
Hospitals That Take Plastic Must Comply with PCI

By dnicastro@hcpro.com | April 19, 2011

Healthcare privacy and security teams watch closely for new rules and regulations from the government that will modify the HIPAA privacy and security rules.

However, they should also keep an eye on another security standard that last month cost a Boston restaurant chain $110,000. The Payment Card Industry (PCI) Data Security Standard (DSS), first released in 2004, requires any entities that accept credit cards to protect that information from theft.

In Boston last month, The Briar Group LLC, which runs popular restaurants in the city, agreed to pay $110,000 in a settlement after it was charged with not taking reasonable steps to protect diners' personal information from credit and debit cards.

Healthcare entities must take caution here, too. Those that take plastic must comply with PCI DSS, and not all entities are aware of the standard, says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.

"I think healthcare organizations - and many others - are still unaware of PCI DSS," Borten says. "They may or may not be directly affected by DSS, depending on circumstances, but in any case, the security requirements are, like ISO (International Organization for Standardization), HIPAA, and other regulations and frameworks, simply good practice."

PCI DSS groups its 12 requirements under six goals. Organizations that take plastic must:

  • Build and maintain a secure network
      • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
      • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect cardholder data
      • Requirement 3: Protect stored cardholder data
      • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Maintain a vulnerability management program
      • Requirement 5: Use and regularly update antivirus software
      • Requirement 6: Develop and maintain secure systems and applications
  • Implement strong access control measures
      • Requirement 7: Restrict access to cardholder data by business need-to-know
      • Requirement 8: Assign a unique ID to each person with computer access
      • Requirement 9: Restrict physical access to cardholder data
  • Regularly monitor and test networks
      • Requirement 10: Track and monitor all access to network resources and cardholder data
      • Requirement 11: Regularly test security systems and processes
  • Maintain an information security policy
      • Requirement 12: Maintain a policy that addresses information security
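Requirements 3 and 10 together imply a concrete check that a hospital security team can run on its own systems: card numbers should never end up in application logs, ticketing notes or exported spreadsheets, and where one does, the record should be masked rather than kept in full. The following Python is an added example, not code from the article, from PCI SSC or from any product named here. It scans constructed sample log lines for 13- to 19-digit candidate numbers, uses the Luhn checksum (the check digit scheme card numbers carry) to drop numbers that are merely long, and masks hits to the first six and last four digits, the most PCI DSS permits to be displayed. Log lines, hostnames and the card numbers (standard Visa-style test values) are all constructed.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens.
# The pattern is a constructed approximation; real scanners also key on BIN ranges.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Mask a PAN to first six and last four digits (PCI DSS display convention)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalize(candidate):
    """Strip spaces and hyphens so the Luhn check sees digits only."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text):
    """Return the Luhn-valid PANs (digits only) found in a piece of text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def redact(text):
    """Replace each Luhn-valid PAN in text with its masked form; leave other digits alone."""
    def _sub(m):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)
    return PAN_RE.sub(_sub, text)


def scan_log(lines):
    """Return (line index, redacted line) for every line that leaked a PAN."""
    return [(i, redact(line)) for i, line in enumerate(lines) if find_pans(line)]


# Constructed sample log: a payment kiosk wrote the card number into its log (line 0),
# a check-in line with a medical record number (no PAN), and a line whose 16-digit
# value fails Luhn and is therefore not a card number (line 2).
SAMPLE_LOG = [
    "2011-04-19 10:02:11 kiosk03 payment ok amount=45.00 pan=4111 1111 1111 1111",
    "2011-04-19 10:02:12 kiosk03 patient mrn=00123456 checked in",
    "2011-04-19 10:03:40 kiosk07 payment declined ref=4111111111111112",
]


if __name__ == "__main__":
    for idx, line in scan_log(SAMPLE_LOG):
        print("PAN leaked on line %d -> %s" % (idx, line))
```

Running the block flags only the first sample line and prints it with the card number shown as `411111******1111`; the Luhn filter keeps the similar-looking 16-digit reference on the third line from being reported. In practice the scan would be pointed at log exports, ticket attachments and file shares, and every hit is evidence that the system writing it belongs inside the cardholder data environment and needs the Requirement 3 controls.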

Borten says she used the news out of Boston to help students in her security class understand the importance of firewall protection.

"PCI DSS Requirement 1 deals with firewalls and includes many, many detailed good practices for any healthcare organization today," Borten says. "Not only is DSS good advice, but simply the existence of such standards makes it harder for any organization to defend itself in case of a breach and the organization isn't following them."

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, in Des Moines, IA, agrees with Borten that many healthcare entities are not aware of PCI DSS.

She also cautions that after President Obama in December 2010 removed some entities from the list of those required to follow the Red Flags Rule, many, and perhaps most, healthcare providers dropped the rule from their area of concern entirely. They need to know that the change did not exclude all healthcare providers.

"It only excluded those healthcare providers that do not regularly request credit reports for credit transactions from needing to comply with the Red Flags Rule," Herold says. "There are still many providers who, because of the way they accept payments, must still follow the Red Flags Rule."

The Boston restaurant incident should highlight to hospitals that they need to go beyond the boundaries of HIPAA and the HITECH Act, Herold adds. They must ensure they are appropriately safeguarding all the information related to payment processing, and the associated credit checks that go along with it.

"Hospitals are, by their nature, open environments with an abundance of patients, visitors and other non-workers constantly going into the many different areas of the hospital," Herold says. "I know that it is increasingly common for hospitals to accept credit card payments beyond their gift stores and cafeterias."

At a high level, Herold says, the basic strategies hospitals should adopt to reduce their risks include the following:

  • Assign a position or person to be responsible for ensuring the security of credit card information, and appropriate controls for using credit cards
  • Implement policies and procedures covering how credit cards can, and cannot, be used, in addition to how the related information may be used, shared, stored, destroyed, and generally safeguarded
  • Implement technological, operational and administrative controls to protect digital credit card data, as well as hard copy data, and even credit cards themselves that may be obtained
  • Provide regular training and ongoing awareness communications to personnel who collect, process, store, and otherwise have access to credit card information
  • Consistently enforce and sanction non-compliance, along with having strong executive support for the policies and related actions

Further, Herold says, take these specific actions to reduce risks:

  • Make sure only those who have responsibilities for credit card payments can access credit card information
  • Make sure personnel who have possession of credit cards keep those cards from others, and maintain control and security for them at all times
  • Do not throw away hard copy credit card slips without finely shredding them, or putting into secured trash receptacles
  • Do not allow non-personnel and others without responsibilities for credit card payments to be able to access the payments systems. This includes keeping stations that access such payment systems well-secured and locked when no-one authorized is around.
  • Do not keep credit card payment information within patient files, or with patient papers posted in or outside of patient rooms


Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
