Most of my rants recently have been about the need to encrypt sensitive data, even on private networks, especially since breaches are hitting the news regularly now. In 2008, Regulatory Compliance was a hot topic and PCI, HIPAA, GLBA, SOX and others receiving plenty of coverage throughout the year. While some companies are still struggling to abide by ‘08 deadlines, ‘09 has a few of it’s own. The following are just a few compliance deadlines for 2009 that might affect your business.
New e-prescribing regulations take hold April 1, 2009: Under the new regulations, any physician who electronically prescribes drugs covered under a Part D plan must comply with new CMS standards for communication of information between providers and Part D plan sponsors. By 2011, there's a goal of universal e-prescribing under Medicare. This does not mean that all Rx will now have to be sent electronically, just that those Doctors who are using an electronic system for Medicaid/Medicare scripts must abide by these rules. There are a whole range of security challenges here from data transmission, to doctors using mobile devices, to massive breaches of such sensitive info, to storage.
FTC extends ID-Theft compliance Deadline to May 1, 2009: This is the ‘Red Flag’ rule. Initially slated for a November 1, 2008 deadline, Red Flag requires any entity (including health care) that maintains ‘accounts’ or is a ‘creditor’ to implement anti-identity theft measures. It’s supposed to protect consumers from fraud that is gained by using another person’s identity without their knowledge. Written procedures that identifies suspicious activity (red flag), mitigates damage if their is a breach and staff training are all part of the regulation. HIPAA alone does not make a health care facility compliant.
PCI-PoS/PED deadline July 10, 2010: PCI is extending their guidelines for DSS to cover unattended Point-of-sale PIN entry devices. These are those ‘Pay for your parking’ machines, ‘tickets for event’ kiosks, vending machines and any other terminal where a PIN might be entered. First, by July 1, 2009, Triple-DES will be mandated for all debit transaction processing. A year later, all fuel pumps (and like terminals) will need to have encrypted PIN entry pad, be able to encrypt the PIN itself and process using TDES.
Each of these will require infrastructure security, identity and access management, encryption, acceleration, availability, storage, and a host of other technologies. You don’t have to look far however to find a solution since F5 can help you succeed this latest round of compliance deadlines.