Copyright Goodheart-Willcox Co., Inc. Chapter 2 Information Security Fundamentals 63

of health-care fraud and HIPAA identity-theft crimes and sentenced to 12 years in federal prison.

HIPAA is managed by the Department of Health and Human Services (HHS). It provides two key rules that are important to consumers: the Privacy Rule and the Security Rule. There are other rules and regulations with HIPAA as well.

The Privacy Rule establishes a set of national standards for the protection of all “individually identifiable health information.” This information is also known as protected health information (PHI). PHI could be in the form of electronic data, paper records, or even spoken conversation. Not complying with the Privacy Rule could result in civil fines. For “willful actions,” criminal charges could be filed. Most medical practices use some form of digital or electronic platform for health records. A record in this form is called an electronic health record (EHR).

The Security Rule establishes a set of national standards to protect personal health information in electronic form. These standards help organizations understand the safeguards they must undertake to ensure the confidentiality, integrity, and security of information. Safeguards may be physical, administrative, or technical in nature. Failure to maintain the standards set by the Security Rule could be costly. Consider the case against an Indiana Walgreens pharmacy. A pharmacist accessed a customer’s prescription history and shared it with others. The information was used to harass and intimidate the customer. A jury awarded a verdict of $1.44 million to the customer for the violations of the standard of care required by HIPAA compliance.

FYI: When you go to a doctor or hospital, you or your parents may be asked to sign a form that states you received a notice of the provider’s privacy practices. This is related to the HIPAA Privacy Rule.

Figure 2-21. Anyone who handles health-care information, such as a doctor’s office, must follow the rules outlined in HIPAA. (Monkey Business Images/Shutterstock.com)

Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations from credit card vendors that apply to businesses using their services. This is an industry standard, not a law. A council was founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa. The PCI council developed 12 different requirements that businesses that process credit card payments must follow to protect credit card and user information. The 12 standards are based on the six goals shown in Figure 2-22.

Credit card data has long been sought by criminals. There have been many examples of stolen credit card data. Companies such as J.C. Penney, Home Depot, Target, Dairy Queen, and Jimmy John’s have seen breaches, and the list goes on. In 2016, Business Insider revealed that more money is stolen through credit card fraud in the United States than in the rest of the world. Most stolen credit card numbers are sold on the dark web to other criminals. These criminals then create phony cards from the numbers and sell them. It is a lucrative market. Any organization that processes credit cards must do its part in protecting the data. The PCI DSS provides the tools to understand what must be done. It provides the framework to implement data protection.

The key aspect of the PCI DSS is that it applies to any organization, regardless of the size or number of transactions. If it accepts, transmits, or stores any cardholder data, PCI DSS applies. For example, suppose you sell crafts and use a tool such as Square on your iPhone or Android device to process the credit card transaction, as shown in Figure 2-23. You must comply with the mandates in the PCI DSS. The PCI DSS has four levels of compliance based on a merchant level. The merchant level is determined by the number of transactions per year. Your small business selling crafts would likely be level 4. However, a company that processes