Healthcare privacy and security teams are watching closely for new rules and regulations that will modify the HIPAA privacy and security rules.
However, they should also keep an eye on another security standard that last month cost a Massachusetts restaurant chain $110,000.
The Payment Card Industry (PCI) Data Security Standard (DSS), first released in 2004, requires any entity that accepts credit cards to protect that information from theft.
Boston-based The Briar Group LLC, which runs popular restaurants in the city, agreed to the settlement after it was charged with not taking reasonable steps to protect the personal information found on diners’ credit and debit cards.
Healthcare entities must take caution here, too. If you take plastic, you must comply with PCI DSS. And not all entities are aware, says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.
“I think healthcare organizations—and many others—are still unaware of PCI DSS,” Borten says. “They may or may not be directly affected by DSS, depending on circumstances, but in any case, the security requirements are, like ISO [International Organization for Standardization], HIPAA, and other regulations and frameworks, simply good practice.”
PCI DSS groups its twelve requirements under six control objectives, and requires organizations that take plastic to do the following:
- Build and maintain a secure network
  - Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  - Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect cardholder data
  - Requirement 3: Protect stored cardholder data
  - Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Maintain a vulnerability management program
  - Requirement 5: Use and regularly update antivirus software
  - Requirement 6: Develop and maintain secure systems and applications
- Implement strong access control measures
  - Requirement 7: Restrict access to cardholder data by business need-to-know
  - Requirement 8: Assign a unique ID to each person with computer access
  - Requirement 9: Restrict physical access to cardholder data
- Regularly monitor and test networks
  - Requirement 10: Track and monitor all access to network resources and cardholder data
  - Requirement 11: Regularly test security systems and processes
- Maintain an information security policy
  - Requirement 12: Maintain a policy that addresses information security
Borten says she used the news out of Boston to help students in her security class understand the importance of protecting firewalls.
“PCI DSS Requirement 1 deals with firewalls and includes many, many detailed good practices for any healthcare organization today,” Borten says. “Not only is DSS good advice, but simply the existence of such standards makes it harder for any organization to defend itself in case of a breach and the organization isn’t following them.”
Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, in Des Moines, IA, agrees with Borten that many healthcare entities are unaware of PCI DSS.
She also cautions that although President Obama exempted some entities from following the Red Flags Rule in December 2010, at which point many healthcare providers dropped the Red Flags Rule from their area of concern entirely, providers need to realize that not all of them were excluded.
“It only excluded those healthcare providers that do not regularly request credit reports for credit transactions from needing to comply with the Red Flags Rule,” Herold says. “There are still many providers who, because of the way they accept payments, must still follow the Red Flags Rule.”
The Boston restaurant incident should highlight the need for hospitals to think beyond HIPAA and the HITECH Act, Herold adds. They must ensure they are appropriately safeguarding all the information related to payment processing, and the associated credit checks that go along with it.
“Hospitals are, by their nature, open environments with an abundance of patients, visitors and other non-workers constantly going into the many different areas of the hospital,” Herold says. “I know that it is increasingly common for hospitals to accept credit card payments beyond their gift stores and cafeterias.”
Herold says that hospitals should follow this high-level strategy to help mitigate risks:
- Assign a position or person to be responsible for ensuring the security of credit card information, and appropriate controls for using credit cards
- Implement policies and procedures covering how credit cards can, and cannot, be used, in addition to how the related information may be used, shared, stored, destroyed, and generally safeguarded
- Implement technological, operational and administrative controls to protect digital credit card data, as well as hard copy data, and even credit cards themselves that may be obtained
- Provide regular training and ongoing awareness communications to personnel who collect, process, store, and otherwise have access to credit card information
- Enforce and sanction noncompliance consistently, and have strong executive support for the policies and related actions
Further, Herold says, take these specific actions to reduce risks:
- Ensure only those staff members who have responsibilities related to credit card payments can access credit card information.
- Make sure personnel who have possession of credit cards keep those cards from others, and maintain control and security for them at all times.
- Discard hard copy credit card slips only after finely shredding them, or put them into secured trash receptacles.
- Restrict nonpersonnel, and staff members without responsibilities related to credit card payments, from accessing payment systems. This includes keeping stations that access such payment systems well secured and locked when no authorized person is around.
- Do not keep credit card payment information within patient files or with patient papers posted in or outside of patient rooms.