International Regulations and Controls

Video Transcription
Hey there, Cybrary friends. Welcome back to the HCISPP certification course with Cybrary: International Regulations and Controls. My name is Schlaine Hutchins and I will be your instructor. In this video, we're going to talk about treaties and laws and regulations. This is not my area of expertise, so I'm going to give you the study book version of the information. Just know that some of this information about the specific treaties and regulations may be on the exam. Let's begin.

Since most countries craft privacy and security regulations for internally specific reasons, it's not surprising that the regulations differ. To settle the differences, sets of countries have collaborated on international agreements to bridge the differences in how personal information is protected. The agreements we will discuss are targeted toward international business exchanges and do not specifically address exchanges among health care organizations.

The US-EU Safe Harbor is a framework to allow US organizations to be in compliance with the European Union and Switzerland data protection requirements when engaged in commerce transactions with the member countries. Specifically, there is a Safe Harbor framework between the US and the EU and another framework between the US and Switzerland. Organizations seeking collaboration in either or both the EU and Switzerland would be required to review and commit to each set of principles.

On February 4th, 2011, by US-Canada joint declaration, the Beyond the Border Action Plan was announced. It's a shared approach to security in which both countries work together to address threats within, at, and away from the borders while expediting lawful trade and travel.

The Transatlantic Information Sharing and Data Privacy Act is an effort to enable the EU and the United States to work more closely and efficiently together to exchange law enforcement information while ensuring the protection of personal data privacy.

We've reviewed these several times throughout the course. The most important laws and regulations related to healthcare information within the US are HIPAA and HITECH. HIPAA is the federal law that was enacted and has been furthered by the requirements of the Affordable Care Act of 2010 with operating rules for each of the HIPAA covered transactions. They are a unique standard health plan identifier and a standard and operating rules for electronic funds transfer and electronic remittance advice and claims attachments. In addition, health plans will be required to certify their compliance. The act provides for substantial penalties for failure to comply with the new standards and operating rules.

I must note, and take note of this, that there is no such thing as a HIPAA certification. There are companies that claim to offer a certificate of HIPAA compliance, and it just simply doesn't exist. While companies need to certify that they're meeting the requirements, that just means that you assess your own organization and assess your controls against the HIPAA regulations and standards. These false certifications are the same thing as companies offering a SOC 2 certification. Again, there's no such thing. SOC 2 is an audit report to review service and controls for an organization and to give an independent opinion.

While organizations can assess their level of compliance, HIPAA has standards of controls that are addressable, and some that are required. Those that are required must be implemented by covered entities. Addressable requirements may or may not be implemented according to their applicability.

The HITECH Act ushered in an era of rapid electronic record adoption, but it also brought in new requirements for security, privacy, and specifically breach reporting. The scope of covered entities was also clarified to include business associates such as billing providers, software companies, and in some cases, banks.

The breach notification rules of HITECH are detailed and mandatory for covered entities. Covered entities must maintain a log of all breaches and submit the log to the HHS. They must notify individuals affected by a breach within 60 days. Breaches involving more than 500 individuals must be reported to the HHS. They must understand restrictions related to marketing activities using patient information. They must use and disclose the minimum necessary subject data to conduct a particular function or task. They must provide an electronic copy of a patient's health record upon request. The provider may charge a fee for producing the copy. They must mail first-class letters to patients who might be affected by the breach.

One important Safe Harbor provision exists in the HITECH Act for encrypted information. If the information breached was encrypted with certified FIPS 140-2 encryption, the breach does not have to be reported. Breaches do not have to be disclosed if the information was exposed to an authorized recipient and not further disclosed. For instance, if a hospital faxes information to the wrong number, but the wrong number was also a covered entity like another doctor's office, that doctor's office is also covered by HIPAA, and that disclosure does not have to be reported to the HHS.

PIPEDA is the Canadian regulation. Organizations covered by PIPEDA must generally obtain an individual's consent when they collect, use, or disclose that person's information.

GDPR is one of the more recent data protection regulations. GDPR is a regulation in the European Union on data protection and privacy in the EU and the European Economic Area. It addresses the transfer of personal data outside of the EU.

As an information security professional, you should be aware of other privacy and security regulations outside of healthcare, especially where aspects of the regulations may affect or relate to healthcare information protection regulations. Here are a few examples of other industry-specific laws.

OSHA is a unit of the US Department of Labor and addresses safety and protection of workers in organizations that involve hazards and hazardous waste as potential sources of injuries and health-related problems. OSHA covers health care workers at hospitals and other medical facilities where exposures to chemicals or equipment could result in injuries or diseases.

PCI-DSS, the security standard, is unique within this training in that it's the only standard that is a private industry sector standard, as opposed to a government-mandated regulation. PCI targets merchants who accept product and service payments from customers using specific credit cards. Merchants are ranked by levels, levels 1-4, based on the number of specific credit card transactions processed per year. Each merchant is required to implement privacy and security programs to protect the financial information of customers with as much rigor and completeness as the health care standards provide for PHI. Healthcare organizations that allow credit card transactions for the payment of services fall under PCI-DSS compliance. Such services provided by hospitals, such as bill payments, pharmacy, laboratory, radiology services, food services, gift shops, floral shops, et cetera, may be covered by PCI.

Now, FOIA, or the Freedom of Information Act, is primarily seen as a basis for obtaining federal stores of information that are seen as publicly accessible and is frequently used by private citizens for political or legal issues. FOIA offers very little direct protection of PHI or PII that is not found in more appropriate regulations, but it is included here because it was actually one of the first US laws to identify federal information that was not free to be distributed.

Congratulations. You made it through treaties, laws and regulations. I'll see you in the next video.