Hospitals That Take Plastic Must Comply with PCI

Healthcare privacy and security teams watch closely for new rules and regulations from the government that will modify the HIPAA privacy and security rules.

However, they should also keep an eye on another security standard that last month cost a Boston restaurant chain $110,000. The Payment Card Industry (PCI) Data Security Standard (DSS), first released in 2004, requires any entities that accept credit cards to protect that information from theft.

In Boston last month, The Briar Group LLC, which runs popular restaurants in the city, agreed to pay $110,000 in a settlement after it was charged with not taking reasonable steps to protect diners' personal information from credit and debit cards.

Healthcare entities must take caution here, too. Those that take plastic, must comply with PCI DSS. And not all entities are aware of the standard, says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.

"I think healthcare organizations - and many others - are still unaware of PCI DSS," Borten says. "They may or may not be directly affected by DSS, depending on circumstances, but in any case, the security requirements are, like ISO (International Organization for Standardization), HIPAA, and other regulations and frameworks, simply good practice."

 PCC DSS standards require organizations who take plastic to:

• Build and maintain a secure network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect cardholder data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks
• Maintain a vulnerability management program
• Requirement 5: Use and regularly update antivirus software
• Requirement 6: Develop and maintain secure systems and applications