How does privacy law come into play when a pandemic hits? Do the rules change? How do business associates and covered entities know when and where they can share PHI related to the pandemic? Let’s discuss so that you know the impact on your organization.

HIPAA Privacy Rule and Pandemics

The HHS recently released a memo that explains how the HIPAA Privacy Rule balances protection of PHI with protection of national public health. During pandemics like the coronavirus, the HHS outlines the unique disclosure permissions in the HIPAA Privacy Rule:

  • Treatment – Covered entities may disclose, without a patient’s authorization, PHI about the patient as necessary to treat the patient or to treat a different patient.
  • Public Health Activities – Covered entities may disclose, without a patient’s authorization, PHI about the patient when it is legitimately required by public health authorities to carry out their public health mission.
  • Disclosures to Family and Friends – Under specific scenarios outlined by the HIPAA Privacy Rule, a covered entity may share PHI with a patient’s family members, relatives, friends, or others involved in the patient’s care.
  • Preventing Serious and Imminent Threats – Covered entities may share PHI with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.
  • Disclosures to the Media – Reporting to the media or the public at large about an identifiable patient or their treatment is not permitted without the patient’s written authorization.
  • Minimum Necessary Disclosures – Covered entities must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary.”

For business associates, the main impact will potentially be requests from their covered entity to facilitate PHI disclosures to local, state, and federal health authorities as well as to friends and families of patients. For covered entities, a point of focus should be involving and preparing their Privacy and Compliance Officers to ensure proper disclosures and minimum necessary standards are being followed.

If you are a business associate or covered entity impacted by the HIPAA Privacy Rule, we encourage you to study the DHHS’ memo to reacquaint your organization with the unique disclosure permissions caused by a pandemic.

GDPR and Pandemics

Will coronavirus test Europe’s commitment to privacy? GDPR does allow for the temporary suspension of privacy requirements for certain crises like this pandemic. Article 9 addresses how long the information can be stored and where, who has access to it, and when the data should be purged after the crisis passes.

Some European countries have adopted their own guidance on privacy in the time of the coronavirus – Italy has adopted Civil Protection Ordinance No. 630 to temporarily lift restrictions on sharing personal data related to public health issues. France has published guidelines for data sharing and data retention related to coronavirus response. Germany’s Federal Data Protection Act addresses processing special categories of personal data.

Your Response to Coronavirus

In times like this, we never want your organization to feel uncertain about your privacy practices. If your Privacy or Compliance Officers have questions about how to handle this pandemic, don’t hesitate to reach out. We do not want you to just survive this crisis. We want you to emerge stronger and more secure on the other side of it.

More Privacy Resources

Business Continuity and Disaster Recovery Planning Checklist

CDC – Coronavirus Disease 2019 (COVID-19)

Trends in Privacy, Breach Notification, Data Security Legislation in 2019

We get a lot of questions about PCI and HIPAA audits. There’s legislation and complicated requirements behind these frameworks, so what happens when your company is required to obtain both types of compliance? Are you able to consolidate both audits into one project? KirkpatrickPrice has developed the Online Audit Manager to make it easier to combine multiple audits into one project, including PCI and HIPAA. Let’s talk through why and how you would take on the project of a combined PCI and HIPAA audit.

What are PCI and HIPAA Audits?

Before we discuss how to go through a combined PCI and HIPAA audit, let’s review what each of these types of audits are.

The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The founding payment brands include Visa, Inc., MasterCard, Discover Financial, American Express, and JCB International. The PCI DSS is a rigorous framework that consists of nearly 400 individual controls. PCI compliance is a critical part of staying in business for any merchant, service provider, or subservice provider who is involved in handling cardholder data. A PCI audit must be conducted by a QSA.

The integrity of the healthcare industry relies on keeping data secure and patients safe. This, in part, was why HIPAA was created. HIPAA sets a national standard for the protection of consumers’ PHI and ePHI by mandating risk management best practices and physical, administrative, and technical safeguards. HIPAA was established to provide greater transparency for individuals whose information may be at risk, and the OCR enforces compliance with the HIPAA Security, Privacy, and Breach Notification Rules.

Why a Combined PCI and HIPAA Audit?

Depending on your services, both PCI and HIPAA compliance may be required of your organization – and when multiple types of compliance are required of you, it’s important to know that a combined PCI and HIPAA audit is an option.

Protecting cardholder data as well as protected health information is a difficult task, but compliance in these areas will ensure your organization is doing its due diligence. Healthcare is one of the industries most at risk for data breaches, and the most expensive. In 2019, IBM reported that the average cost of a data breach in healthcare is $6.45 million, totaling out at $429 per record. Plus, once you’ve had a data breach, you’re more likely to have abnormal customer turnover – 8% in healthcare. In the financial services industry, the average cost of a breach is $5.86 million. Don’t you want to do every test and assessment possible to keep your organization from falling into these statistics?

Using the Online Audit Manager

Our goal is to make PCI and HIPAA reports more accessible to organizations who are being asked for them, so in order to complete a combined PCI and HIPAA audit, we utilize the Online Audit Manager. The Online Audit Manager is an online audit delivery tool that maps the requirements of each framework to one another so that you can capitalize on your resources instead of answering the same question over and over again on separate audits – all with the goal of saving your organization’s time, effort, and capital. Completing a combined PCI and HIPAA audit with KirkpatrickPrice will be a more efficient, accessible process for your organization. Interested in more specifics on how this works? Let’s set up a demo of the Online Audit Manager.

More PCI and HIPAA Resources

4 Reasons to Start a PCI Audit Right Now

HIPAA Compliance Checklist

Using the Online Audit Manager to Complete Multiple Audits

So you’ve completed a SOC 2 audit, how prepared does that make you for an ISO 27001 audit? How do you know whether your organization needs a SOC 2 attestation or an ISO 27001 certification? For organizations working toward security compliance, deciding between these two audits depends on a few factors. While these audit frameworks are different in many ways, they also share some core similarities that make it difficult to decipher which audit may meet your organizational needs. Don’t worry, we’re here to help you decide when you should complete a SOC 2 audit, ISO 27001 audit, or both.

How SOC 2 and ISO 27001 Audits are Similar

SOC 2 and ISO 27001 audits are similar in that they both test an organization’s approach to information security and its ability to mitigate risk. Many of the same controls are tested for each framework, such as context of the organization, asset management, access control, physical security, and business continuity. When you complete one audit, it does put you closer to compliance with the other. Both have value for building customer loyalty, new business, your reputation, and better information security practices.

While there are many similarities between ISO 27001 and SOC 2 audits, you can also learn about the differences in our previous blog post, SOC 2 vs ISO 27001. Still, with all these commonalities, it makes sense that you might be wondering which audit is best for your organization. The answer to that question starts with an evaluation of what your clients ask of you, your customized compliance needs, and your security goals.

When to Choose SOC 2

If your client is asking for a SOC 2 audit report, the decision of whether to complete a SOC 2 audit is made for you. You should always complete the audit that your clients are requiring from you. Testing your processes against any of the Trust Services Criteria – security, confidentiality, availability, processing integrity, and privacy – will result in a SOC 2 report that you can give to your clients for assurance of your security practices. The AICPA specifically requires that CPA firms perform SOC 2 audits. Why a CPA firm? To name just a few reasons: integrity, independence, and accountability. There are so many different types of CPA firms, though – bookkeeping, forensic, risk, tax, full-service, and audit firms. You want to choose a qualified CPA firm who specializes in information security auditing.

When to Choose ISO 27001

For organizations that do business internationally, it’s important to note that ISO 27001 is the only internationally-accepted standard for governing an organization’s information security management system (ISMS). This fact may make an ISO 27001 audit or certification more valuable than a SOC 2 to international organizations.

Once you’ve decided that you need an ISO 27001 audit more than a SOC 2 audit, there’s a second decision to make: do you need an ISO 27001 certification? Organizations may choose to perform an internal audit against the ISO 27001 standard and pursue certification, but they could also just do the audit if it will satisfy client requirements. Like other frameworks, certification is possible but not mandatory.

Why Not Both?

The value of a multi-audit process, like KirkpatrickPrice’s Online Audit Manager tool, is that you can complete both the SOC 2 and ISO 27001 audits in the same project engagement. If you’ve already completed a SOC 2 audit and are looking to prove to clients that you have a holistic approach to information security instead of just meeting the lower-level requirements, you can exceed expectations by completing both audits.

A multi-audit approach saves time, because some of the qualifying questions and scoping information needed to complete SOC 2 and ISO 27001 audits overlap, such as details on security training and management roles. That means you can spend less time in the weeds of completing an audit and more time showing your clients, investors, and employees that meeting security goals is a top priority.

If you’re ready to learn more about your information security audit options, contact KirkpatrickPrice today, receive a quote, and get started on your compliance journey.

More Resources

ISO 27001 FAQs

What Type of Compliance is Right for You?

Using the Online Audit Manager to Complete Multiple Audits

The Importance of Network and Data Flow Diagrams

Network diagrams and data flow diagrams are called out in PCI Requirement 1; in fact, the PCI DSS puts so much weight on a good diagram that it includes them in the first phase of the Prioritized Approach, which is the recommended method to remediate compliance gaps.

But PCI is not the only place where network and data flow diagrams matter. In any environment where an organization has sensitive data, these two pieces of documentation are critical during an audit. They provide more valuable information and understanding about the environment, in less time, than any other piece of documentation. So, how can you create effective network diagrams? How can you create effective data flow diagrams? Let’s discuss.

What is a Network Flow Diagram?

A network flow diagram maps the flow of data through networks. Digital systems often involve network-connected systems with functionality distributed across multiple nodes. For example, in an ecommerce store, data might move from an order system to invoicing, payment, and logistics systems.

A network flow diagram indicates the routes over which data travels, the internal and external nodes on which it is stored or processed, and the purpose of those nodes. Network flow diagrams are essential to understanding the environment that hosts sensitive data as well as risk mitigation and the enforcement of information security policies.

How to Create Effective Network Diagrams

Effective network diagrams show where sensitive data is on your network and how it is protected. In order for a network diagram to be effective, it needs to achieve the following:

  1. Identify:
    • All boundaries of the sensitive data’s environment
    • Any network segmentation points which are used to reduce scope of the assessment
    • Boundaries between trusted and untrusted networks
    • Wireless and wired networks
    • All other connected points applicable to the protection of sensitive information and the critical assets where it is transmitted, processed, or stored
  2. Locate the network protections (e.g., firewalls, IDSes, router ACLs) surrounding the systems that transmit, process, or store the data in question (the “sensitive environment”). Important considerations include:
    • Define the boundaries between trusted and untrusted networks, including any segmentation-related technical controls that enforce segmentation if the entire network is not supposed to be in scope.
    • If there is no internal network segmentation, then your entire network is in scope for the audit.
    • VLANs do not, by themselves, constitute internal segmentation since they don’t restrict access.
    • Internal segmentation might include internally deployed network firewalls; router ACLs that only allow specific devices to communicate with the sensitive systems; or Network Admission Control or similar technology that decides whether a device requesting access to the sensitive area has met security requirements such as patch levels, anti-virus signature dates, and last scan time.
    • In all cases, segmentation must enforce access to the sensitive areas. If a packet – any packet – can get from one place to another, then the source is not segmented from the sensitive environment and it is in scope.
  3. Identify ALL wireless networks – even if they’re out of scope.
  4. Identify the system components involved in transmitting, processing or storing sensitive data. This includes workstations, databases, routers, firewalls, wireless access points, application servers, switches, etc.
  5. Identify the devices responsible for administering the security of the sensitive systems (e.g., antivirus, logging, authentication).
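The scoping rule in the list above is mechanical enough to check from a model of the diagram: walk backwards from the sensitive environment over every link that a packet can actually cross, and everything you reach is in scope. The script below is an added example, not KirkpatrickPrice’s tooling; the zone names, links, and control types are constructed sample data standing in for what an auditor would read off a network diagram. It generalizes the rule to transitive reachability (a zone that can only reach the sensitive environment through another zone is still in scope) and treats a VLAN boundary with no ACL or firewall as an open link, so VLAN-only “segmentation” surfaces both as in-scope zones and as a separate list of claims to challenge.

```python
"""Scope determination from a network-diagram model.

Added example (not KirkpatrickPrice's tooling). Zone names, links and
control types below are constructed sample data. The rule applied is the
one the article states: any zone from which a packet can reach the
sensitive environment is in scope, and a VLAN boundary without an access
control does not segment.
"""
from collections import deque

# Constructed sample inventory: one entry per zone drawn on the diagram.
ZONES = {
    "CDE":       {"kind": "sensitive", "wireless": False},
    "CorpLAN":   {"kind": "internal",  "wireless": False},
    "DevVLAN":   {"kind": "internal",  "wireless": False},
    "Admin":     {"kind": "internal",  "wireless": False},
    "DMZ":       {"kind": "internal",  "wireless": False},
    "HR":        {"kind": "internal",  "wireless": False},
    "GuestWiFi": {"kind": "internal",  "wireless": True},
}

# Constructed links: one entry per connection on the diagram. "control"
# names what sits on the link; "permits" records whether that control's
# rule set allows traffic from src toward dst.
LINKS = [
    {"src": "CorpLAN",   "dst": "CDE",     "control": "vlan",       "permits": True},
    {"src": "DevVLAN",   "dst": "CorpLAN", "control": "none",       "permits": True},
    {"src": "GuestWiFi", "dst": "CDE",     "control": "firewall",   "permits": False},
    {"src": "Admin",     "dst": "CDE",     "control": "router-acl", "permits": True},
    {"src": "HR",        "dst": "CorpLAN", "control": "firewall",   "permits": False},
    {"src": "DMZ",       "dst": "CDE",     "control": "firewall",   "permits": True},
]

# Controls that do not restrict traffic on their own. A VLAN separates
# broadcast domains, but absent an ACL or firewall any packet can still
# cross it, so for scoping it is treated exactly like no control at all.
NON_RESTRICTING = {"none", "vlan"}


def traversable(link):
    """True if a packet can get from link['src'] to link['dst']."""
    if link["control"] in NON_RESTRICTING:
        return True
    return bool(link["permits"])


def scope_paths(zones, links):
    """Map each in-scope zone to the chain of zones a packet would cross
    from it to the sensitive environment (sensitive zones map to [zone]).
    Breadth-first walk backwards from the sensitive zones over links a
    packet can traverse, so indirect reachability is caught as well."""
    reverse = {zone: [] for zone in zones}
    for link in links:
        if traversable(link):
            reverse[link["dst"]].append(link["src"])

    paths = {}
    queue = deque()
    for zone, attrs in zones.items():
        if attrs["kind"] == "sensitive":
            paths[zone] = [zone]
            queue.append(zone)
    while queue:
        current = queue.popleft()
        for src in reverse[current]:
            if src not in paths:
                paths[src] = [src] + paths[current]
                queue.append(src)
    return paths


def segmentation_report(zones, links):
    """Summarise what the diagram implies for assessment scope."""
    paths = scope_paths(zones, links)
    return {
        "in_scope": sorted(paths),
        "out_of_scope": sorted(z for z in zones if z not in paths),
        # Every wireless network must be identified, in scope or not.
        "wireless": sorted(z for z, a in zones.items() if a["wireless"]),
        # Links whose only "segmentation" is a VLAN boundary: the claims
        # an assessor will push back on.
        "vlan_only_links": sorted(
            f"{ln['src']}->{ln['dst']}" for ln in links if ln["control"] == "vlan"
        ),
        "paths": paths,
    }


if __name__ == "__main__":
    report = segmentation_report(ZONES, LINKS)
    for key in ("in_scope", "out_of_scope", "wireless", "vlan_only_links"):
        print(f"{key}: {report[key]}")
    for zone, path in sorted(report["paths"].items()):
        print(f"  {zone}: " + " -> ".join(path))
```

On the sample data, DevVLAN has no direct link to the CDE at all, yet it lands in scope because nothing stops its traffic reaching CorpLAN, and only a VLAN tag separates CorpLAN from the CDE. GuestWiFi is out of scope because the firewall on its link denies the traffic, but it still appears in the wireless list, matching step 3 above.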

How to Create Effective Data Flow Diagrams

In a simple environment, the data flows might be easily overlaid on top of network diagrams. In more complex environments, you might see something else altogether. We frequently see “swim lane” flowcharts that break the process down into “lanes” executed by specific teams. The form and structure are less important than the information contained in it, though. Effective data flow diagrams must include the following:

  1. Be sequenced. For example, “We receive sensitive data at X; it goes through these Y points and is destroyed at Z.”
  2. Follow the data life cycle.
    • Create: Where does data come into our organization? What business processes – such as a sales team or a call center – are involved? What technical systems – such as a web server, an SFTP server, or a contact center – are involved?
    • Share: With whom and how is the data shared? For example, by email attachment, SharePoint, or AWS S3 bucket.
    • Use: What people and system components use the data – either as input or provided as output as part of the process?
    • Store: Where is it stored? A filing cabinet, a shared folder?
    • Archive: How, where, and for how long is the data archived? For instance, archived in an S3 Glacier bucket for one year, on magnetic tape for two years, then in a records warehouse for seven years.
    • Destroy: How is it destroyed when no longer needed? Is it via Iron Mountain shredding service, or by secure electronic wipe of the magnetic tape?
  3. Have sufficient references to the names of applications where sensitive data is transmitted, processed or stored. The application details, including the system components on which it runs, might be documented elsewhere in a more complex environment.
  4. Address the question: Where is my sensitive data and who needs to interact with it?

An Example Network Flow Diagram

Whether you’re undergoing a PCI or SOC audit, or you’re pursuing other compliance goals, creating and maintaining effective network diagrams and data flow diagrams is key to your audit success. Because we know that this is complex but critical documentation, KirkpatrickPrice auditors are committed to helping our clients create thorough network diagrams and data flow diagrams.

Our client, Net Friends, is a great example of this. After Net Friends’ SOC 2 audit, they commented,

“We are so appreciative of the time and attention we received from Randy and the team at Kirkpatrick Price during the SOC 2 audits, and their collaborative approach of working with us on topics that extend well beyond their core mandate. Who could have predicted when we started this ongoing audit process that we would be inspired creatively?!?”

This is part of KirkpatrickPrice’s mission – to inspire and empower our clients to achieve challenging compliance goals.

Here’s an example network flow diagram we put together for Net Friends, before and after:

[Image: example network flow diagram for Net Friends]

All in all, effective network diagrams and effective data flow diagrams play off of each other. They are powerful tools that provide significant amounts of information to those responsible for protecting sensitive data. They will help you define the scope of affected system components, identify critical controls, and identify weaknesses in the control framework. If you want to learn more about how KirkpatrickPrice can help you improve your network diagrams and data flow diagrams, contact us today to speak to a specialist.

More Compliance & Cybersecurity Resources

Most Common SOC 2 Gaps

How to Scope a HITRUST Engagement

Independent Audit Verifies SCREEN GP Americas’ Internal Controls and Processes

Rolling Meadows, IL – SCREEN GP Americas, a division of SCREEN Graphic Solutions Co. Ltd., owned by SCREEN Holdings Co, Ltd., today announced it has completed its SOC 2 (System and Organization Controls) Type I audit, performed by KirkpatrickPrice, a licensed CPA firm specializing in information security and committed to thorough audits.

This attestation provides evidence that SCREEN GP Americas has a strong commitment to security and to delivering high-quality services to its customers by demonstrating they have the necessary internal controls and processes in place.

A SOC 2 audit provides independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA, the American Institute of CPAs. During the audit, a service organization’s non-financial reporting controls, as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system, are tested. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design of SCREEN Americas’ controls to meet the standards for these criteria.

“We know how important information security is to our customers,” said Robert Bernstein, Chief Financial Officer, SCREEN Holdings Co. “The entire SCREEN organization is constantly striving towards higher levels of security. It is one thing for us to say we provide secure services…it’s another to provide independent verification from an expert. We’ve gone through one of the most rigorous security audits in the industry, SOC 2, to demonstrate our commitment to compliance.”

“The SOC 2 audit is based on the Trust Services Criteria. SCREEN GP Americas has selected the security and confidentiality criteria for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “SCREEN GP Americas delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on SCREEN GP Americas’ controls.”

SCREEN GP Americas plans to pursue a SOC 2 Type II report in 2020, further demonstrating its commitment to compliance.

About SCREEN GP Americas

SCREEN Americas, entering its 53rd year in business in 2020, provides a wide range of solutions to meet graphic communications needs, with a strong focus on production-class inkjet printing technology. SCREEN Americas’ commitment to satisfying its growing list of customers is reinforced by delivering the latest innovations that help diverse printing operations profitably grow their businesses.

SCREEN Holdings Co, Ltd., is a major international corporation whose global footprint is seen in many industries. Our history traces back over 150 years to Ishida Kyokuzan Printing Works, a lithographic printing shop founded in Kyoto in 1868. Since then, the SCREEN Group has continued to meet the rapidly changing needs of various business sectors, including Electronics, Media and Information, Life Sciences, Inspection and Measurement and Energy.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over a thousand clients in North America, South America, Asia, Europe, and Australia. The firm has more than a decade of experience in information security by performing assessments, audits, and tests that strengthen information security practices and internal controls. KirkpatrickPrice most commonly performs assessments on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and FERPA frameworks, as well as advanced-level penetration testing. For more information, visit www.kirkpatrickprice.com, connect with KirkpatrickPrice on LinkedIn, or subscribe to our YouTube channel.