Hospitals That Take Plastic Must Comply with PCI

Dom Nicastro, for HealthLeaders Media, April 19, 2011
  • Implement strong access control measures
    • Requirement 7: Restrict access to cardholder data by business need-to-know
    • Requirement 8: Assign a unique ID to each person with computer access
    • Requirement 9: Restrict physical access to cardholder data
  • Regularly monitor and test networks
    • Requirement 10: Track and monitor all access to network resources and cardholder data
    • Requirement 11: Regularly test security systems and processes
  • Maintain an information security policy
    • Requirement 12: Maintain a policy that addresses information security

Borten says she used the news out of Boston to help students in her security class understand the importance of protecting firewalls.

"PCI DSS Requirement 1 deals with firewalls and includes many, many detailed good practices for any healthcare organization today," Borten says. "Not only is DSS good advice, but simply the existence of such standards makes it harder for any organization to defend itself in case of a breach and the organization isn't following them."

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, in Des Moines, IA, agrees with Borten that many healthcare entities are not aware of PCI DSS.

She also cautions that although President Obama in December 2010 removed some of the entities that had to follow the Red Flags Rule, many, and perhaps most, healthcare providers dropped the Red Flags Rule from their area of concern entirely. They need to know that this change did not exclude all healthcare providers.

"It only excluded those healthcare providers that do not regularly request credit reports for credit transactions from needing to comply with the Red Flags Rule," Herold says. "There are still many providers who, because of the way they accept payments, must still follow the Red Flags Rule."

The Boston restaurant incident should show hospitals that they need to look beyond the boundaries of HIPAA and the HITECH Act, Herold adds. They must ensure they are appropriately safeguarding all information related to payment processing and the credit checks that accompany it.

"Hospitals are, by their nature, open environments with an abundance of patients, visitors and other non-workers constantly going into the many different areas of the hospital," Herold says. "I know that it is increasingly common for hospitals to accept credit card payments beyond their gift stores and cafeterias."
