA’s security requirements are commonly summarized under seven headings: Transport Encryption, Backup, Authorization, Integrity, Storage Encryption, Disposal, and the HITECH/Omnibus updates (which extended these obligations to business associates and added breach notification duties).
FISMA (Federal Information Security Management Act)
FISMA applies to federal government agencies and to the contractors and other third parties that handle their information, and it requires them to protect that information and the systems that hold it. According to FISMA, the term information security means “protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.” It was enacted in 2002, yet it isn’t particularly well known in the industry: only about 30% of government agencies are compliant, and more than 65% of government workers don’t even know what it is.
SOC (Service Organization Controls)
SOC is a relatively new series of attestation standards, introduced by the AICPA in 2011, for assessing the design and operating effectiveness of a service organization’s controls (cloud and Software-as-a-Service providers are typical subjects). It is made up of three report types: SOC 1 covers controls relevant to customers’ financial reporting; SOC 2 covers security, availability, processing integrity, confidentiality and privacy; and SOC 3 is a general-use summary of a SOC 2 report that can be shared publicly.
What can an organization do to their website to improve compliance?
A secure website goes a long way toward meeting each of the frameworks above, while also protecting against cyber attacks. Here are a few ways organizations can do so:
- Encrypt all customer, patient and organization data, both in transit and at rest. This matters especially if you’re using a CDN, where confidential data travels across large distances and the CDN edge terminates the connection, so the CDN-to-origin leg must be encrypted as well. Serving the site over TLS (still commonly called SSL) is the place to start.
- Limit access to confidential data by granting staff and third parties only the permissions their role requires, and review those permissions regularly.
- Enforce strong passwords (a minimum length and a check against common passwords) for both employees and customers/patients who have access to confidential information, such as medical records.
- Put a Web Application Firewall (WAF) in front of the site to block malicious requests before they reach the application. A WAF filters known attack patterns; it does not replace fixing the underlying vulnerabilities.
- Have your website scanned daily for malware and viruses, especially if you’re a government or healthcare organization running proprietary web software. A website scanning solution can detect and remove threats before much damage has been done.
- Back up all data on a regular schedule, and test that backups restore, to minimize damage in the event of a cyber attack.
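Two of the items above, enforcing strong passwords and keeping stored credentials protected, can be shown concretely. The following is an added example written for this article, not code from the original post or from any product it mentions. It applies an assumed policy (at least 12 characters, not on a small constructed deny-list of common passwords, not containing the username, not made of only a handful of repeated characters) and then stores the password as a salted PBKDF2-HMAC-SHA256 hash using only the Python standard library. The length threshold, the deny-list and the iteration count are assumptions chosen for the example.

```python
"""Added example: enforce a password policy and store credentials as salted hashes.

Illustrative code written for this article; not a product's code and not a
HIPAA-mandated algorithm. Policy thresholds, the deny-list and the PBKDF2
iteration count are assumptions chosen for the example.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumed policy: minimum length for any password that gates confidential data.
MIN_LENGTH = 12

# Constructed deny-list for the example. A real deployment checks against a
# large corpus of breached passwords rather than this handful of entries.
COMMON_PASSWORDS = {
    "password", "password1", "123456789012", "qwertyuiop12",
    "letmein12345", "welcome12345",
}

# Assumption: tune so one derivation takes a noticeable fraction of a second
# on your own hardware; higher is slower for attackers and for you alike.
PBKDF2_ITERATIONS = 600_000


def password_problems(username: str, password: str) -> list:
    """Return the list of policy violations for a proposed password (empty means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 4:
        problems.append("uses too few distinct characters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and return a self-describing record.

    The record carries the algorithm, iteration count and salt so that the
    parameters can be raised later without breaking existing accounts.
    """
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(username: str, password: str) -> str:
    """Apply the policy, then return the record to store; raise if the password is weak."""
    problems = password_problems(username, password)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for pw in ("password1", "jsmith-records-2015", "correct horse battery staple"):
        print(repr(pw), "->", password_problems("jsmith", pw) or "accepted")
    record = register("jsmith", "correct horse battery staple")
    print(record)
    print("login ok:", verify_password(record, "correct horse battery staple"))
    print("wrong password ok:", verify_password(record, "Correct horse battery staple"))
```

The same policy check should run wherever a password is set (registration, reset, administrator-created accounts), and the stored record should never be the password itself, reversibly encrypted or not, because a database leak then exposes every login.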