(1)
Using the out-of-the-box settings for the firewall runs counter to requirement 2. To comply with the "do not use vendor-supplied defaults for system passwords and other security parameters" requirement, custom passwords and settings must be used. Installing a firewall is covered by requirement 1, while applying patches and updates is covered by requirement 6.
(2)
The threat landscape is constantly changing, so it is important to maintain and evolve security awareness across the organization. Maintaining training programs is important, but these must also evolve to account for the changing threat landscape. "Imposing strict access controls" is not defined well enough to be applicable here. Access control should be appropriate; controls that are too strict might limit the accountability and transparency that SOX requires. Third-party software that is PCI DSS-compliant must still be hosted on a system that is itself compliant.
(3)
Masking, encrypting, and truncating cardholder data are techniques that can limit the exposure of cardholder data. Before these techniques are considered, the requirement to store the data at all should be evaluated. If the cardholder data does not need to be stored, the risk from stored data is removed entirely. Storing only the data that is required is therefore the best method for preventing the exposure of cardholder data.
(3)
HIPAA specifies that a full name, or a surname and initial, counts as identifiable information. "Mr. Doe", while differentiating this individual from Miss or Mrs. Doe, contains no reference to a first name or initial, and therefore is not judged to be identifiable according to HIPAA.
(1)
Audit controls that record and evaluate access to systems are listed in all three frameworks (PCI DSS Requirement 10, HIPAA Technical Safeguard 2, and SOX Audit Guidance Note 3). Encryption is mentioned in PCI DSS, which specifically notes that encryption alone does not take a system out of scope for PCI DSS. Data expiration is not mentioned in any of the standards. Backups are a requirement of SOX, but are not specifically listed in either PCI DSS or HIPAA, except to extend the scope of the framework to backups as well as live systems.
(3)
SOX may still apply if the company has registered debt securities with the US Securities and Exchange Commission. Public US ownership is only one of the criteria that puts a company in scope for SOX, so it is not clear that SOX does not apply at this time. Operating in the US is not a criterion for SOX; SOX is about ownership and the issuing of securities.
(1)
Both systems are in scope for HIPAA because they store identifiable health data. The app is able to share health data with providers and specifically link this data to the individual customer. Regardless of whether or not the phone number is supplied, this ability falls under the identifier "any other unique identifying number, characteristic, or code". Terms and conditions of service do not exempt systems or companies from regulation and compliance frameworks.
(4)
The system must be regularly monitored, as this is a specific requirement of PCI DSS (requirement 11). PCI DSS requirements, as well as the threat landscape, evolve over time, and compliance is only valid for the specific snapshot in time at which it was assessed. It is good practice to regularly monitor the system; continuous monitoring may be beyond the means of many companies.
(4)
The company could comply with the "Restrict physical access" requirement under PCI DSS by moving all the devices in the open-plan environment to a different network segment from the CDE and ensuring that no data is shared between the two. If these devices were in a different network segment, and no data was shared between these devices and the CDE, the devices would be out of scope. This site office may well only include business development people or coders working on representative (non-real) data; it is unclear whether the office would actually handle cardholder data or e-PHI.
Locking away a server does not by itself ensure compliance with workstation and device security safeguards, as there may be other devices that are not locked away (for example, user workstations) that still have access to the data (for example, over the network).
(2)
The company still needs to comply with HIPAA because it processes payments in relation to the provision of healthcare to individuals; payment for the provision of healthcare is specifically included in the definition of PHI. The fact that payments are processed means that the company is not just relaying information to its customers. The company is connected to some covered entities (pharmacies), but this is only relevant if the covered entity is providing information to the company, and not the other way around.
Historical data would still need to be stored in compliance with HIPAA, but this is not the only area in which the company would need to be compliant.