Brain Bytes

HIPPA and CMMC and FISMA, Compliance Oh My!

April 18, 2022 BECA, The IT Brainpower Company Season 1 Episode 34

This week will be a standout performance for your IT Bingo card! Blake and James are jumping into the world of compliance. Almost all industries now deal with some form of regulation and they all seemingly touch IT. Tune in and see how you can keep your lions, tigers, and bears in line and keep your company safe from the flying monkeys! 


Blake B.
(00:00)

The HIPAA bone's connected to the PCI bone, and the FISMA bone's connected to the GDPR bone. Let's talk compliance. Welcome back to Brain Bytes. I'm Blake Boyd. Joining me, as always, is James Green. James, how are we doing today?

 


James G.
(00:19)

I'm doing well. How are you doing?

 


Blake B.
(00:21)

Well, actually, as well.

 


James G.
(00:23)

Well as well.

 


Blake B.
(00:24)

All right. Good to hear. Today, if we didn't print the IT bingo card from last week...

 


James G.
(00:30)

Oh, goodness.

 


Blake B.
(00:31)

We have missed an opportunity because today we're talking compliance. And they're all acronyms, literally all acronyms.

 


James G.
(00:39)

They're fantastic, though.

 


Blake B.
(00:40)

So as alluded to in the intro there, we've got HIPAA, PCI, FISMA, GDPR, and those are probably just the four most well-known ones.

 


James G.
(00:49)

Yes, there are many others.

 


Blake B.
(00:51)

Many others. So compliance is nothing new to the world, to the universe, I guess. But IT compliance, though? It's new and exciting and frustrating at times, but it's happening. You can't run away from it.

 


James G.
(01:13)

Right.

 


Blake B.
(01:13)

And it's becoming more important than ever. Yes.

 


James G.
(01:16)

As we've talked about cybersecurity insurance. And again, as more and more bigger threats and targets are out there, basically, we're putting compliance around what companies ought to be doing to make sure that everyone is safe and secure.

 


Blake B.
(01:33)

Correct. We alluded to this in an episode a week or two ago that this is the infancy of regulation of the IT industry. Compliance is starting to come down to specific industries in the United States and then more globally in nature, over in the EU with GDPR. So let's dive into a couple of them. So probably the one you're most familiar with from a naming standpoint is HIPAA. There's a lot about HIPAA, and a good bit of it has absolutely nothing to do with IT. But a good bit of HIPAA does involve IT. So HIPAA is... I'm going to consult the notes here for what HIPAA stands for.

 


James G.
(02:18)

That is the Health Insurance Portability and Accountability Act.

 


Blake B.
(02:21)

There you go. So the portability and accountability in HIPAA: the portability side does go into the IT a good bit. And then accountability is 50/50. So, yes, part of HIPAA is treating... if a doctor is treating JLo, they can't post online that JLo was here for something, and no selfies. You can't willingly disclose personal information or any PII, personally identifiable information, about a person, or acronyms in regard to health care. Right? Exactly. So from an IT side of things, though, there's things like restricting access to as minimal access as necessary. Right. So, BECA, as a service provider for healthcare clients, we don't need to be able to access patient medical records.

 


James G.
(03:19)

No.

 


Blake B.
(03:19)

We need to access the systems that allow you to access medical records. But our accounts in the systems don't need the ability to access actual patient data.

 


James G.
(03:26)

Correct. We need to be reasonable.

 


Blake B.
(03:28)

We even want that, right. And we only need to be exposed to it in situations where we're troubleshooting or helping a provider with a process that happens to view patient data. So the only time a BECA employee should see PII at a healthcare client is if we're standing over their shoulder trying to help this provider: when I click this button, it doesn't do what it's supposed to, and the other side of that button happens to be James's physical form from his last doctor's visit. Right. So part of that is restricting those accounts and kind of things that have already been best practices from a security standpoint. But now there's this regulatory body saying, hey, do this, and putting penalties behind not doing that. Right. So HIPAA, it's a 50/50, I'd say, between general policy. Just, hey, make sure you're doing these things. Make sure you have a policy in place that says we train our employees on what HIPAA is. We train our employees on how to be diligent with the processing of data on the computers, where they store things, where they share things, that kind of stuff. And then there is the procedure side of things.

 


Blake B.
(04:37)

So that's the policy saying we have this stuff. And then there's the procedure side of it, which is actually we do it. And here's the proof that we do it. Right. And having logs collected of access of PII and having logs of access of PHI, which is private healthcare information. So it's 50/50 between saying we do it and proving we do it. And then it's another 50/50 between IT stuff and just operational security stuff.

 


 
(05:01)

Right.

 


Blake B.
(05:01)

So that's HIPAA. That's probably the one you've heard of. Generally, HIPAA does get misquoted a lot. If I tell somebody that I was at the doctor, that's not a HIPAA violation. I'm allowed to disclose whatever I want about my own medical records. My doctor can't go to TMZ and say that Matt Ryan was there for an ACL, maybe don't play him in your fantasy lineup. Like, that's a mega HIPAA violation. Now, if Matt Ryan posts on Twitter, my knee hurts, maybe don't start knee or something. I think that's also an issue with the NFL Players Union, but not compliance related.

 


James G.
(05:35)

That's a different regulatory body.

 


Blake B.
(05:37)

So jumping over from the US, which HIPAA is a United States Act of Congress, moving over to the EU and something that you might be thinking, why do I care about IT regulation in the EU? You've definitely been impacted by GDPR. You might not know you've been impacted by GDPR, but if you've ever been frustrated with a website that says, hey, cookies, accept our cookies.

 


James G.
(06:03)

That's GDPR, which is pretty much every single website at this point.

 


Blake B.
(06:07)

Yeah, pretty much any major company. Because if your website is available in the EU, you have to have that. GDPR is deep, it's thick, and there's a lot in there. The general consensus of GDPR, which stands for the General Data Protection Regulation.

 


James G.
(06:26)

Not as creative.

 


Blake B.
(06:27)

Not as creative.

 


James G.
(06:28)

This is very general.

 


Blake B.
(06:29)

The general idea behind the general data regulation protection is that individuals must consent to their information being gathered. Thus cookies: you have to consent to accepting the cookies on the website. And that's why websites now allow you to choose whether you want marketing cookies, strictly necessary cookies to make the website function so that your back button works, stuff like that. But GDPR was a step out of IT compliance from a specific industry or specific type of IT work into more general and consumer-based, I guess you could say, IT regulations. So the EU here is taking a stand of, hey, yes, businesses have a responsibility to keep data secure, keep data safe, not share things that shouldn't be shared, confidentiality-type stuff. But now they're expanding that to say, hey, you as an individual have essentially data rights. You have rights to be private. You have rights to know that your information is being tracked. And that changed the game when it came to consumer-facing IT. So what we deal with here a lot at BECA, and what a lot of other IT providers deal with, is the business-to-business side of things.

 


Blake B.
(07:49)

We're not really worried about what an end user needs or what an individual consumer needs in buying a computer. We're thinking on the enterprise level, we're thinking about individual environments and kind of siloed environments of how does this impact my client in this way? And they're thinking, how do I control things for this regulation for my industry? Now, if you are someone who provides services to the general public, think of, like, maybe, I don't know, Lenovo, or someone who does provide information or devices to the general public. Now they're having to make decisions on how they process information on those devices that they provide to the public.

 


James G.
(08:28)

Right. And that's GDPR, primarily EU or European-based. Over here in the States, mainly in California, we have the CCPA, California Consumer Protection Act, very similar to GDPR. But basically, as Blake was saying, it all comes back to you as the consumer having more rights around your data. And that's why we're starting to see, like on iOS, there's the "Ask App Not to Track" for my data across apps, and just making sure that your data stays with you so that it's not, oh, I was just looking at this new set of shoes, and now I'm seeing ads for the same shoes that I was just looking at. It helps protect against other companies, other services, kind of skimming that data and then selling it, essentially.

 


Blake B.
(09:20)

And you might think, oh, I don't care about my privacy. I'm just a guy. But that is protecting you from... that's just ensuring that your data stays with the company you have chosen to give it to. Right, right. So let's just take Facebook, for example. You decided to put something on Facebook. You decided to browse to something on Facebook. You've made the inherent decision and trust and consent to go there and to do that. Now that means that you're trusting Facebook with that data. So you've consciously, subconsciously, whatever, decided that you think Facebook has enough security controls in place to keep that data secure. Whether you're thinking about this or not, it's a decision you've technically made. Now, keeping that data secure to Facebook, the reason that's important is because, let's say Facebook has outsourced some development of some API that is controlling the algorithm of what posts you see, in what order. If that company is then allowed to get your data, you didn't make any sort of... you didn't think about that company. You didn't do any sort of thought processing on whether you want them to have that data or not.

 


Blake B.
(10:31)

Now they get compromised. Now your personal information has been compromised by that company that you didn't even know existed. So that's kind of the background of why this might be important. Yeah. You don't care if Facebook tracks you, if Google tracks you, because you put a Google Home in your house.

 


 
(10:46)

Right.

 


Blake B.
(10:47)

But if now all of a sudden someone that Google's outsourcing something to becomes compromised and they have all of your "hey, Google" commands. Right. And it's like, oh, well, maybe I didn't want them to hear that. Right, right. So that's kind of the consumer side of things and where the EU has taken it, and it's definitely coming to the US, 100%. You see it in California; it's going to make its way across everything else, especially as more of these breaches happen, like the big Equifax breach, that pretty much if you were over the age of 18 in, like, 2018 or something like that, I think it was, statistically your information was breached during that Equifax data breach. So as more things like that start to happen and more people are personally impacted by it, the changes are going to come. Now, moving back to the business side of things. The other one that you've heard of, probably, especially if you process credit cards, is PCI compliance. PCI compliance is the Payment Card Industry Data Security Standard. So it's actually PCI DSS. And the general gist of PCI compliance is that they are attempting to reduce financial fraud by placing security controls on where you hold that data, where you hold customer card data, and how you process that data.

 


Blake B.
(12:05)

So ensuring that if you're taking a credit card, you're using some sort of card processing service that's encrypted end to end. You're not writing down credit card numbers and saving them on a sticky note, that kind of stuff. You're not saving credit card numbers in just plain-text formats and Word files, stuff like that. Generally just a good idea. If you take credit cards, if you process credit cards, you absolutely need to be aware of PCI compliance. If you don't, but you have ever recorded a credit card number, you've just dropped yourself into PCI compliance. It's one of those things that if you've never taken a credit card, you've never talked to anybody about credit cards, you don't have to worry about. But as soon as you do it once, now you're under that umbrella. Yeah.

 


James G.
(12:46)

And why all these are important is, if you have a healthcare provider that is not HIPAA compliant, don't use them.

 


Blake B.
(12:54)

Right.

 


James G.
(12:54)

If you have a credit card, if a site that you're using, like if Shopify wasn't PCI compliant, don't use them. Like, if you want to be in the space, if you want to get contracts with certain vendors, if you want to offer these services, basically getting these compliance regulations is required. And that's why, again, going back to cybersecurity insurance, you're starting to see these overlaps where many of them want to make sure that the data is encrypted in transit and at rest. Oh, your data is backed up; should a worst-case event happen, you're able to restore from backup. If someone is logging in, not just internally but also externally, there's a multi-factor authentication step, a layer in between. That's why, if you want to be in the space, if you want to play in those spaces, you have to get these regulations.

 


Blake B.
(13:50)

Yeah. And some of this, if your doctor is not HIPAA compliant or the website you're going through doesn't seem PCI compliant, you would never know. It's not like you get a plaque that says "I'm HIPAA compliant" that you get to put on your front door. But it's kind of common sense or general logic, I guess you could say, kind of back to the security awareness training episode we did a while back. If the email looks too good to be true or if it seems really sketchy, like, don't click on links in it. It's kind of the same way if you go to the doctor's office and they're writing all of your information down on a piece of paper and you're like, is that super secure? You just wrote my Social Security number down. What happens to that after we're done here?

 


James G.
(14:32)

Right?

 


Blake B.
(14:32)

And if you go into the waiting room and there's this kind of paper scattered around, and if you pick it up and you're like, oh, hey, Bob Jones was here earlier, and that's his address. Like, maybe reschedule an appointment for some other time. And again, a website. If you're on a website and it looks like an HTML 2 site from 1995, maybe don't put your credit card information there, because it might not be the most up to date.

 


James G.
(14:52)

When I got my flu shot, and I'm choosing to tell you that, so it's okay. When I got my flu shot, I watched, like, okay, when I wrote all that stuff down on that piece of paper that everyone makes you fill out when you go into a healthcare provider, I watched what happened, and thankfully, they took care of it, as they should have. They didn't just leave it sitting out. But it's something I was aware of.

 


Blake B.
(15:12)

Right. So the last one we'll talk about. And this is kind of wrapping it all together from the US side of things and kind of showing that the United States is definitely starting to take this seriously from an individual compliance policy standpoint, but also from a global, like, hey, cybersecurity is a thing that we should be paying attention to now. So talking about the one we alluded to in the intro, FISMA, that's the Federal Information Security Management Act. So this actually started in 2002, so it's been around for a while. But the part that makes it interesting is the global shift to, hey, cybersecurity is a thing we should be focusing on, was the update in 2014. So the original FISMA basically just required that federal agencies treat information security as a matter of national security. So it kind of makes sense. In 2002, the Internet was really starting to become, like, ubiquitous. It wasn't just this fictional idea anymore. A lot of stuff was starting to be communicated via email. So it's like, okay, well, hey, if an email to the White House gets intercepted, maybe that's a national security matter.

 


 
(16:15)

Yeah.

 


Blake B.
(16:15)

So then in 2014, though, it was updated and reformed to increase, basically, its coverage to cybersecurity attacks and kind of forcing this down. So basically, there were new controls put into FISMA about things you have to report, when you have to report them, how soon you have to report them after an event. And basically now, if you don't comply with FISMA, it can result in the loss of federal funding and the refusal of federal contracts. So if you're doing anything with the federal government and you decide not to follow the FISMA controls, or you fail to report something in the time that FISMA tells you you have to, you can now be terminated from that federal contract and lose any federal funding you might have had. So this is kind of that shift into, hey, wait, cybersecurity is a real thing, and we're going to put some consequences behind not doing the things you should be doing to ensure the data that you hold is kept secure. And if you happen to have a breach, that's fine. You just got to tell us and we'll work through it. So that's compliance in a nutshell, one of our longer episodes, because that was only, like, four of the millions of different compliances out there.

 


James G.
(17:28)

It's a big deal.

 


Blake B.
(17:30)

It's one of those things that it's not required right now, but it might be for your industry, your healthcare, if you're a federal contractor. Right. But for the general companies out there that aren't in one of those regulated industries, it's not something that's strictly required. But if you were to start focusing on some of the more general compliance... things like CMMC are very unique to government contractors. HIPAA is very unique to the healthcare industry. But like NIST, the NIST controls and cybersecurity framework, there's nothing compliance related about NIST. It's not a compliance.

 


James G.
(18:06)

It's not a regulation framework.

 


Blake B.
(18:08)

But yeah, it's a framework of general best practices based on a committee, I guess you could say, of experts saying, hey, we think this is the best way to go about something for IT and cybersecurity. So you can bet that that's going to be heavily referenced when general regulation comes down on either all business or the IT industries as a whole. So if you can start, kind of, maybe adjust some of your business practices to fall in line with that cybersecurity framework, you're going to be in a significantly better place when it becomes a regulation, when it becomes something that you do need to comply with to either get this funding or apply for this contract, or be a company like BECA is; if we want to remain an IT provider, they might tell us we have to have this level of compliance or this level of controls. So if you can start focusing on some of those NIST framework items now, and that's something that the client success team here at BECA does, we do go to our clients and say, hey, guys, maybe we should adjust our password policy to this, because that's the NIST framework, and kind of guide our clients in the direction of these things so that if it does eventually become a requirement... and CMMC is a great example of this.

 


Blake B.
(19:21)

CMMC didn't exist three years ago, and we were helping our clients, especially those on the government contract side of things, really focus down on a lot of these NIST controls. And the ones that did, the ones that kind of took on some of those projects to change, when CMMC rolled out in DFARS, which is like CMMC-lite before CMMC is ready to go (again, this is a whole world), they were in a much better place. The number of things they needed to do to maintain their contracts was significantly less than those who said, okay, well, it's a great idea. We'll talk about it, we'll think about it, and then never moved forward with any of it. When it came down and said, you're doing this or you lose the contract, they were in a much harder position and had to expend a lot more effort and a lot more money, honestly, to become compliant, as opposed to the ones who had kind of started implementing more controls over time. So it's not a requirement right now unless you're in one of these controlled industries, but not a bad thing to start focusing on and start looking into.

 


Blake B.
(20:21)

How can you really make sure that you're in a good place if and when it does happen? Yeah.

 


James G.
(20:26)

And if you're a new company that's starting out, look at the regulations that are required in your industry and just start with those as your foundation, because that way you're just building on top of it. It's really hard to get going and then come back to your foundation. Like, it's hard to start building a house and then go back and look at the foundation. Just do it right out the gate. And that way, when it does happen, when you do have to show, yes, I am compliant with XYZ, then it's like, okay, cool. That's all we need to know.

 


Blake B.
(20:55)

Thanks. Yes, we're actually seeing that. A couple of us were talking about how nice it would be to start a new IT company right now. BECA has been around since 1975, and obviously in 1975 we weren't working on software as a service or hyper-converged infrastructure, like that; that didn't exist. We were doing typewriters, but we push technology. We're always on the cutting edge of technology and what we're doing, but when we start doing this, like, cloud app security stuff, we're just haunted by gremlins of on-premises past. And it's just the idea that some of these companies that have started up in the last two years, they're born in the cloud and they're just there and they're functioning and they could start fresh. We are 100% compliant with all the stuff that we have to be, of course, and things that we aren't required to be, but we had to put a lot of effort in just because we started from nothing back in the late 70s. So thank you for listening to this extended episode of Brain Bytes.

 


James G.
(21:54)

Bye.

 


Blake B.
(21:55)

We will see you next week, probably with no acronyms. We might take a week off acronyms.

 


James G.
(21:59)

Thanks.

 


Blake B.
(22:00)

Everybody.

 


James G.
(22:00)

See you. Bye.