Start-ups are integral to  economic success of any country, generating  millions new jobs in recent years and experiencing significant market growth as business owners tap new technologies to increase brand reach and impact. With the recently developed industry standards and regulatory requirements influencing all industries, cyber security compliance becomes a mandate for business success.

In this digital era, as the severity and number of cyber-attacks increases, industry standards organizations and governments seek to enforce cyber security by establishing mandatory compliance requirements. However, compliance requirements often lag behind cyber security risk. Therefore, to prepare for dynamic compliance requirements, businesses need to have a risk based approach which includes addressing and mitigating risk of cyber security so that they can stay ahead of the evolving requirements.

Think Big while Starting Small

Most of the time start-ups view their IT as inherently safe —there is a common thought, after all, why would hackers bother with smaller businesses when large-scale operations handle huge volumes of valuable data? Cyber security for start-ups may also take a back seat because almost all of mission-critical tasks that require owners’ attention.

Here’s the hard truth: Start-ups are often in the line of fire for digital compromise precisely because they don’t have built-in cyber security controls or well-articulated InfoSec policies.

Since there’s a lower chance of attacks being detected, identified and mitigated, attacker/hackers looking to test new threat vectors or grab consumer data may target start-ups

 Clearly, start-ups should not ignore risk pertaining to Cyber security. Few of the key activities includes

Compliance : From privacy regulations such as HIPAA and GDPR to start-up PCI compliance, our experts ensure your data handling and storage processes meet evolving expectations.

Internal Audits : Periodic internal audits are helpful in identifying critical gaps between the actual status and desired compliance status.

Risk Assessments :Regulatory bodies wanted to ensure that controls and measures taken by organisation are sufficient and reasonable to your organization, customers, and partners. There are many frameworks available in the market, organisation need to choose the right one as per their requirements and then identify acceptable risk. If possible more than one framework can be used to identify and compare the risks. Organisation shall identify and implement a balanced security strategy factoring in compliance and safeguards based on their specific business and objectives.

Security management : Proper security management services help streamline IT environment and protect business purpose. It provides a holistic view to the management about cyber security compliance.

Incident Response and remediation : When a breach does occur, organisations need to address the attack immediately, contain it, and remediate the threat. A properly trained, expert incident response team to stop, fix, and an ongoing incident response process and plan to keep data secure.

Vulnerability Assessment and Penetration testing : Not all vulnerabilities are obvious. Vulnerability assessments and penetration testing helps find and secure potential failure points.

Third Party Risk Management (TPRM)/Vendor Risk Management : Vendors or service providers are the integral part of most of the start-up businesses. Organisations need to ensure third-party partners are aligned with your organization’s risk controls. Organisations shall ensure that all the vendors are adhering all the desired requirements pertaining to cyber security compliance.

What are the data breach risks?

Data breaches has become very frequent irrespective of the organisations size.

The recent trends indicate that cyber criminals target small businesses which does not have adequate security to gain unauthorized access to data that they can sell on the dark web. Hacking and social engineering attacks focus on exploiting vulnerabilities in servers, systems, networks, software, and people to gain entry.

Many small businesses currently lack the necessary resources required to defend against these attacks, which increases the probability that hackers will continue to target them.

Below are the recent data breach trends

• One fourth of data breaches involved small businesses.
• Many of breaches include social engineering by exploiting lack of awareness of cyber security among employees.
• Maximum of breaches were financially motivated
• Most of the breaches were perpetrated by outsiders and script kiddies.
• Almost more than one fourth of breaches still take months or more to discover

What is cybersecurity compliance and why it is necessary?

Compliance, in general is the act of being aligned with guidelines, rules, regulations and legislation. In cybersecurity, compliance is a program that establishes risk-based controls to protect the confidentiality, integrity, and ensure availability of information stored, processed, or transferred.

Cyber security compliance is not a stand-alone compliance many a times, it is based on multiple standards or regulations to be adhered by any industry. Sometimes different standards can create uncertainty and surplus work for organizations using a checklist-based approach

For example, an e-commerce organisation needs to meet PCI DSS(Payment Card Industry Data Security Standards) if accepts payments through POS(Point-of Service) device, they also require to adhere HIPPA (Health Insurance Portability and Accountability Act) for their employees health information.If this organisation serves European customers then must be complaint with GDPR (General Data Protection Regulation)

What Data is subject to cybersecurity compliance? 

Cybersecurity and data protection laws and regulations primarily focus on the protection of sensitive data, such as

Financial Informatione.g. credit card numbers, card pin numbers, bank account number etc.

PersonallyIdentifiable Information (PII)e.g.First and last name,address,date of birthetc.

Protected Health Information (PHI)e.g. Medical history, records of admissions, prescription records etc.

Other sensitive datathat may be subject to state, regional, or industry regulations includes:

• IP addresses
• Email addresses, usernames, and passwords
• Personal email contents
• Personal messages
• Authenticators, including biometrics such as fingerprints, voiceprints, and facial recognition data
• Marital status
• Race
• Religion

Step by Step Cybersecurity Compliance Program

€Creation of a Compliance Team

For every business irrespective of size, a compliance team is compulsory. Since organizations mainly start-ups are continue to move their business-critical operations to the cloud, there is a need for an interdepartmental workflow and communication across business and IT departments.

Define the Scope

Identify and define the clear scope which includes business processes, information systems, legal requirements, contractual requirements, etc.

€Identify and Establish a Risk Management Process

RISK IDENTIFICATION

Identify all information assets and information processing systems, networks, servers, and data that they access.

 RISK ASSESSMENT

Review the risk level of each data type. Identify where high-risk information is stored, transmitted, and collected and rate the risk of those locations accordingly.

ANALYZE RISK

After assessing risk, you need to analyze risk. Traditionally, organizations use the following formula:

Risk = (Likelihood x Impact)

SET RISK ACCEPTANCE /TOLERANCE LEVEL

After analyzing the risk, you need to determine whether to transfer, treat, accept, or reduce the risk.

Implement Controls

Once the risk is identified treat the risk based on your risk tolerance, you need to determine how to mitigate or transfer risk. Controls can include:

• VPNs
• Access Management
• Firewalls
• Employee training
• Encryption
• Password policies
• Network security
• Third Party/Vendor risk management program

Create Policies

Document Policies and procedures for your compliance activities and controls. These policies acts as the foundation for any internal or external audits.

Continuously Monitor, Respond, and Improve

Continuous monitoring helps in identify new gaps in the cybersecurity compliance program and hence the weaknesses of the information systems and processes can be reduced to strengthen the security. Organizations need to regularly update all the systems in order to avoid any kind of data breach.

Since cyber security is an innovative method, where cyber criminals always try to find out new vulnerabilities in the systems and exploit it.These new vulnerabilities lead to Zero Day attack. Organisations need to monitor their networks and processes in order to identify any suspicious behavior and content it immediately. Internal audits and penetration testing are most effective ways of internal audits.

What are the Benefits of cybersecurity compliance?

There are lots of benefits:

€Enables you to protect your company’s reputation,

It maintain consumer trust, and build customer loyalty by ensuring  customer’s sensitive information is safe and secure

It reduces the risk of a data breach, hence the associated response and recovery costs.

It saves organisations from the less-quantifiable costs of a breach such as reputation damage, business interruption, and loss of business.

Enhance the trust of customers and regulatory bodies in the organisation

€Implementing the appropriate safeguards and security measures to protect sensitive customer and employee information strengthen company’s security posture.

€ It helps to protect intellectual property such as trade secrets, software code, product specifications, and other information that gives your company a competitive advantage.

Other Links :

CYBER SECURITY CHALLENGES FACED BY FINTECH START-UPS

WHAT IS HIPAA?

HIPAA COMPLIANCE FOR HEALTHCARE SECTOR, HIPAA (Health Insurance Portability and Accountability Act) signed by US President Bill Clinton in 1996, provides data privacy and security provisions for safeguarding medical information.

HIPAA Act does the following:

• HIPAA reduces health care fraud and abuse.
• HIPAA acts mandates the storage, protection and handling of handling of medical data, ensuring healthcare data is kept secure.
• HIPAA Act provides provisions for storing patient’s healthcare information.
• HIPAA act is meant for protection and safeguarding unauthorised handling of PHI(Protected Health Information)

HIPAA COMPLIANCE FOR HEALTHCARE SECTOR is a must for healthcare solution providers. HIPAA compliance guidelines are meant to safeguard patient’s health information, ensuring that it is securely stored and correctly used.

All the sensitive data which can reveal patient identity must be kept as confidential in order to adhere HIPAA. There are set of rules of policies and privacy which the organisation need to adhere to achieve compliance.

WHAT INFORMATION IS PROTECTED UNDER HIPAA?

HIPPA Privacy Rule protects a patient’s health information and any identifying information, in any medium or format—files, email, audio, video or verbal communication. Any of the following is considered private health information:

• Name of patient
• Birth date, death date or treatment dates, and any other dates relating to a patient’s illness or care
• Finger and voice prints
• Social Security Number
• Photographs
• Medical records numbers
• Telephone numbers, addresses and other contact information
• Any other unique identifying number or account number

WHY HIPAA COMPLIANCE IS IMPORTANT?

 HIPPA compliance is a well thought of guidelines meant for safeguarding patient’s .Failure to this can put patient’s critical information at risk. Cyber Security breaches have catastrophic impacts on organisation’s reputation, also can leads to disciplinary actions and sometimes huge penalties and fines.

In past years ransom ware and malware attacks like WannaCry, Non Petya, have impacted millions of computers across the world, including healthcare organisation.

Hackers exploited vulnerabilities existing in the Network devices like weak passwords, outdated versions of Operating Systems which are commonly used in healthcare sector.

Since there is not adequate awareness and information security support in medical service providers, the attack was very easy to carry out.

Now a day’s everything is technology driven, so HIPAA also regulates some aspects of technology systems used to store, manage, and transfer healthcare information.

The organisations that fail to implement adequate system can suffer significant damage. If any data breach incident take place, the affected organisations has to submit disclosure documents for each and every breach individually.

WHO NEEDS TO BE HIPAA COMPLIANT?

Following is the list of the organisation which needs to be HIPAA compliant

• Healthcare providers, who stores data and process PHI in electronic form.
• Clinics,
• Hospitals,
• Regional health care services,
• Medical practitioners
• Healthcare clearinghouses
• Healthcare billing services
• Community health management information system).
• This also includes any organisation which collects PHI from healthcare organisations and process it into an industry standard format.
• Health plans
• Medicaid,
• HMO (Health Maintenance Organisation),
• Insurers,
• Public health authority,
• Medicare prescription drug card sponsors,
• Universities and schools which collects, store or transmit PHI)
• Business associates of all the above
• Any organisation which handles PHI in electronic format such as vendors, contractors and infrastructure service providers.
• This also includes organisations that store or destroy (shred) documents.
• Transcription services,
• Medical equipment companies,
• Auditors and
• Accountants

HIPAA PRIVACY, SECURITY AND BREACH NOTIFICATION RULES

PRIVACY RULE

HIPAA Privacy rules are Standards for privacy of PHI of individuals. The main goal of HIPAA rules is to protect medical reports and other PHI(Personally identifiable health information)

HIPAA privacy rules are applies to these types of organisations;

• Providers, supply chain (vendors, contractors) and service providers (data centre and cloud service providers). All healthcare Clearinghouses and health care providers shall be compliant.
• This rule also applies to healthcare service providers who conducts health related electronic transactions.

Accordingly to HIPAA privacy rule patients have legal rights over their health information.

Below are the fundamental rights of patients:

• To authorise disclosure of their health information and records.
• To request and examine a copy of their health records anytime
• To request correction to for the health records as needed

SECURITY RULE

HIPAA Security Rule are the Security Standards for the protection of ePHI and is a subset of privacy rule only. This rule is applicable to electronic personally identifiable health information (ePHI), which shall be protected if it is created, maintained, and received by any organisation. Covered entities shall maintain confidentiality, integrity and availability of ePHI.

 Covered entities shall adhere all safeguards to be compliant:

• Technical Safeguards:

Access Control, Audit control, integrity control, transmission security

• Physical Safeguards

Physical Access control, work station and device security, security of electronic media

• Administrative Safeguards:

Security Management process, Security Manager, Information Access Management System, training and awareness, evaluation system.

HIPAA BREACH NOTIFICATION RULES 

Even after having adequate security measures in place, there is a possibility of breach. For such cases Breach notification rules specifies how the organisations should deal with it.

First of all organisations should know how to define a breach. A breach is unauthorised use or disclosure of PHI forbidden by Privacy rule. The unauthorised use or disclosure of PHI is presumed to be a breach unless your organisation demonstrate there is a low probability the PHI has been compromised based on a risk and impact assessment of at least the following criteria:

• The extent and nature of the PHI involved, including the types of identifiers and the probability(likelihood )of re-identification
• The unauthorized individuals to whom the disclosure was made or who used the PHI
• Whether the PHI was actually acquired viewed or acquired
• The extent to which the risk associated with PHI has been mitigated

PHI breach notifications must be provided without unreasonable delay and no later than 60 days following the breach discovery. Notifications of smaller breaches which is affecting fewer than 500 individuals may be submitted to HHS (The United States Department of Health & Human Services) annually. The HIPPA Breach Notification Rule also requires business associates like vendors, suppliers, service providers of covered entities to notify the covered entity of breaches at or by the business associate.

HIPAA PENALTIES

As per HIPAA Privacy Rule, a healthcare data breach as well as failing to give patient’s access to their PHI, could result in a fine from OCR(Office for Civil Rights)

The minimum penalty for: HIPAA COMPLIANCE FOR HEALTHCARE SECTOR

• Unknowingly violating HIPAA is $100 per violation, with an annual maximum of $25,000 for repeat violations.
• Reasonable cause for violating HIPAA is $1,000 each violation, with an annual maximum of $100,000 for repeat violations.
• Wilful neglect of HIPAA, but when the violation is corrected within a given time period, is $10,000 per violation, with an annual maximum of $250,000 for repeat violations.
• Wilful neglect of HIPAA, and the violation remains uncorrected, is $50,000 per violation, with an annual maximum of $1.5 million for repeat violations.

The maximum penalty for all of these is $50,000 per violation, with an annual maximum of $1.5 million for repeat violations.

Covered entities, organisations and individuals who intentionally  disclose or obtain PHI in violation of the HIPAA Privacy Rule can be fined up to $50,000 and receive up to one year in prison. If the HIPAA Privacy Rule is violated under false act, the penalties can be increased to a $100,000 fine and up to 10 years in prison.