Don’t think you have to comply?
For medical practices that accept payment cards,
COMPLIANCE IS MANDATORY.
The PCI DSS (Payment Card Industry Data Security Standard) is a single security standard that consolidated the cardholder security programs of the five leading payment card brands. If you accept, process, or store cardholder data, you are responsible for being Payment Card Industry (PCI) compliant and for documenting your adherence on an annual basis. PCI DSS is a contractual obligation imposed through your merchant agreement with your acquirer and the card brands; it is not part of HIPAA law, but any practice that handles both patient records and card payments must satisfy both.
Because of the complexity and technical detail of the PCI DSS requirements, many practices choose to partner with a company that understands both PCI and HIPAA, such as PCIHIPAA.com.
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Let’s examine just the first three requirements and what they mean to you.
Requirement 1: Install and Maintain A Firewall Configuration.
What It Means
It is self-evident: cardholder data stored on computers is not safe if the computers themselves are not safe. As a result, the first requirement is that merchants put a "wall" around their networks to keep attackers out.
This requirement is met by placing firewalls at every boundary between the cardholder data environment and other networks (the internet, wireless networks, and the rest of the practice's own network), and configuring them to deny all traffic except what the practice explicitly needs. The firewalls must be set up, documented, and reviewed so that they work accurately and consistently. Each laptop that connects from outside the practice must also run its own "built-in" personal firewall to protect the data stored on it.
Action Steps for Merchants
Unfortunately, Requirement 1 is one of the most technically complicated and demanding sections of the PCI DSS. Most medical practitioners are not IT experts and have never given a second thought to firewalls, network segmentation, and other detailed security requirements. They need help understanding the precise meaning of "firewall", "router", "configuration", "DMZ", "internal network", "hypertext", "SSL", "VPN" and more.
There are only two realistic choices: a physician can invest a great deal of time, money, and effort into becoming a security expert, at the expense of patient care, or the practice can partner with someone who has the deep, specialized technical knowledge to navigate network security. Failing to reach out to the right experts can lead to compromised security and network failures.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
What It Means
If you think of your network as a bank vault, Requirement 1 is about making sure the walls of the vault are thick and strong. Requirement 2 is about ensuring that the doors are closed and locked when not needed, and that their use is tightly controlled when they are needed.
A system cannot function without some services, ports, and accounts being open, but each of these is a potential entry point for an attacker, and vendors ship many of them enabled with well-known default passwords and settings. Therein lies the dilemma. This requirement is full of product-specific details, and the right fix differs by operating system, router, switch, wireless access point, and so on, each with its own manufacturer's defaults. Is it any wonder that medical practitioners risk substantial non-compliance fines?
Action Steps
There is no substitute for partnering with a PCI compliance company that truly understands host security. The complexity of Requirement 2 is simply too onerous to "go it alone."
Take one basic example: under this requirement, practices must remove or disable all unnecessary accounts, services, and protocols on every system in scope. But a practice that is not technologically savvy will find it next to impossible even to determine which accounts exist on a given computer, let alone which are still needed. And that is one of the easier examples. PCIHIPAA offers current, proven tools and guidance to help you address this requirement in full.
Requirement 3: Protect stored cardholder data.
What It Means
Stores of cardholder data are a treasure trove for sophisticated attackers because of the large payoff and the minimal effort required to steal them. As a result, Requirement 3 requires medical practices to:
Minimize stored data (both the type of data and the amount), and never store sensitive authentication data after authorization, such as PINs, full magnetic-stripe data, or card verification codes.
Ensure that primary account numbers (PANs) are masked whenever they are displayed or printed, for example on receipts or in payment applications, so that at most the first six and last four digits are visible.
Make certain that stored PANs are rendered unreadable wherever they are kept. The usual approaches are strong encryption, the most common way of protecting stored data, or truncation, which keeps only the last four digits and cannot be reversed.
Action Steps
The challenges of this requirement can be overwhelming. Each medical practitioner must ask, “How much potential business disruption will come with reducing data storage and encrypting the data? What processes would need to change? Does my practice use stored cardholder data for patient relationship management or simply for managing chargebacks?” It’s not simply about technology; it’s about how technology impacts business operations.
The first step is for physicians to analyze their own systems so they know where they stand. They must investigate where their systems might be storing cardholder data, whether their payment applications or devices are validated, and whether there is even a remote chance that systems have been misconfigured to store data without their knowledge.
The next step is to reduce the volume of stored data to the absolute minimum. Consider this: losing 200 credit card numbers is not good, but it is far better than losing 2,000. Once that reduction is made, physicians must protect whatever remains with encryption or a comparable technique such as truncation.
Fortunately, PCIHIPAA.com can help you find a widely used encryption solution that fits your specific business requirements and use it in the recommended way with an eye toward the procedural as well as the technical requirements.
Medical practices are particularly attractive targets because of the wealth of personal patient information they hold, including financial records.
The number of data breaches skyrocketed nearly 50% last year, compromising the personal records of at least 34.7 million Americans.
The cost of a data breach for a small practice is crippling – as high as $50,000 or more.
New HIPAA privacy and security fines under the American Recovery and Reinvestment Act (ARRA) of 2009 (Pub.L. 111-5)