Information Security Regulatory Compliance and Privacy: HIPAA, HITECH, and Sarbanes-Oxley

By Peter H. Gregory

If you think you might be interested in entering the field of information security, you need to familiarize yourself with regulatory compliance and privacy standards. Among the many are HIPAA, HITECH, and Sarbanes-Oxley.

HIPAA and HITECH

Healthcare providers, insurance companies, and most U.S. based companies offering health insurance benefits are required to comply with HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act).

HIPAA requires that organizations storing electronic protected health information (EPHI) take certain measures to protect the confidentiality, integrity, and availability of EPHI. Organizations required to comply with HIPAA are known as covered entities.

HITECH expanded the reach of HIPAA by requiring business associates that store or process EPHI to comply with HIPAA as well. The term business associates means any organization that provides services to a covered entity. HITECH also added new breach notification requirements, ensuring that citizens will be notified if their health information is inappropriately disclosed or compromised.

Sarbanes‐Oxley

The Sarbanes‐Oxley Act of 2002 is a law that was passed as a result of several corporate scandals involving falsification of financial records of public companies. Often known as SarBox or just SOX, this law has had a significant effect on security policy and security controls in U.S. publicly traded companies.

SOX Controls

The primary consequence of SOX was the enactment of controls in the following IT functions:

  • Security policy: Organizations are required to have a security policy that is relevant, periodically reviewed and approved by management, and enforced.

  • Access management: Organizations are required to have effective and mature access management processes and tools, so that only authorized personnel have access to appropriate systems, roles, and functions.

  • Change management: Organizations are required to be in complete control of the IT systems and infrastructure that supports their financial systems, so they must have a mature change management process that ensures that only approved changes may be made to systems and that unapproved changes will be detected and corrected.

  • Incident management: Organizations are required to have tools and processes in place to detect incidents in a timely manner and to respond to incidents properly and effectively, resulting in incident resolution as well as a complete understanding of the extent of any incident.

  • Vulnerability management: Organizations are required to have tools and processes in place to periodically examine systems for vulnerabilities and to correct those vulnerabilities timely and effectively.

  • Event logging: Organizations are required to have tools and processes in place to ensure that all events are recorded, and that those recordings are archived, for in‐scope systems. Periodic review — or automated alerting — of events is also required.

  • Internal audit: Organizations are required to take full ownership of the state and effectiveness of their internal controls, including periodic internal audits of those controls and effective responses to issues found during those audits.

The context of these controls is an organization’s key financial system, as well as supporting systems and infrastructure. Any additional applications related to revenue or expenses may also be in‐scope.

The intent of these IT controls is the prevention or detection of any tampering of financial records that is performed through manipulation of underlying IT systems and infrastructure.

Audits

U.S. public companies are required to undergo an annual financial audit by a U.S. registered public accounting firm. Before SOX, the IT portion of a public audit was brief and superficial. After SOX, IT audits are typically thorough and arduous, with considerably more attention on IT operations for in‐scope systems, infrastructure, and personnel.