Copyright Goodheart-Willcox Co., Inc. 486 Networking Fundamentals

A standard contains rules such as no wireless devices can be used in the company for processing customer information and the network must be scanned periodically to identify any rogue access point. As discussed earlier in this chapter, a rogue access point is one that has been installed without company authorization. For example, a credit manager installs a WAP so that he or she can use his or her own laptop from any location in the store to access user-account information. The WAP installed by the credit manager would be considered a rogue access point.

Another key requirement for data security compliance is the creation and enforcement of an incident response plan. An incident response plan contains step-by-step instructions to be followed immediately after a security incident has occurred. For example, on discovery of unauthorized access to the network, all network servers containing customer data will be shut down until the breach has been secured. The network will not be considered secure until notification has been distributed by the network security chief.

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) is a set of standards designed to protect health records. All health-care organizations are required to protect patient-related records. This applies to all health-care organizations and insurance companies. HIPAA has three broad areas of compliance requirements: administrative safeguards, physical safeguards, and technical safeguards.

Administrative safeguards require that policies and procedures be designed, maintained, and implemented to ensure confidentiality of patient records. An administrative safeguard must also include an employee training component.

Physical safeguards require that all patient information must be physically secured. For example, patient information must be kept in a safe, secure area, and only authorized personnel can access the data, and only on a need-to-know basis. The information must be secured from access when no one is present.

Technical safeguards include mandates such as all exchange of patient data must be encrypted when transferred over public networks. There is an exception at the time of this writing concerning encryption: e-mail to and from a patient is not required to be encrypted unless requested by the patient. All access to the network must be authenticated. This means that, at a minimum, usernames and passwords are required for all users on an individual basis. Also, access from other health entities, such as insurance companies or other health professionals, must have their identities verified. Another aspect of technical safeguards is the establishment of policies and procedures to ensure the security of patient records.

Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a set of credit card security standards designed to protect credit card information. This is not a law but rather a voluntary set of security standards. PCI DSS typically requires all data to be encrypted when transferred, a firewall to be installed and maintained, and a written policy and procedure manual to be used as a guide for personnel dealing with customer data security. Failure to comply with this standard could result in fines and a possible suspension of the ability to accept credit cards for any transactions.
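As an added illustration of the periodic rogue access point scan called for in the sample standard at the top of this page (example code written for this edit, not from the textbook), the check below compares a constructed wireless survey against a constructed inventory of authorized WAPs; the BSSIDs, SSIDs and the ObservedAP and find_rogue_aps names are assumptions. It goes slightly beyond the text by also flagging an unknown radio that advertises a company SSID as a higher-priority finding.

```python
"""Periodic rogue access point check: compare the WAPs observed in a wireless
survey against the company's inventory of authorized access points."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    bssid: str    # radio MAC address seen in the survey
    ssid: str     # network name the radio advertises
    channel: int


# Constructed inventory of company-authorized access points (hypothetical values):
# BSSID -> SSID it is configured to broadcast.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "STORE-CORP",
    "00:11:22:33:44:02": "STORE-CORP",
    "00:11:22:33:44:03": "STORE-GUEST",
}

# Constructed survey result, as a periodic scan of the store might return it.
SAMPLE_SCAN = [
    ObservedAP("00:11:22:33:44:01", "STORE-CORP", 6),
    ObservedAP("00:11:22:33:44:03", "STORE-GUEST", 11),
    ObservedAP("AA:BB:CC:DD:EE:FF", "CREDIT-DESK", 1),   # credit manager's own WAP
    ObservedAP("AA:BB:CC:DD:EE:01", "STORE-CORP", 6),    # unknown radio using a company SSID
]


def find_rogue_aps(scan, authorized=AUTHORIZED_APS):
    """Return (bssid, ssid, kind) findings for every observed AP that does not
    match the inventory.

    kind is one of:
      "unknown_bssid" - a radio nobody authorized (the rogue AP of the text);
      "ssid_spoof"    - an unauthorized radio advertising a company SSID, which
                        deserves priority because staff devices may join it;
      "ssid_mismatch" - an authorized radio broadcasting a name it should not.
    """
    inventory = {bssid.lower(): ssid for bssid, ssid in authorized.items()}
    company_ssids = set(inventory.values())
    findings = []
    for ap in scan:
        bssid = ap.bssid.lower()
        if bssid in inventory:
            if inventory[bssid] != ap.ssid:
                findings.append((bssid, ap.ssid, "ssid_mismatch"))
            continue
        kind = "ssid_spoof" if ap.ssid in company_ssids else "unknown_bssid"
        findings.append((bssid, ap.ssid, kind))
    return findings


if __name__ == "__main__":
    for bssid, ssid, kind in find_rogue_aps(SAMPLE_SCAN):
        print(f"{kind:14} {bssid}  ssid={ssid}")
```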