Sharon Finney, an information security administrator at Decatur,
Ga.-based Dekalb Medical Center, has been dealing with regulatory
compliance issues for years.
The teaching hospital implemented content monitoring and data
loss prevention software from Denver-based Vericept as part of its
Health Insurance Portability and Accountability Act (HIPAA)
compliance program in 2004 and is now reviewing its systems to
ensure compliance with the
Payment Card Industry Data Security Standard (PCI DSS).
New regulations and standards designed to lock down systems
containing critical information are constantly coming to the
forefront. But boards aren't necessarily giving IT pros
like Finney a blank check to implement new security
technologies.
"When I go to the audit and compliance committee or board of
directors … I have to come up with something more than telling them
that a regulation or standard says we need to do it," Finney said.
"You need a plan and strategy to say here are the items that need
to be addressed, here is how they impact us, and show what is
critical and what is an acceptable level of risk."
Companies that accept credit card transactions, including
healthcare institutions, are taking a standard approach to PCI DSS.
But many are underestimating the costs associated with becoming
compliant, according to a recent survey.
Conducted in June by the Boston-based Aberdeen Group, the survey
highlighted the route some companies are taking to become
compliant. Aberdeen surveyed 125 organizations and analyzed those
it calls best-in-class – firms that had reported PCI
compliance, addressed six or more
PCI DSS requirements and had no data security breaches in the
last year.
The study found that companies are consistently
underestimating the costs associated with compliance, said Derek E.
Brink, vice president and research director at Aberdeen. Even the
best-in-class organizations underestimate the costs, he
said.
"With respect to PCI compliance, in many cases it cost about 40%
more than they estimated," Brink said.
Still, the survey found that the best approach is to start by
understanding which systems hold sensitive credit card data and
then performing an assessment to discover what data is most at
risk.
Brink said that 63% of best-in-class organizations eliminated
systems that stored sensitive authentication data, such as full
magnetic stripe data, PINs and card validation values, which PCI DSS
prohibits storing after authorization even in encrypted form.
Segmenting networks to isolate the systems that handle credit card
data was also cost effective for many companies, Brink said.
"If you cut off systems that don't process cardholder data from
those that do, then the PCI DSS requirements only apply to those that
process the data," Brink said. "You cut off a big bunch of systems
and reduce your scope. This was a big distinction between
best-in-class and the industry average."
The study found that 68% of best-in-class organizations
used PCI DSS as a guide to improve protection of all sensitive
business data, not just credit card data. PCI projects typically
lasted 12 to 18 months and began with a data flow diagram to determine
which systems stored, processed or transmitted cardholder data. Second,
a risk and vulnerability assessment was undertaken on all system
components in the cardholder data environment to determine which
areas needed to be addressed.
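The two steps Brink describes, a data flow diagram and then an assessment of what sits in the cardholder data environment, can be checked mechanically once the diagram is written down. The script below is an added illustration, not code from the article, Aberdeen or Dekalb Medical Center: it models a constructed inventory of systems, the flows that carry card data and two firewall policies (a flat network and a segmented one), then computes which systems are in the cardholder data environment, which are in scope only because they can talk to it, and which store sensitive authentication data that has to be removed before an assessment. All system names, flows and rules are assumptions made for the example.

```python
"""Scoping a cardholder data environment (CDE) from a data-flow diagram.

Added example: this is not code from the article, Aberdeen or Dekalb Medical
Center. The systems, flows and firewall rules below are constructed to show
why segmentation shrinks PCI DSS scope and why storing sensitive
authentication data (SAD) has to be designed out rather than encrypted.
"""
from itertools import chain

PAN = "PAN"      # primary account number: cardholder data
TRACK = "TRACK"  # full magnetic-stripe data: sensitive authentication data
CVV = "CVV"      # card validation value: SAD
PIN = "PIN"      # PIN block: SAD
SAD = {TRACK, CVV, PIN}
CHD = {PAN} | SAD  # handling anything here makes a system part of the CDE

# Constructed inventory: what each system processes and what it keeps on disk.
SYSTEMS = {
    "pos-cafeteria-1": {"processes": {PAN, TRACK}, "stores": {TRACK}},  # POS logs full track
    "pos-cafeteria-2": {"processes": {PAN}, "stores": set()},
    "payment-switch": {"processes": {PAN, PIN}, "stores": {PAN}},
    "card-db": {"processes": {PAN}, "stores": {PAN, CVV}},  # CVV kept after authorization
    "log-server": {"processes": set(), "stores": set()},
    "hr-app": {"processes": set(), "stores": set()},
    "email": {"processes": set(), "stores": set()},
    "ehr-app": {"processes": set(), "stores": set()},
}

# Constructed data-flow edges that carry cardholder data.
FLOWS = [
    ("pos-cafeteria-1", "payment-switch"),
    ("pos-cafeteria-2", "payment-switch"),
    ("payment-switch", "card-db"),
]

# Constructed firewall policies as (src, dst) allow rules; "any" is a wildcard.
FLAT_NETWORK = [("any", "any")]
SEGMENTED = FLOWS + [("payment-switch", "log-server")]  # syslog leaves the CDE


def allows(rules, src, dst):
    """True if some rule permits a connection from src to dst."""
    return any(rs in ("any", src) and rd in ("any", dst) for rs, rd in rules)


def cde(systems, flows):
    """Systems that store, process or transmit cardholder data."""
    handlers = {n for n, s in systems.items() if (s["processes"] | s["stores"]) & CHD}
    return handlers | set(chain.from_iterable(flows))


def connected_to(systems, core, rules):
    """Non-CDE systems with permitted connectivity to or from any CDE system.

    Only one hop counts: a system that can merely reach a connected-to system
    is out of scope, which is the saving segmentation buys."""
    return {
        s for s in systems if s not in core
        and any(allows(rules, s, c) or allows(rules, c, s) for c in core)
    }


def sad_stores(systems):
    """Systems keeping SAD at rest; PCI DSS forbids this after authorization."""
    return {n: sorted(s["stores"] & SAD) for n, s in systems.items() if s["stores"] & SAD}


def scope(systems, flows, rules):
    """Split the inventory into CDE, connected-to and out-of-scope systems."""
    core = cde(systems, flows)
    conn = connected_to(systems, core, rules)
    return {
        "cde": sorted(core),
        "connected": sorted(conn),
        "out_of_scope": sorted(set(systems) - core - conn),
    }


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED)):
        s = scope(SYSTEMS, FLOWS, rules)
        in_scope = len(s["cde"]) + len(s["connected"])
        print(f"{name}: {in_scope} of {len(SYSTEMS)} systems in scope; out: {s['out_of_scope']}")
    print("SAD at rest, remove before assessing:", sad_stores(SYSTEMS))
```

On the flat network every system is in scope because every system can reach the card database; with the segmented rules only the four CDE systems and the log server remain, and the two stores of track data and CVV are listed as things to eliminate rather than encrypt.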
Survey respondents said technology implementations began with
encryption of cardholder data transmitted across open, public
networks, the area where they reported more than 89% year-over-year
improvement. Encryption of stored cardholder data was also a
priority, followed by development of secure systems and applications
that handle cardholder data.
Experts say
data encryption is an area where costs could add up. Software
vendors are lining up to do business. Joe Sturonas, chief
technology officer of PKWARE, which packages and encrypts sensitive
data, said his company is seeing an increase in interest from the
financial services industry. Banks, which do business with
thousands of merchants, are looking for a way to enable end users to
encrypt transaction logs and other items that may contain sensitive
data, Sturonas said.
Sturonas said that while PKWARE's container approach is unique,
it uses the strong encryption PCI DSS requires.
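Before deciding which logs to encrypt, a merchant has to know which of them hold card data at all, and which hold full magnetic stripe data that PCI DSS says must not be kept after authorization regardless of encryption. The scanner below is an added example of that discovery step, of the kind a content monitoring tool performs; it is not code from the article, PKWARE or Vericept. The log lines, host names and patterns are constructed for illustration, and the card numbers are the standard test numbers. It reports primary account numbers masked to the first six and last four digits, rejects digit strings that fail the Luhn check, and flags track 1 and track 2 data separately so the hosts writing it can be dealt with first.

```python
"""Finding card data in logs before deciding what to encrypt or delete.

Added example, not code from the article or any vendor named in it: a small
scanner of the kind a DLP tool runs over transaction logs. It reports PANs
(masked to first six and last four digits) and full track data, which is
sensitive authentication data that must be removed, not encrypted. Log lines
and hosts are constructed; the card numbers are the usual test numbers.
"""
import re

# 13-19 digits, optionally split by spaces or dashes as receipts print them.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Track 2: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Track 1: %BPAN^NAME^YYMM<service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})(\d{3})[^?]*\?")

# Constructed syslog-style lines: date, time, host, message.
LOG = """\
2008-07-14 12:01:03 pos-cafeteria-1 auth ok pan=4111111111111111 amt=4.50
2008-07-14 12:01:09 pos-cafeteria-1 raw ;4111111111111111=0912101?
2008-07-14 12:02:00 hr-app employee id=1234567890123 badge ok
2008-07-14 12:03:11 payment-switch settle pan=5500 0000 0000 0004 ref=77
2008-07-14 12:04:40 pos-cafeteria-3 swipe %B4111111111111111^DOE/JOHN^0912101?
2008-07-14 12:05:00 ehr-app patient mrn=0099887 visit ok
""".splitlines()


def luhn_ok(digits):
    """Luhn check-digit test; rejects most ordinary numeric identifiers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Display form PCI DSS permits: first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(line):
    """Return (kind, masked PAN) for each distinct card number in one line."""
    found, seen = [], set()
    for kind, rx in (("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE)):
        for m in rx.finditer(line):
            if luhn_ok(m.group(1)):
                found.append((kind, mask(m.group(1))))
                seen.add(m.group(1))
    for m in PAN_RE.finditer(line):
        pan = re.sub(r"[ -]", "", m.group(0))
        if pan not in seen and luhn_ok(pan):  # skip PANs already reported as track data
            found.append(("PAN", mask(pan)))
            seen.add(pan)
    return found


def scan(lines):
    """Scan log lines and record line number, host and each finding."""
    findings = []
    for n, line in enumerate(lines, 1):
        host = line.split()[2]
        for kind, pan in find_card_data(line):
            findings.append({"line": n, "host": host, "kind": kind, "pan": pan})
    return findings


def sad_hosts(findings):
    """Hosts that wrote full track data: these systems store SAD and must be fixed."""
    return sorted({f["host"] for f in findings if f["kind"].startswith("TRACK")})


if __name__ == "__main__":
    hits = scan(LOG)
    for h in hits:
        print(h)
    print("hosts writing SAD:", sad_hosts(hits))
```

The employee ID on the hr-app line has 13 digits but fails the Luhn check, so it is not reported; the two point-of-sale hosts writing raw swipe data are the ones that need to stop doing so, whatever is later encrypted.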
"Even though you have a secure pipe to send data, the idea is
that this data should have interoperability and should be protected
once it lands through that pipe on the other side," Sturonas
said.
Aberdeen is also projecting a rise in the number of Qualified
Security Assessors needed over the next 12 months. Companies are
also seeking out approved scanning vendors, log analysis, auditing
and reporting tools, and application vulnerability scanners as part
of their compliance initiatives.
Mike Rothman, president and principal analyst of Security Incite
in Atlanta, said
companies should stick to the basics when it comes to
compliance rather than buying expensive technology. With a
layered approach to security already in place, compliance costs
could be minimal, he said.
"It seems like there's a whole business around complicating all
this stuff," Rothman said. "The reality is if you've got a strong
security program and you documented your stuff and you are training
your users and protecting the data that needs to be protected then
you're going to be compliant."
For Finney of Dekalb Medical Center, whose network serves more
than 4,000 users and includes three cafeterias and restaurants
that accept credit and debit cards, risk assessment is going to be
essential to the security program.
"The same tools we put in place for HIPAA also allow us to put
in rules for PCI or other standards," Finney said. "Eventually we
can choose to address issues with technology or insure against it
or choose to accept it as an acceptable risk."