HIPAA - SSAE-16 - PCI

HIPAA FAQ

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides federal protections for personal health information and specifies administrative, physical and technical safeguards to assure the confidentiality, integrity and availability of electronic protected health information.

What does it mean for a service provider to be HIPAA Compliant?

A "Covered Entity" is an individual, organization or agency that must comply with the requirements to protect the privacy and security of health information and that falls into one of the following three categories:

A Health Care Provider
 - Health care providers include doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies. A health care provider is a covered entity if it transmits any information in electronic form in connection with a transaction for which the U.S. Department of Health and Human Services (HHS) has adopted a standard.

A Health Plan
 - Health plans include health insurance companies, HMOs, company health plans, and government programs that pay for health care (such as Medicare, Medicaid, and the military and veterans health care programs).

A Health Care Clearinghouse
 - Health care clearinghouses are entities that process nonstandard health information they receive from another entity into a standard format (i.e., standard electronic format or data content), or vice versa.

A PDF decision tool is available to determine whether an individual, company or organization is a covered entity under the Administrative Simplification provisions of HIPAA.

What are the HIPAA Compliance responsibilities for companies located in a data center?

Any company located within a data center that qualifies as a covered entity must adhere to the privacy rules as set forth in the HIPAA Privacy Rule.

What does it mean for a data center colocation provider to be HIPAA Compliant?

In the broad definition of a health care clearinghouse, a data center facility could be interpreted to "facilitate the processing of" health information by providing the infrastructure to do so. This may include backup storage devices, connectivity to network providers or virtual servers. However, as per Think Smart Data Center's SSAE 16 control standards, user organizations (customers that use Think Smart's services) are responsible for:

1. Informing Think Smart of any regulatory issues that may affect the services provided by Think Smart.
2. Ensuring that adequate mechanisms are in place to monitor and protect the content of any information passing through their network.
3. Implementing their own access control systems on their infrastructure.

Think Smart does not maintain or have logical access to user organization software or data. The customer is responsible for meeting the requirements of HIPAA compliance. Think Smart itself, under the data center's SSAE 16 controls, is already HIPAA compliant for the storage and processing of data using its managed services and data center infrastructure. Think Smart's HIPAA Business Associate Agreement is linked from this page.

SSAE 16 FAQ

Think Smart’s Data Center completes an SSAE 16 SOC1 Type II audit annually. This SSAE 16 audit supersedes the prior SAS 70 Type 2 audit.

Think Smart Inc. understands the importance of ensuring the utmost transparency in internal controls and procedures. We want our customers to know they can trust Think Smart to provide data center services that meet the strictest control standards and industry best practices.

What is SSAE 16?

Effective for audit periods ending June 15, 2011 or thereafter, the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a new standard created by the American Institute of Certified Public Accountants (AICPA). The replacement of SAS 70 with SSAE 16 represents the first significant modification to the AICPA standards for reporting on controls at a service organization since SAS 70 was issued in 1992. As organizations became increasingly concerned about risks beyond financial reporting, SAS 70 was often misused as a means to obtain assurance regarding compliance and operations. SSAE 16 and its international counterpart, ISAE 3402, were drafted to correct these misuses.

How are SSAE 16 and SAS 70 different?

The SSAE 16 SOC 1 report and the SAS 70 Type 1 report are similarly focused in content, but the SSAE 16 SOC 1 report includes an assertion by management for the system description and related control objectives.

What are the Service Organization Control (SOC) reports?

SOC1 is a report on financial controls. It details risks and internal controls relevant to the financial reporting of the user organization.

SOC2 is a report on the Trust Services criteria related to security, availability, confidentiality, processing integrity and privacy. This report details internal control measures for a defined set of criteria relevant to IT service providers such as colocation, cloud computing and hosting providers.

SOC3 is a report on the same criteria as specified in SOC2, but the report is intended for general distribution. This report provides a description of the company's internal control system and the "Independent Practitioner's Trust Services Report." A SOC 3 seal, which may be linked to the company's website, is issued after the successful completion of the SOC 3 examination.

Describe SSAE 16 Type 1 and Type 2 reports

The SSAE 16 Type 1 report documents the auditors' opinion regarding the accuracy, completeness and suitability of the design of internal controls as of a set date. The SSAE 16 Type 2 report audits the operation of the controls described in the Type 1 report over a set period of time, typically 6 months to a year, and requires sample testing of each control for operating effectiveness during the specified period.

Is Think Smart’s Data Center SSAE 16 compliant?

Think Smart's Data Center completes an SSAE 16 SOC1 Type II audit annually. In accordance with AICPA guidance, there is no such designation as "SSAE 16 Compliant".


PCI COMPLIANCE FAQ

Think Smart's Data Center is a PCI Compliant data center. Think Smart stores no client credit or personal information inside the data center.

What is the difference between PCI Compliance, PCI DSS and the PCI Data Security Standard?

PCI DSS is an abbreviation for PCI Data Security Standard, the worldwide information security standard set by the Payment Card Industry Security Standards Council to help control and minimize points of risk for fraud or compromise of sensitive information. PCI Compliance is the adherence of the way your business handles information to the PCI DSS standard.

What does it mean for a service provider or merchant to be PCI Compliant?

The PCI DSS is organized into a set of principles and requirements. To be PCI Compliant means to restrict your information handling procedures to the PCI DSS requirements, and to have an attestation of compliance.

These principles and requirements are found on the About the PCI Data Security Standard (PCI DSS) page on the PCI Security Standards Council website.

The PCI Security Standards Council, LLC has provided a PCI DSS New Self-Assessment Questionnaire (SAQ) Summary v1.2 to determine which SAQ is appropriate for your company.

What are the PCI Compliance responsibilities for merchants and companies located in a data center?

Build and Maintain a Secure Network
 - Install and maintain a firewall configuration to protect cardholder data
 - Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
 - Protect stored cardholder data
 - Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
 - Use and regularly update anti-virus software or programs
 - Develop and maintain secure systems and applications

Implement Strong Access Control Measures
 - Restrict access to cardholder data by business need-to-know
 - Assign a unique ID to each person with computer access
 - Restrict physical access to cardholder data

Regularly Monitor and Test Networks
 - Track and monitor all access to network resources and cardholder data
 - Regularly test security systems and processes

Maintain an Information Security Policy
 - Maintain a policy that addresses information security for employees and contractors

Additional PCI DSS Requirements for Shared Hosting Providers
 - Shared hosting providers must protect the cardholder data environment

What does it mean for a data center colocation provider to be PCI Compliant?

A data center provides the facility for companies and merchants to conduct their business. In that capacity, the data center provider has specific responsibilities that have to be PCI Compliant. A merchant or company located within a PCI Compliant data center is not thereby PCI Compliant itself; each merchant or company claiming PCI Compliance must have, and be able to provide, its own attestation of compliance.

Data centers are only required to fill out the portions of the SAQ self-assessment that apply, and to provide a “Not Applicable” or “Compensating Control Used” explanation in the Appendix of the SAQ.

In addition, as per SAQ Validation Type 5 (SAQ D, v1.2):

“The questions for Requirements 9.1-9.4 only need to be answered for facilities with “sensitive areas” as defined here. “Sensitive areas” refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes the area where only point of sale terminals are present, such as the cashier areas in a retail store.”

The following questions are the specific listed Requirements 9.1-9.4 for data centers:
9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?
9.1.1(a) Do video cameras or other access-control mechanisms monitor individual physical access to sensitive areas?
9.1.1(b) Is data collected from video cameras reviewed and correlated with other entries?
9.1.1(c) Is data from video cameras stored for at least three months, unless otherwise restricted by law?
9.1.2 Is physical access to publicly accessible network jacks restricted?
9.1.3 Is physical access to wireless access points, gateways, and handheld devices restricted?
9.2 Are procedures in place to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible?
9.3 Are all visitors handled as follows:
9.3.1 Authorized before entering areas where cardholder data is processed or maintained?
9.3.2 Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees?
9.3.3 Asked to surrender the physical token before leaving the facility or at the date of expiration?
9.4(a) Is a visitor log in use to maintain a physical audit trail of visitor activity?
9.4(b) Are the visitor’s name, the firm represented, and the employee authorizing physical access documented on the log?
9.4(c) Is the visitor log retained for a minimum of three months, unless otherwise restricted by law?