Healthcare companies have to follow a long list of rules. HIPAA is a prime example. However, if they accept credit card payments, they also need to comply with another set of rules known as PCI-DSS.
PCI stands for payment card industry. It isn’t the name of any official organization, but refers to the overall industry. That being said, there is an unofficial, international organization that is seen as an authority in this field. That would be the PCI SSC.
To that end, the PCI Council created a body of security standards: PCI-DSS (Payment Card Industry Data Security Standard). These standards are made up of 12 requirements, which are broken down into six objectives:
The above requirements must be implemented by all companies that wish to store, process or transmit any cardholder data. However, a formal validation process to ensure that companies comply with this rule is not mandatory for all entities.
At the time of this writing, just MasterCard and Visa require merchants and service providers to be validated as complying with PCI-DSS.
PCI and HIPAA are both concerned with the healthcare industry (obviously, PCI isn’t exclusively). However, it would be a big mistake to think the two were interchangeable. It would be equally disastrous to assume that the difference between the two was minimal.
In fact, these two forms of regulation only have two things in common:
That being said, the differences between the two are far more important to understand. The information they protect is different. Such differences include:
For this reason, it’s essential that you not mistake one for the other or think that following one means that you’re automatically in compliance with the other.
HIPAA compliance falls under the jurisdiction of Health and Human Services (HHS). Auditing companies to check for this compliance, though, is carried out by the Office of Civil Rights (OCR). Technically, they outsource the work to companies like KPMG, but it is still their domain. The point is that HIPAA is overseen by the government.
On the other hand, the PCI SSC, as we explained earlier, is a completely private entity that is responsible for ensuring that PCI rules are followed. There are no federal laws in the United States that force companies to adopt these rules (though there are some local laws that reference PCI-DSS directly).
As you might expect, the requirements for complying with these two sets of rules are also quite different. When you look at HIPAA, it’s primarily focused on:
It’s also much more subjective in terms of application with a number of broad guidelines that must be followed but that also leave plenty of room for companies to work within their unique structures.
That’s not to say that HIPAA compliance is in any way open to interpretation. The law makes it very clear that companies must safeguard PHI and even lists about a dozen requirements that must be met in order to be in compliance.
By comparison, the requirements for healthcare PCI compliance are much more prescriptive. The PCI SSC is:
At the same time, it lacks specifics when it comes to what companies should enact in terms of policies, procedures for following the above demands, and training for employees.
One final requirement that differs between the two has to do with business associate agreements. Under HIPAA, any companies that work with covered entities in a manner that involves handling PHI must enter into a business associate agreement. This gives the covered entity an added level of protection and extends the liability of working with this data to the business associate.
In healthcare, PCI has no equivalent to a business associate agreement that companies must enter into with third parties with which they work.
As we mentioned earlier, the consequences for non-compliance are different where both sets of rules are concerned too. Obviously, as a federal law, if your company isn’t complying with HIPAA, you’ll run afoul of the government. This means facing:
Simply put, stakeholders could get hit with huge fines, but they may also find themselves in jail.
Even without those severe consequences, most companies would have a tough time coming back from the PR nightmare of having to post press releases in traditional media outlets warning patients that their information may have been compromised. This is a consequence that no organization can legally dodge.
Not complying with PCI could also result in some serious fines, but there aren’t any grounds for pursuing criminal charges. No one is going to go to jail for falling out of compliance, but that doesn’t mean that the consequences are anything to take lightly. Suffering a breach could come with a fine of thousands or even millions of dollars.
Potentially even worse, the company that suffered the breach may lose certain card-processing privileges, which would mean much larger losses as time goes on. As with a HIPAA non-compliance incident, there could also be the losses that come with a damaged reputation.
We’ve mentioned that HIPAA and PCI both have their places in the healthcare industry, but are also both very different sets of rules. Nonetheless, they do share some overlap, which is worth bringing up.
Specifically, recall that PCI is more explicit when requiring how your company safeguards credit card information – far, far more so than you’ll find with HIPAA. This could be an area of overlap, though, as you can use PCI’s requirements as the foundation for creating security measures based on HIPAA’s directions (which leave much more to the company’s discretion).
Both HIPAA and PCI place an emphasis on documenting risk assessment efforts and management plans, so this is another area of potential overlap where your company can pursue compliance with both at the same time.
The most efficient way for an organization to be compliant both in PCI and HIPAA would be to lay out the guidelines from each that apply to your business, look for where there is overlap, and then focus your resources jointly.
This approach will also make it obvious where the two diverge and where you’re better off putting those measures in the hands of different people or teams.
Some of the things your company needs to know about healthcare PCI compliance have already been covered. Namely, that it’s not the same as HIPAA compliance and that there are serious consequences for not following the rules.
However, PCI compliance for a hospital or some other organization in the healthcare industry also means understanding some unique features specific to this industry. Let’s look at the most important ones in detail:
The use of credit cards isn’t slowing down, which means your healthcare company can expect to see more people paying this way. The trend of credit card use at hospitals has been going up for a while now and there’s no reason to think that will change. As a result, your organization should look at its PCI-DSS compliance efforts in light of the fact that they will probably be put under greater stress as the years go by.
That last section regarding PCI compliance for a hospital or other healthcare-related organization shouldn’t be too scary. You just need to stress-test your approach to make sure it will hold up as credit card use increases.
However, what is scary is that most hospitals capture cardholder data on their local PCs using web services. Hackers love this because it makes the information extremely vulnerable and credit card information combined with PHI is especially tempting for these cybercriminals.
This is something that must be addressed by your organization ASAP. Aside from avoiding problems where PCI-DSS compliance is concerned, it could also save you from a class-action lawsuit.
High deductible health plans (HDHPs) are increasing in popularity. While this means covering medical expenses out of pocket, it generally involves using a credit card:
– Roughly 25% of those with HDHPs have problems paying their medical bills.
– 38% of them also reported that these medical bills had increased their credit card debt as well.
This is one more reason healthcare PCI-DSS compliance must be a priority. Constantly revising your efforts must be a priority too, as the threat of a breach is going to become more and more likely with the increased uptake of HDHPs.
Speaking of which, this is already happening to some degree. Over the past year, the healthcare industry has been the second biggest victim of security breaches. This amounted to 781 breaches in 2015, at least those that were publicized. Sadly, the number could also be a lot bigger because of organizations without proper measures in place that never realized they had been hacked. As a result of those 781 successful attacks, over 112 million records were accessed by unauthorized parties.
At the moment, complying with healthcare PCI-DSS demands is difficult almost entirely because of the costs involved. Many hospitals still have outdated networks but remain in compliance by constantly leveraging comprehensive audits on everything from staff members’ mobile devices to the laptops of their executives.
This enterprise approach is far from affordable, though, which is why so many hospitals opt for network segmentation. By segmenting their network, only some portions need to meet PCI-DSS standards.
While it saves money, segmentation also means using separate terminals specifically to process credit cards. It’s also still going to cost hundreds of thousands of dollars every year.
Fortunately, help is on the way. The PCI SSC’s international director, Jeremy King, recently mentioned that his favorite security solution was P2PE (point-to-point encryption). The first version of this standard specific to the healthcare industry was just launched too.
PCI-DSS may not be legally mandated, but if your healthcare company wants to process credit cards, you’ll need to comply with the PCI SSC’s rules. The above should help you understand what it involves and how it relates to HIPAA.