Healthcare information security

Applicable Non-healthcare Regulations

September 8, 2016 by Infosec

Healthcare companies have to follow a long list of rules; HIPAA is a prime example. However, if they accept credit card payments, they also need to comply with another set of rules known as PCI-DSS.

What Is PCI Compliance?

PCI stands for payment card industry. It isn’t the name of any official organization, but refers to the overall industry. That being said, there is an unofficial, international organization that is seen as an authority in this field. That would be the PCI SSC.

A Quick Summary of the PCI-DSS

  • The PCI SSC (Payment Card Industry Security Standards Council) was formed in 2006.
  • It is a private organization dedicated to ensuring the integrity of the credit card industry.
  • PCI SSC is actually the result of collaborative efforts by MasterCard, Visa, Discover, American Express and JCB (Japan Credit Bureau). While this council claims to act independently of their respective employers, it’s also not hard to see why all of these companies would be invested in the future of credit cards.

The 12 PCI-DSS Requirements

In order to do this, the PCI Council created a body of security standards: PCI-DSS (Payment Card Industry Data Security Standards). These standards are made up of 12 requirements, which are broken down into six objectives:

  • Build and maintain a secure network
    • Install and maintain a firewall configuration to protect cardholder data
    • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect cardholder data
    • Protect stored cardholder data
    • Encrypt transmission of cardholder data across open, public networks
  • Maintain a vulnerability management program
    • Use and regularly update anti-virus software on all systems commonly affected by malware
    • Develop and maintain secure systems and applications
  • Implement strong access control measures
    • Restrict access to cardholder data by business need-to-know
    • Assign a unique ID to each person with computer access
    • Restrict physical access to cardholder data
  • Regularly monitor and test networks
    • Track and monitor all access to network resources and cardholder data
    • Regularly test security systems and processes
  • Maintain an information security policy
    • Maintain a policy that addresses information security

The above implementations must be made by all companies that wish to store, process or transmit any cardholder data. However, a formal validation process to ensure that companies comply with this rule is not mandatory for all entities.

At the time of this writing, just MasterCard and Visa require merchants and service providers to be validated as complying with PCI-DSS.

How Is PCI Compliance Related to HIPAA Compliance?

PCI and HIPAA are both concerned with the healthcare industry (obviously, PCI isn’t exclusively). However, it would be a big mistake to think the two were interchangeable. It would be equally disastrous to assume that the difference between the two was minimal.

In fact, these two forms of regulation only have two things in common:

  • They both affect the healthcare industry.
  • They’re both concerned with keeping sensitive information private.

That being said, the differences between the two are far more important to understand. The information they protect is different, and so are:

  • The safeguards you need to implement.
  • The guidelines you need to follow for auditing compliance of your organization.
  • The consequences you, your staff and/or your company could face if a breach occurs.

For this reason, it’s essential that you not mistake one for the other or think that following one means that you’re automatically in compliance with the other.

HIPAA compliance falls under the jurisdiction of Health and Human Services (HHS). Auditing companies to check for this compliance, though, is carried out by the Office for Civil Rights (OCR). Technically, they outsource the work to companies like KPMG, but it is still their domain. The point is that HIPAA is overseen by the government.

On the other hand, the PCI SSC, as we explained earlier, is a completely private entity that is responsible for ensuring that PCI rules are followed. There are no federal laws in the United States that force companies to adopt these rules (though there are some local laws that reference PCI-DSS directly).

Requirements for Compliance

As you might expect, the requirements for complying with these two sets of rules are also quite different. When you look at HIPAA, it’s primarily focused on:

  • Policies
  • Processes
  • Training

It’s also much more subjective in terms of application with a number of broad guidelines that must be followed but that also leave plenty of room for companies to work within their unique structures.

That’s not to say that HIPAA compliance is in any way open to interpretation. The law makes it very clear that companies must safeguard PHI and even lists about a dozen requirements that must be met in order to be in compliance.

By comparison, the requirements for healthcare PCI compliance are much more prescriptive. The PCI SSC is:

  • Very specific about what companies need to do if they want to stay out of trouble.
  • Clear about the technical requirements, which are written out in plain English.
  • Explicit in the demand that companies carry out daily log reviews and encrypt cardholder data transmitted across open, public networks.

At the same time, it lacks specifics when it comes to what companies should enact in terms of policies, procedures for following the above demands, and training for employees.

Business Associate Agreements

One final requirement that differs between the two has to do with business associate agreements. Under HIPAA, any companies that work with covered entities in a manner that involves handling PHI must enter into a business associate agreement. This gives the covered entity an added level of protection and extends the liability of working with this data to the business associate.

In healthcare, PCI has no equivalent to a business associate agreement that companies must enter into with third parties with which they work.

The Consequences for Non-Compliance

As we mentioned earlier, the consequences for non-compliance are different where both sets of rules are concerned too. Obviously, as a federal law, if your company isn’t complying with HIPAA, you’ll run afoul of the government. This means facing:

  • Possible fines
  • Possible civil penalties
  • Possible criminal charges

Simply put, stakeholders could get hit with huge fines, but they may also find themselves in jail.

The Risk of PR Problems

Even without those severe consequences, most companies would have a tough time coming back from the PR nightmare of having to post press releases to the public in traditional media outlets warning patients that their stolen information may have been compromised. However, this is a consequence that no organization can legally dodge.

Serious Fines Will Result

Not complying with PCI could also result in some serious fines, but there aren’t any grounds for pursuing criminal charges. No one is going to go to jail for falling out of compliance, but that doesn’t mean that the consequences are anything to take lightly. Suffering a breach could come with a fine of thousands or even millions of dollars.


Loss of Customers Would Occur

Potentially even worse, the company that suffered the breach may lose certain card-processing privileges, which would mean much larger losses as time goes on. As with a HIPAA non-compliance incident, there could also be the losses that come with a damaged reputation.

HIPAA and PCI Overlap

We’ve mentioned that HIPAA and PCI both have their places in the healthcare industry, but are also both very different sets of rules. Nonetheless, they do share some overlap, which is worth bringing up.

Specifically, recall that PCI is more explicit when requiring how your company safeguards credit card information – far, far more so than you’ll find with HIPAA. This could be an area of overlap, though, as you can use PCI’s requirements as the foundation for creating security measures based on HIPAA’s directions (which leave much more to the company’s discretion).

Both HIPAA and PCI place an emphasis on documenting risk assessment efforts and management plans, so this is another area of potential overlap where your company can pursue compliance of both at the same time.

The most efficient way for an organization to be compliant both in PCI and HIPAA would be to lay out the guidelines from each that apply to your business, look for where there is overlap, and then focus your resources jointly.

This approach will also make it obvious where the two diverge and you’re better off putting those measures in the hands of different people/teams.

What Do Healthcare Organizations Need to Know About PCI Compliance?

Some of the things your company needs to know about healthcare PCI compliance have already been covered. Namely, that it’s not the same as HIPAA compliance and that there are serious consequences for not following the rules.

However, PCI compliance for a hospital or some other organization in the healthcare industry also means understanding some unique features specific to this industry. Let’s look at the most important ones in detail:

  • Credit Card Use Is on the Rise

The use of credit cards isn’t slowing down, which means your healthcare company can expect to see more people paying this way. The trend of credit card use at hospitals has been going up for a while now and there’s no reason to think that will change. As a result, your organization should look at its PCI-DSS compliance efforts in light of the fact that they will probably be put under greater stress as the years go by.

  • Hackers Love the Current Standard

That last section regarding PCI compliance for a hospital or other healthcare-related organization shouldn’t be too scary. You just need to stress-test your approach to make sure it will hold up as credit card use increases.

However, what is scary is that most hospitals capture cardholder data on their local PCs using web services. Hackers love this because it makes the information extremely vulnerable, and credit card information combined with PHI is especially tempting for these cybercriminals.

This is something that must be addressed by your organization ASAP. Aside from avoiding problems where PCI-DSS compliance is concerned, it could also save you from a class-action lawsuit.

  • An Increasing Number of HDHPs Means More Credit Card Use

High deductible health plans (HDHPs) are increasing in popularity. While this means covering medical expenses out of pocket, it generally involves using a credit card:

– Roughly 25% of those with HDHPs have problems paying their medical bills.

– 38% of them also reported that these medical bills had increased their credit card debt as well.

This is one more reason healthcare PCI-DSS compliance must be a priority. Constantly revising your efforts must be a priority too, as the threat of a breach will become more and more likely with the increased adoption of HDHPs.

  • Hackers Are Going After Hospitals

Speaking of which, this is already happening to some degree. Over the past year, the healthcare industry has been the second biggest victim of security breaches. This amounted to 781 breaches in 2015, at least those that were publicized. Sadly, the number could also be a lot bigger because of organizations without proper measures in place that never realized they had been hacked. As a result of those 781 successful attacks, over 112 million records were accessed by unauthorized parties.

Traditional Compliance Options Are Burdensome

At the moment, complying with healthcare PCI-DSS demands is difficult almost entirely because of the costs involved. Many hospitals still have outdated networks but remain in compliance by constantly running comprehensive audits on everything from staff members’ mobile devices to the laptops of their executives.

This enterprise approach is far from affordable, though, which is why so many hospitals opt for network segmentation. By segmenting their network, only some portions need to meet PCI-DSS standards.

While it saves money, segmentation also means using separate terminals specifically to process credit cards. It’s also still going to cost hundreds of thousands of dollars every year.

Fortunately, help is on the way. The PCI SSC’s international director, Jeremy King, recently mentioned that his favorite security solution was P2PE (point-to-point encryption), and the first version of this specific to the healthcare industry was just launched.

PCI-DSS may not be legally mandated, but if your healthcare company wants to process credit cards, you’ll need to comply with the PCI SSC’s rules. The above should help you understand what it involves and how it relates to HIPAA.

