IT organizations in the healthcare industry are being asked to make increasingly complex and subtle decisions. IT everywhere is being asked to do more and be responsible for more. Enabling the business to meaningfully engage IT, and creating a way to give the business the right information to make decisions, is key to the perceived and actual success of an IT department. The road to engaging all parts of the business is difficult, but it has also been shown to be a hallmark of successful organizations.
We frequently are asked about the Experian Independent Third Party Assessment (EI3PA). The EI3PA is the set of assessment requirements Experian imposes on third parties that have access to credit history information. Not much of the documentation is publicly available, so we thought we would share our insights based on our experience and on reviewing the Experian guidance.
The EI3PA came about because Experian wanted to make sure that credit history information shared with their partners was secured appropriately. Rather than create their own standard from scratch, they just grabbed the PCI Data Security Standard (PCI DSS). The PCI DSS outlines controls that should be in place to protect cardholder data (credit card numbers). In this case, instead of applying to credit card data, each control applies to credit history information. This means a third party handling Experian credit histories will need to comply with each of the 12 PCI DSS Requirements. The requirement categories are (just replace “cardholder” with “credit history”):
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security for all personnel
Each organization will need to review the DSS and ensure the minimum controls described are in place. The friendly folks at Experian also want some evidence from a third party ensuring that you are actually complying. So EI3PA requires all third parties to demonstrate their compliance by having a QSA perform an on-site engagement. This is stricter than PCI, which categorizes merchants into tiers based on credit card transaction volume. The PCI tiers are used to determine the type of reporting required to demonstrate compliance (an on-site assessment by a QSA for large volume shops, but just a self-assessment questionnaire for small volume firms).
In addition to an overall assessment of compliance with the DSS standard, web application and network penetration testing must be completed. Specifically, PCI DSS 11.3 requires penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:
11.3.1 Network-layer penetration tests
11.3.2 Application-layer penetration tests
The EI3PA guidance changes periodically and is not publicly available. Make sure to request the appropriate supporting documents from Experian, including their up-to-date FAQ. This will ensure that you are using the appropriate version of the DSS. Being informed and having all the data in advance will help make the process smoother.