A version of this article was published in The Daily Record on March 26, 2012.
While doctors, hospitals and other medical facilities are patently aware of the numerous federal and state laws and regulations that govern the use and protection of patient information, they may not be aware of certain industry privacy standards that are also applicable to medical providers that accept or process credit and debit card payments from patients.
A. PCI Security Standards
The Payment Card Industry Security Standards Council (PCI SSC) was created jointly by most of the major credit card companies. It establishes technical and operational requirements known as the Payment Card Industry Data Security Standards (PCI DSS), that apply to all “merchants” (including medical providers) that accept or process payment cards. The PCI DSS is, in turn, enforced by the individual credit card companies through their dealings with any entity that accepts payments from that card company.
Compliance with the PCI DSS is important now, more than ever, because of the increasing number of transactions involving credit and debit cards, the potential liability that can arise from a security breach and subsequent compromise of payment card data, and the potential revocation of card processing services by banks and card companies.
A security breach can have far-reaching consequences, including notification requirements, litigation costs and potential financial liabilities. A data breach can also have an impact on goodwill, potentially resulting in a loss of reputation and patients.
Medical providers are vulnerable to data breaches at various stages of payment card processing. For example, point-of-sale devices, personal computers or servers, wireless hotspots, paper-based storage systems, and unsecured transmission of cardholder data to service providers, all present potential points of vulnerability. Compliance with the PCI DSS can help alleviate these potential vulnerabilities and protect cardholder data.
B. Three Steps
There are three steps for adhering to the PCI DSS: assessment, remediation, and reporting.
A medical provider should assess its data security by (i) identifying cardholder data, (ii) taking an inventory of its information technology assets and the business processes it utilizes for payment card processing, and (iii) analyzing them for vulnerabilities that could expose cardholder data.
Generally, small practices may use a self-assessment questionnaire as a self-validation tool to assess PCI DSS compliance. The self-assessment questionnaire is provided by the PCI SSC, and requires varying levels of information depending on the manner in which a medical practice accepts payment cards.
Remediation can be accomplished by (i) fixing vulnerabilities, and (ii) most importantly, not storing cardholder data any longer than absolutely needed to process a transaction.
Finally, required reports should be compiled and submitted to the acquiring bank and/or card brands with which a medical provider does business.
C. General Requirements
The PCI DSS also establishes 12 general requirements:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration and router configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data – in general, no cardholder data should ever be stored unless it is necessary to meet the needs of the business.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors.
A medical provider’s compliance with these requirements, and with its specific bank and/or card company assessment and reporting requirements, can help protect patient cardholder information, and help prevent a damaging data breach.