In the previous six articles, we’ve looked at how cyber security is impacting different industry sectors. The sectors analyzed have been healthcare, financial services, manufacturing, automotive, energy, and retail. Each sector has its own cyber security pain points, and there is, of course, much overlap as well. Phishing is especially an issue across all industry sectors, likely because it taps into our behavior, and because of that it is very successful as an attack vector. To attempt to counter the onslaught of cyber threats against our nation’s industries, each sector has in place compliance measures and regulations that specifically address security and privacy requirements. In this final, round-up article, we’ll be looking at the compliance expectations of each sector, and how those guidelines should fit in with any industry sector security strategy.
Healthcare Compliance and Regulations
Healthcare is a data-rich industry sector and as such has some extensive security regulations to adhere to. The main bodies of regulation used within this sector are the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
HIPAA was introduced in 1996, and the HIPAA Privacy Rule covers the security of Protected Health Information (PHI). PHI has a very wide scope. It includes all personal information, such as name, address and so on, but it also includes medical records and even DNA. HIPAA specifically regulates how PHI is handled, i.e. used and disclosed. It is meant, however, to get the balance between security and usability of PHI right; it is important to keep health data flowing and available for improved health care. The Privacy Rule covers health plans, healthcare providers, and health care clearing houses. Importantly, it also covers ‘business associates’. This means that the extended ecosystem of third-party vendors used by health care also needs to be HIPAA compliant. Essentially, any healthcare CIO is responsible for ensuring that third-party vendors take due care of any PHI that comes under their remit.
HITECH was introduced in 2009 as a way of encouraging the use of Electronic Health Records (EHR). HITECH is a separate law from HIPAA, but the two work in symbiosis. HITECH, for example, has set fines for non-compliance with HIPAA security regulations.
The HIPAA Omnibus Rule, introduced in 2013, strengthens the main security requirements of HIPAA and sets the expectations of the breach notification rule to cover any breach affecting over 500 individuals. The breach must be reported to the U.S. Department of Health and Social Services, and the details made publicly accessible.
Financial Services Compliance and Regulations
The financial services industry has a focus on the protection of financial data, including payment card information. Compliance requirements across the industry are complex and can be country specific. The Payment Card Industry Data Security Standard (PCI-DSS) specifically covers the handling and management of payment card data. This standard covers all aspects of payment card data handling, from acquiring, transmitting, storing and processing these data. PCI-DSS is based on a process of “assess, report, remediate”. It is about understanding your IT assets and processes around payment card handling, sorting out any vulnerabilities, and keeping records, as well as submitting compliance reports to the banks and card brands a company is associated with. Financial services companies need to ensure that their services can be PCI-DSS compliant.
The Sarbanes-Oxley Act was brought in to protect the public from fraudulent financial transactions by corporations in general. However, it also impacts the financial sector. Its main thrust is around what records to store and for how long. The act specifies security measures that need to be undertaken to protect the stored records.
Payment protection is one area of compliance, but this doesn’t mean there isn’t also a requirement to protect Personally Identifying Information (PII) – see ISO27001 below.
Manufacturing Compliance and Regulations
There is a plethora of regulations covering the manufacturing industry, some being specific to the industry type, e.g. toy manufacture. However, in terms of security, the industry has to cover areas as diverse as data protection, IT safety and security, and health, safety and environmental impact. One of the most prevalent security-based regulatory standards in this industry sector is the ISO27001 series. ISO/IEC 27001:2013 is a generic version of the standard applied across all industry sectors. It is designed to establish an information security management system within an organization. The standard looks at risks across the IT systems of a company, including how IT security is managed, access controls, operations security, and even human resource security. Meeting ISO/IEC 27001:2013 is an intensive process in which the company must meet all of the requirements.
Automotive Compliance and Regulations
The automotive industry, as a sub-sector of the manufacturing industry, has to meet the compliance requirements of that industry. However, areas of automotive also offer financial packages for car purchases, and as such also need to meet various financial regulations, like PCI-DSS.
Transportation has to look to ISO27001 to ensure that customer and supplier information is kept safe, and to make sure its vendor ecosystem is also conforming to the remit of the standard.
The automotive industry has a specific requirement in terms of car safety too. As the automotive industry embraces the IoT and driverless cars, regulations covering those specifics will likely be introduced as extensions to existing regulations.
Energy Compliance and Regulations
The North American Electric Reliability Council (NERC) controls the compliance requirements of the utility companies under the banner of energy. NERC specifically looks after the cyber security expectations of the sector, and more recently the impact of cyber security on the Smart Grid.
This sector is also covered by the Critical Infrastructure Protection (CIP) standards, which run from CIP-002 to CIP-009. A BES (Bulk Electric System) Cyber System is the term used in the sector to describe cyber assets that require protection. This includes control systems such as SCADA and ICS.
Retail Compliance and Regulations
One of the main regulations overseeing security in the retail sector is PCI-DSS, which controls the handling and management of payment cards. PCI-DSS also covers Point of Sale (POS) transactions. This sector is a major target for data theft, so it is also under pressure to protect PII. Retail outlets build online stores requiring accounts to be created that store Personally Identifying Information, such as your name, address and email address. These data need to be protected using standards such as ISO27001.
Many of the standards and regulations have cross-industry application. This makes sense in light of the cross-industry attack vectors, many of which we have explored in each of the six industry sector articles looking at cyber security. Although some of the sectors have specific needs, such as the healthcare industry, all require a strategic approach to ensuring that the often complex compliance requirements can be met. It can take many months to get through the onerous requirements of compliance standards such as ISO27001, but the protection that a well-thought-through and regulated cyber security strategy can offer is worth it in the long run, especially in light of the enormous efforts made by today’s cyber criminals.