PCI DSS, SOX (CobiT) and HIPAA & HITECH simplified

October 22, 2017

Columns: PCI DSS | SOX (CobiT) | HIPAA & HITECH

Penalties

PCI DSS: Fines, loss of credit card processing and level 1 merchant requirements
SOX (CobiT): Fines up to $5M and up to 10 years in prison
HIPAA & HITECH: Penalties and fees up to $1.5M for neglect

----------------------------------------------------------------------

PCI DSS

5.1.1  Monitor zero-day attacks not covered by anti-virus
6.2    Identify newly discovered security vulnerabilities
11.2   Perform network vulnerability scans quarterly by an ASV
11.4   Maintain edge IDS and IPSs to monitor and alert personnel; keep engines up to date

SOX (CobiT)

DS 5.9 Malicious Software Prevention, Detection and Correction
“Put preventive, detection and corrective measures in place (especially up-to-date security patches and virus control) across the organization to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).”

DS 5.6 Security Incident Definition
“Clearly define and communicate the characteristics of potential security incidents so that they can be properly classified and treated by the incident and problem management process.”

DS 5.10 Network Security
“Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.”

HIPAA & HITECH

164.308 (a)(1)(ii)(A) Risk Analysis – Conduct vulnerability assessment
164.308 (a)(1)(ii)(B) Risk Management – Implement security measures to reduce the risk of security breaches
164.308 (a)(5)(ii)(B) Protection from Malicious Software – Procedures to guard against malicious software (host/network IPS)
164.308 (a)(6)(iii) Response & Reporting – Mitigate and document security incidents

----------------------------------------------------------------------

PCI DSS

10.2   Automated audit trails
10.3   Capture audit trails
10.5   Secure logs
10.6   Review logs at least daily
10.7   Retain audit trail for at least one year
10.7   Maintain logs online for three months

SOX (CobiT)

DS 5.5 Security Testing, Surveillance and Monitoring
“… a logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.”

HIPAA & HITECH

164.308 (a)(1)(ii)(D) Information System Activity Review – Procedures to review system activity
164.308 (a)(6)(i) Login Monitoring – Procedures and monitoring for login attempts on host IDS
164.312 (b) Audit Controls – Procedures and mechanisms for monitoring system activity

----------------------------------------------------------------------

PCI DSS

6.6    Address new threats and vulnerabilities on an ongoing basis by installing a web application firewall in front of public-facing web applications.

SOX (CobiT)

DS 5.10 Network Security
“Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.”

AI3.2  Infrastructure resource protection and availability

HIPAA & HITECH

164.308 (a)(1) Security Management Process – Implement policies and procedures to prevent, detect, contain and correct security violations.
164.308 (a)(6) Security Incident Procedures – Implement policies and procedures to address security incidents.