- HIPAA Update - http://blogs.hcpro.com/hipaa -

Take plastic? Know this security standard

Healthcare privacy and security teams are watching closely for new rules and regulations that will modify the HIPAA privacy and security rules.

However, they should also keep an eye on another security standard that last month cost a Massachusetts restaurant chain $110,000.

The Payment Card Industry (PCI) Data Security Standard (DSS), first released in 2004, requires any entities that accept credit cards to protect that information from theft. View the regulation [1].

Boston-based The Briar Group LLC, which runs popular restaurants in the city, agreed to the settlement after it was charged with not taking reasonable steps to protect the personal information found on diners’ credit and debit cards.

Healthcare entities must take caution here, too. If you take plastic, you must comply with PCI DSS. And not all entities are aware, says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.

“I think healthcare organizations—and many others—are still unaware of PCI DSS,” Borten says. “They may or may not be directly affected by DSS, depending on circumstances, but in any case, the security requirements are, like ISO [International Organization for Standardization], HIPAA, and other regulations and frameworks, simply good practice.”

PCI DSS requires organizations that take plastic to do the following:

Borten says she used the news out of Boston to help students in her security class understand the importance of protecting firewalls.

“PCI DSS Requirement 1 deals with firewalls and includes many, many detailed good practices for any healthcare organization today,” Borten says. “Not only is DSS good advice, but simply the existence of such standards makes it harder for any organization to defend itself in case of a breach and the organization isn’t following them.”

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, in Des Moines, IA, agrees with Borten that many healthcare entities are unaware of PCI DSS.

She also cautions that although President Obama exempted some entities from following the Red Flags Rule [2] in December 2010, at which point many healthcare providers removed the Red Flags Rule from their area of concern entirely, providers need to realize that not all of them were excluded.

“It only excluded those healthcare providers that do not regularly request credit reports for credit transactions from needing to comply with the Red Flags Rule,” Herold says. “There are still many providers who, because of the way they accept payments, must still follow the Red Flags Rule.”

The Boston restaurant incident should highlight the need for hospitals to think beyond HIPAA and the HITECH Act, Herold adds. They must ensure they are appropriately safeguarding all information related to payment processing, including the credit checks associated with it.

“Hospitals are, by their nature, open environments with an abundance of patients, visitors and other non-workers constantly going into the many different areas of the hospital,” Herold says. “I know that it is increasingly common for hospitals to accept credit card payments beyond their gift stores and cafeterias.”

Herold says that hospitals should follow this high-level strategy to help mitigate risks:

Further, Herold says, take these specific actions to reduce risks: