MSP Responsibilities When It Comes to Compliance
Managed Service Providers (MSPs) serve all kinds of companies across many industries, and that means inheriting the laws, regulations and contractual standards those customers are bound by. For an MSP, compliance touches a number of major security concerns. Two good examples are PCI DSS and HIPAA. The former is an industry standard that applies to any organization that stores, processes or transmits payment card data (retailers are the obvious case, but not the only one), while HIPAA is a federal law covering the healthcare sector. Let's take a close look at what each of these calls for.
The Payment Card Industry Data Security Standard (PCI DSS) is an industry standard for organizations that accept, process, store or transmit payment card data. It covers the major card brands: American Express, Discover, JCB, MasterCard and Visa. The standard is maintained by the Payment Card Industry Security Standards Council (PCI SSC), which those five brands founded in 2006; the first version of the standard had been released in December 2004 to bring consistent controls to cardholder data and reduce the fraud that was common across the industry.
Compliance isn't something you can afford to be lax about. PCI DSS is enforced by the card brands and acquiring banks rather than by the Council itself: merchants and service providers must validate compliance every year, either through a Self-Assessment Questionnaire (SAQ) or, for larger organizations, a Report on Compliance (ROC) produced by a Qualified Security Assessor (QSA), along with quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Non-compliance brings fines, higher transaction fees and, in the worst case, loss of the ability to accept cards. As an MSP with customers who handle card data, your company is expected to help keep those businesses compliant. Note too that if your own systems or staff touch a customer's cardholder data environment, you are a third-party service provider under the standard and must be able to demonstrate your own compliance to that customer.
PCI DSS Compliance Requirements
Fortunately, PCI DSS isn't vague about what compliance looks like. The standard spells out twelve requirements grouped under six goals. First, build and maintain a secure network and systems: install and maintain a firewall (in current versions of the standard, network security controls more broadly) that isolates the cardholder data environment from the rest of the network and from the internet, and never run vendor-supplied defaults for passwords or other security parameters. Second, protect cardholder data: protect stored account data (and do not store sensitive authentication data such as full track data, card verification codes or PIN blocks after authorization), and encrypt cardholder data in transit across open, public networks.
Third, maintain a vulnerability management program. Protect every system against malware and keep anti-virus software and its signatures current, and develop and maintain secure systems and applications, which includes timely patching of known vulnerabilities. Fourth, implement strong access control measures. Attackers no longer need deep coding skills to get into your systems; a single stolen or guessed password is often enough. So restrict access to cardholder data to the people and organizations (service providers included) that need it to do their jobs, identify and authenticate every access to system components, and restrict physical access to cardholder data and the systems that hold it to authorized personnel. Fifth, regularly monitor and test networks: log and track all access to network resources and cardholder data, and test security systems and processes regularly. Finally, maintain an information security policy that addresses security for all personnel, and keep it current.
Next, let's take a look at HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. Title I protects the health insurance coverage of workers and their families when they change or lose their jobs. Title II, the Administrative Simplification provisions, required HHS to create national standards for electronic healthcare transactions and identifiers; the HIPAA Privacy Rule and Security Rule that govern protected health information grew out of it.
As with PCI DSS, here are some points to keep in mind to ensure that your customers stay compliant with HIPAA.
HIPAA Compliance Requirements
In the business world, it is not uncommon to deal with many other companies, not just your customers. Under HIPAA, an MSP that creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered entity is a business associate and must sign a Business Associate Agreement (BAA). Since the 2013 Omnibus Rule, business associates and their subcontractors are directly liable under HIPAA, so this may apply to you even if it didn't in the past. If you qualify, you must comply with the Privacy Rule (to the extent your BAA requires), the Security Rule and the Breach Notification Rule. Any covered-entity clients will require a BAA from you, and you in turn must have BAAs in place with any subcontractor or vendor that handles PHI on your behalf (a cloud host storing ePHI, for instance), though not with every vendor you happen to do business with.
Using Electronic Health Records (EHRs) brings demands of its own, chiefly around privacy and security. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the resulting Breach Notification Rule require that breaches of unsecured PHI affecting 500 or more individuals be reported to the Department of Health and Human Services (HHS) and to prominent media outlets without unreasonable delay, and no later than 60 days after discovery; affected individuals must be notified in the same window, and smaller breaches are logged and reported to HHS annually. As a business associate, you must notify the covered entity of any breach you discover so that it can meet those deadlines. Any electronic protected health information (ePHI) that your clients create, receive, maintain or transmit must be kept confidential, and the MSP is responsible for maintaining its integrity and availability, protecting it against reasonably anticipated threats and against uses or disclosures the Privacy Rule does not permit.
The Office for Civil Rights (OCR), part of HHS, can audit you or your clients at any time, and it investigates complaints and reported breaches. Whatever the circumstances, you can be held directly accountable for a breach, with civil penalties if it resulted from non-compliance. Those penalties were set at up to $50,000 per violation, with an annual cap of $1.5 million for all violations of an identical provision (the figures have since been adjusted for inflation), and the tier applied depends on the level of culpability, from lack of knowledge through to uncorrected willful neglect. Suffice it to say, you want to be following all of HIPAA's requirements each and every day.
Operating as an MSP is never easy. Between PCI DSS and HIPAA, there’s a lot to remember, but hopefully the above makes things a little easier.