It continues to astound me how many businesses have a free version or home version of antivirus installed on their workstations at the office. There is no central management for the antivirus software to enforce the company security policy creates an infrastructure where each workstation can have a different level of protection or none at all. Leaving security up to the end-user is never a good idea that could easily lead to a virus infection. For those effected by HIPAA or PCI compliance having managed antivirus is a must.
PCI Compliance Regulations
Section 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Section 5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
Section 5.2 Ensure that all anti-virus mechanisms are maintained as follows:
Are kept current,
Perform periodic scans
Generate audit logs which are retained per PCI DSS Requirement 10.7
Section 5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period
In order to comply with all of these regulations there is no other choice than to use managed antivirus as it automatically updates, regularly scans and keeps logs in a central place.
HIPAA Compliance Regulations
45 C.F.R § 164.306 (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
45 C.F.R § 164.308 (a)(5)(ii)(B) Protection from malicious software. Procedures for guarding against, detecting, and reporting malicious software.
These regulations are a bit more cryptic, but they do require antivirus to be installed, fully capable of protection and able to report. The best way to achieve this is to use managed antivirus.
If your company is using standard or free antivirus to protect your business workstations, then contact us for assistance.