The Schellman Blog

Is there a period of time that the DEA-EPCS Third Party audit is valid? On March 31, 2010 the Drug Enforcement Agency's (DEA) rule, "Electronic Prescriptions for Controlled Substances" has revised its regulations to give physicians the choice of writing prescriptions for controlled substances the traditional method or through the electronic system. Originally, the regulation restricted physicians and practitioners from writing electronic prescriptions for controlled substances (EPCS).

When you commit to getting ISO 9001 certified, you commit to meeting the needs of customers and other stakeholders regarding your product or service through a comprehensive quality management system (QMS). But it’s not enough to meet the standard—you have to get ISO 9001 certified, which involves an initial certification audit, further surveillance audits, and recertification in order to maintain an accredited certification.

When Microsoft released version 9 of their Data Protection Requirements (DPR) back in October 2023, the new framework contained several important updates, as well as a few brand new requirements, including the addition of new considerations for suppliers processing protected health information (PHI).

Since the sunsetting of PCI DSS v3.2.1 on March 31, 2024, PCI DSS v4.0 has become effective, as have some of its new requirements (though future-dated requirements will be effective March 31, 2025). While v4.0 has introduced some major changes in various areas, for service providers—including some that include additional nuance for colocation providers in particular—multiple new requirements are now effective as well as some that are future-dated.

As technology continues to evolve and embed itself more into society, regulations to govern its use and protect consumers are struggling to keep up in parts of the world. But not so in the European Union (EU), where they’ve recently made progress on a wave of new cyber legislation—among those is the NIS 2 Directive.

This week marks the first anniversary of Schellman's Weekly Read—over the past year, we've sent a Friday email to subscribers containing links to our latest and greatest content. To mark the occasion—fifty-two straight weeks of thought leadership and compliance insight, we've put together the Schellman Weekly Read Top 5 Posts (as determined by most clicks).

Though society has, these days, moved firmly into the digital age where emails, texts, and the online world dominate both communication and cyber-attack vectors, it might not occur to people—or organizations—that some scams are still perpetuated over the phone in what’s called a vishing attack.

For those financial institutions involved in international transactions, compliance with the security requirements set forth by the Society for Worldwide Interbank Financial Telecommunication (SWIFT)—otherwise known as its Customer Security Programme (CSP), which aims to better secure the global financial community against cyber threats. One part of the Programme includes the SWIFT Customer Security Controls Framework (CSCF), which was updated in 2024 and now mandates controls around the protection of outsourced critical activity.