There’s a lot of movement right now in terms of work at home, how to provision for it quickly in a cost effective way. With this comes inevitable issues around security and, specifically, compliance standards. In this post we wanted to talk a bit about the 3 compliance standards that we see appear the most often in our experience working in the endpoint computing space, what the requirements are for meeting the standards at the endpoint level. At the end of this post we will also tell you how ThinKiosk and Secure Remote Worker meet these requirements, fulfilling a major part of overall environmental compliance.
Reasons for compliance
Compliance standards, data protection & regulation, etc. were put in place to protect personal and financial data. Primarily to prevent targeted data collection and dissemination without consent, and to stop digital theft & misuse of private, identifying data. Organizations meeting these compliance standards has become a large focus for customers, a Cisco survey in 2019, shows that 48% of customers had already changed providers specifically due to their data collection policies, showing users are aware of, and prioritizing these compliances. However, it is not just a preference for customers, there is also a legal requirement for companies to maintain security and compliance standards: currently, 107 countries around the world have legislation in place to protect user data. Data protection compliance is not just a nice to have but a necessity for companies and (especially in the case of the EU) state bodies to operate using user data.
PCI DSS, HIPAA and GDPR
When it comes to data protection compliance, especially in IT, you likely follow or at least know of the following compliance standards:
- Payment Card Industry Data Security Standard – PCI DSS, which is the main compliance standard for credit card and payment information – Any company that processes or collects payment information is considered a merchant or service provider, and is required to be compliant in PCI DSS. Customer service, enterprise etc.
- Health Insurance Portability and Accountability Act – HIPAA, which covers the usage of confidential patient information in healthcare industries – This includes health records, patient payment information, demographic data, or simply any identifiable information on the patients themselves, as a result, applies to healthcare providers, insurance providers, and hospitals.
- General Data Protection Regulation – GDPR, which covers the collection and dissemination of data from anyone in the EU – This covers the collection and usage of any information that relates to an individual who can be directly or indirectly identified that has not been consented to. This applies to both private and public entities dealing with personal information from any EU citizen.
Outside of these, there are other data protection compliances that may apply to you, often these are regulations that apply based on geography or “jurisdiction”, here you can find some information on the different compliance standards split by location.
In this blog, we will be focusing on the first 3 compliance standards mentioned earlier in this paragraph.
Something to realize is that compliance standards like above look at multiple parts of an environment. In order to be completely covered, companies often will need to take a multifaceted approach to meeting compliances, if you are new to this it may be useful to hire a compliance specialist who can help you get up and running with things like PCI, HIPAA or GDPR.
With all that, is the point of this blog just to tell me about compliance? Yes, partly. However, as ThinScale operates in the endpoint computing space, we have a lot of experience helping customers achieve compliance standards in PCI, HIPAA, and GDPR where they are relevant to the endpoint.
If you want to learn more about endpoint security & compliance check out our main Security & Compliance page where you can get an overview of everything you need to know to start out:
What are the compliance requirements for endpoints?
So what is required to maintain these compliance with PCI DSS, HIPAA and GDPR, and how can you ensure that you are meeting these requirements?
We’ve put together a handy table for each compliance standard below:
|Secure Network and Systems (i)||Maintain a firewall preventing unauthorized access to protect cardholder data.|
|Secure Network and Systems (ii)||Configure system credentials, change from system defaults.|
|Protect Cardholder data (i)||Protect card data when stored securely. Data should rarely be stored, encryption and cryptographic keys should be considered.|
|Protect Cardholder data (ii)||Encryption of data transmission across open networks.|
|Vulnerability Management (i)||System malware protection & regularly updated antivirus software.|
|Vulnerability Management (ii)||Maintain system and application security by ensuring updates within a month of release.|
|Strong access control measures (i)||Systems put in place to limit access to critical data, systems should deny all access by default.|
|Strong access control measures (ii)||User identification management, using unique IDs along with controlled user authentication (passwords, biometrics and smartcards. MFA should be used in any remote access scenario.|
|Strong access control measures (iii)||Restrict physical access to user/cardholder data by ensuring non-authorized personnel have no access to server rooms/data centers. Along with media removal restrictions and destruction measures in place. Protection on devices that capture this data also|
|Monitor & test networks (i)||Ability to perform system-wide audits, including user action logging. These logs should be maintained for one year and a minimum of 3 month’s logs immediately available for analysis.|
|Monitor & test networks (ii)||Regular security and process testing, carried out by qualified personnel on a quarterly basis.|
|Maintain IS policy||Policy to address information security for all personnel, including: Risk assessment process, usage policies, security responsibilities for personnel, and an incident response plan.|
|Audit Controls||Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.|
|Integrity||Policies and procedures to protect Electronic Protected Health Information (EPHI) from being altered.|
|Authenticated access to EPHI||Implement mechanisms to corroborate that EPHI data has not been altered without authorization.|
|User/entity authentication||Procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.|
|Transmission security||Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.|
|Workstation Use||Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.|
|Device and Media Controls||Maintain a record of the movements of hardware and electronic media and any person responsible therefore.|
|Evaluation||Perform a periodic technical and nontechnical evaluation based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information.|
|Security of Processing||Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.|
|Notification of a personal data breach to the supervisory authority||In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent.|
|Appropriate technical and organisational measures||The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.|
|Security of processing||In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.|
To repeat what was mentioned earlier, these requirements are specific to endpoints. To be fully compliant the above requirements need to be met alongside other checks throughout your environment as part of a larger-scaled compliance audit. The above tables should be seen as guidelines but should not be seen as a way of achieving 100% compliance.
“complete compliance is a combination of multiple elements of people, process and technology.”
– Joel Dublin, senior consultant & Nick Trenc, Director. Coalfire Systems, Inc.
What can happen if you are non-compliant?
That’s good to know, you might be saying, but what can happen if I miss one of those points?
This is why it is important to be thorough when you are making your environment compliant with any of the above. As breaches caused by non-compliance can be very costly:
PCI DSS – Payments brands can fine financial institutions for non-compliance and financial institutions can withdraw the ability to accept card payments from non-compliant merchants. (one can also risk breaching GDPR as payment data can also be considered personal data, more on that below).
If you suffer a data breach you could face fines of up to €20 million or 4% of your annual global turnover – whichever of these is greater.
HIPAA – HIPAA’s punishment severity varies and is tiered based on whether the offense was due to neglect, knowingly ignored or if it was an oversight that, despite due diligence, was simply missed.
With HIPAA a single incident might result in multiple violations.
- HIPAA violations range from fines of $100 per violation (with an annual maximum of $25,000 for repeat violations) to fines of $50,000 per violation (with an annual maximum of $1.5 million).
- Further, there can be criminal penalties that range from fines of $50,000 and one year’s imprisonment to fines of $250,000 and ten years’ imprisonment.
GDPR – The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
The most serious infringements go against the very principles of the right to privacy and the consumer’s right to be forgotten at the heart of the GDPR. These types of infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
ThinKiosk and Secure Remote Worker
“Ok, that is scary, and now I want to make sure I meet compliance standards”. How can you meet compliance standards at the endpoint though? Our products ThinKiosk and Secure Remote Worker are designed to help you meet these endpoint compliances on corporate and personal devices respectively.
- ThinKiosk is a complete conversion suite that turns corporate windows desktops and laptops into hardened, software-defined thin clients, creating dedicated work machines for both on and off-prem, for static or mobile users.
- Secure Remote Worker is a BYOD/remote working solution that installs as an application on personal Windows devices. It is designed to provide a similar hardened workspace solution to ThinKiosk while allowing the end-user to close the secured workspace after their work and return to their private, personal device, providing security and compliance while maintaining user freedom.
Inside ThinKiosk or Secure Remote Worker’s UI, user accessibility and freedom are limited, IT management has full control over their entire endpoint environment and can easily run reports and audits on their user’s hardware & actions.
Together with Coalfire, a cyber risk management, compliance, and risk assessment service, we assessed the compliance levels of ThinKiosk and Secure Remote Worker for PCI DSS, HIPAA, and GDPR. These individual tests can be found linked below:
PCI DSS – “ThinKiosk & Secure Remote Worker, when properly implemented following guidance from ThinScale, can be utilized to meet the technical portions of several PCI DSS requirements for a merchant/service provider.”
HIPAA – “ThinKiosk or Secure Remote Worker, when properly implemented following guidance from ThinScale Technology, can be utilized by Covered Entities and Business Associates to meet all of the Physical and Technical Safeguards within the HIPAA Security Rule.”
GDPR – “ThinKiosk or Secure Remote Worker, when properly implemented following guidance from ThinScale, can contribute to comprehensive security and privacy program to meet the requirements of the GDPR for protecting personal data.”
For each of these compliance standards, ThinKiosk and Secure Remote Worker were both found to completely meet the vital requirements when it comes to compliance standards on the endpoint, and when rolled out alongside a thorough compliance plan, will help companies meet the requirements for complete compliance with the 3 standards above.
Though I am singing ThinKiosk and Secure Remote Worker’s praises at the endpoint level, I do want to stress again that full compliance with any of the above will not be met just by installing software. That said, ThinScale’s solutions, when used as part of an overall plan involving people, content and strategy, can certainly help you meet the endpoint requirements and can help with easing the process in achieving compliance throughout your environment: “It should be seen as a configuration management and hardening mechanism a Controller or Processor can use to support compliance in an often complex use case.” – Joel Dublin, senior consultant & Nick Trenc, Director. Coalfire Systems, Inc.
Don’t forget to check out our main Security & Compliance page, where you can get an overview on everything you need to know regarding endpoint security: