2018 was the year of security and compliance at NextRequest. We have spent extraordinary amounts of time, resources, and brainpower to put security best practices and measures in place, and we’re really making some strides! Today we announce that we now map to CJIS and HIPAA Security Rule controls, and there’s more on the way!
It seems as though new compliance acronyms pop up overnight. We wanted to share what the various compliance terms mean, whom each applies to, and most importantly, in what ways our FOIA software is in compliance.
NOTE: This blog post is for informational purposes only and should not be taken as legal advice. You should contact an attorney or compliance professional to obtain advice with respect to your organization’s particular issues.
The Service Organization Control (SOC) reporting platform was developed by the American Institute of Certified Public Accountants (AICPA) to help organizations manage the complex and often diverse security issues around their data as well as to provide a framework for service providers to measure against.
SOC 2 defines criteria for managing customer data based on five “trust service principles”: security, availability, processing integrity, confidentiality, and privacy.
Software vendors: No software vendor is required to be SOC 2 compliant; it’s a purely voluntary process. A vendor that is SOC 2 compliant is showing how invested it is in the security of its customers’ data. Regular third-party audits ensure the requirements of each of the five trust principles are met and hold the vendor accountable for maintaining immaculate security standards.
Buyers of software: For any organization that will be collecting, storing, and passing personal information through a piece of software, SOC 2 compliance should be a minimum requirement when considering a SaaS provider.
SOC 2 allows SaaS vendors to assure customers that their information is secure and will be available whenever needed. Working with a software vendor that has received its SOC 2 Report helps ensure that an agency has satisfactorily conducted due diligence and taken the steps necessary to meet compliance requirements that are internally and externally mandated by a government agency.
In order to pass the SOC 2 Type 1 audit, we upgraded our infrastructure and data control policies to ensure that we adhere to AICPA’s SOC 2 guidelines for security, system availability, processing integrity, data confidentiality, and privacy. The audit required a written description of our security procedures, including protocols for storing, encrypting, sharing, and protecting sensitive customer data. To pass the audit we also needed to commit to regular security checks on our infrastructure, have recovery plans in place in the event of a server crash, and verify that our systems are protected from unauthorized access.
The Criminal Justice Information Services Division (CJIS) refers to a division of the U.S. Federal Bureau of Investigation (FBI). Established in 1992, the division is currently the largest division of the FBI. CJIS’s mission is to reduce criminal and terrorist activities by providing crucial and timely information to the FBI and qualified law enforcement and criminal justice agencies.
In order to preserve the integrity of data, CJIS has advanced a variety of policies for wireless networking, data encryption, remote access and authentication. Some of their rules include:
The CJIS Security Policy applies to all organizations and individuals that access CJI (criminal justice information) or support criminal justice services.
Every day, law enforcement agencies across the U.S. access CJIS databases to gain information that can help them identify lawbreakers or potential national threats, perform background checks, and track criminal activity. CJIS compliance is necessary to keep networks aligned on matters of data security and encryption. It is also necessary to ensure that sensitive intelligence data doesn’t fall into the wrong hands.
NextRequest maps to CJIS security controls. Additionally, we have undertaken an independent third-party audit of our security and privacy practices.
That said, the FBI’s CJIS Division does not evaluate products or services for compliance itself, nor does it issue any document asserting a vendor or product meets particular requirements. An email from Stephen Exley, information security analyst within the CJIS Information Security Officer Program, testifies to that fact: “Please be aware there is no CJIS certification process with regard to the CJIS Security Policy. The only certifications related to CJIS that I know of are in regard to facial recognition and fingerprint capture standards. Those do not have any relation to the CJIS Security Policy. … We do not certify, nor endorse any product, solution, or vendor.”
The sole certification activity conducted in connection with the CJIS Security Policy is self-certification — more properly called self-attestation. In that process, an agency carefully documents how it has complied with each requirement in the CJIS Security Policy. It then provides that documentation to the FBI’s CJIS Division, outlining the results of that audit. Compliance is an activity that an organization attests to, through policies, practices, hardware and software implementation, combined with personnel training and accountability, to prove they have achieved compliance with a specific mandate or regulation.
Is your Vendor CJIS-Certified? - https://www.nccpsafety.org/assets/files/library/Is_Your_Vendor_CJIS-Certified.pdf
HIPAA, or the Health Insurance Portability and Accountability Act of 1996, covers both individuals and organizations. Those who must comply with HIPAA are often called HIPAA-covered entities.
HIPAA-covered entities include health plans, clearinghouses, and certain health care providers as follows:
For HIPAA purposes, health plans include:
A local government may operate a self-funded health plan that qualifies as a HIPAA covered entity. The government may contract with a third-party administrator to manage the plan, but the plan itself may be a component of the local government. If so, the local government would be the covered entity.
Many local governments, especially counties, are HIPAA covered entities because they offer services or have staff that (1) meet the definition of “health care provider” under HIPAA and (2) transmit health information in electronic form in connection with a HIPAA-covered transaction.
For example, a county may operate a clinic in the health department that meets the definition of health care provider. Or a municipality may offer emergency medical services that meet the definition. The definition of health care is expansive and therefore it may be possible that unexpected components of the local government are also providers. For example, a department of social services may employ a nurse-social worker to counsel foster children.
If a covered entity, like a local government, has a mix of functions – some that are required to be covered and some that are not – the HIPAA regulations allow the entity to designate itself a “hybrid entity” thereby limiting its compliance responsibilities to only certain parts of the entity. By definition, a hybrid entity is simply a single legal entity that has both covered and non-covered components and designates itself a hybrid entity by identifying covered health care components.
In order to become a hybrid, the entity – such as the city or the county – must draw invisible lines throughout its organization identifying who will be required to comply and who will not.
HIPAA streamlines administrative healthcare functions, improves efficiency in the healthcare industry, and ensures protected health information is shared securely.
NextRequest maps our security controls to HIPAA’s Security Rule.
There are a number of other rules within HIPAA (e.g., the Privacy Rule) that cover the business practices of covered entities. If a covered entity enters into a relationship with another entity to handle Protected Health Information (PHI), this requires the creation of a Business Associate Agreement (BAA), also called a “business associate contract”.
If you’re unsure whether you need to be HIPAA compliant ask the following questions:
The Payment Card Industry Data Security Standard, or PCI for short, is the standard that applies to any organization, regardless of size or transaction volume, that accepts credit cards. Any organization that processes, stores, or transmits credit card information must be PCI compliant.
In the event of a data breach, lack of PCI compliance could result in steep fines by the PCI Security Standards Council. PCI compliance for a small business lessens your business’s liability if a data breach occurs.
Any entity that processes, handles, or stores credit card data is required to be PCI DSS Compliant.
The main purpose of PCI DSS is to reduce the risk of debit and credit card data theft by hackers and thieves.
All payments on NextRequest are processed through Stripe, a PCI Level 1 Service Provider. NextRequest does NOT store customer credit card information on our servers.