Tips on PCI DSS ComplianceHow PCI Compliance Can Also Help With HIPAA Compliance
"If an organization can meet all of the requirements of PCI, it's going to be in great shape when it comes to HIPAA security compliance," Walsh contends. "The problem is that most organizations just can't afford right now to invest in their infrastructure as well as all of the controls required to meet all the standards required in PCI. If they could, it would be a great help with HIPAA."
Large payment card transaction volume merchants, including many hospitals, must have independent audits and frequent vulnerability tests, Walsh explains. Those with smaller payment card transaction levels are required to conduct a self-assessment and complete a "self-assessment questionnaire." All merchants are required to complete an "attestation of compliance."
In an interview (transcript below) with Howard Anderson, executive editor of HealthcareInfoSecurity.com, Walsh offers an overview of PCI DSS and suggests key compliance steps, including:
- Creating a diagram that shows how credit transactions are handled;
- Identifying all applications and systems involved and creating an inventory of all card reading devices;
- Conducting an initial self-assessment and creating a plan to remediate any problems identified;
- Creating a credit card handling policy and training staff annually on how to carry it out.
On May 18, Walsh will conduct an in-depth webinar on PCI DSS compliance in partnership with Information Security Media Group.
Walsh, CISSP, is president of Tom Walsh Consulting, an Overland Park, Kan.-based firm that advises healthcare organizations on information security in healthcare. He has conducted numerous presentations on PCI and has helped dozens of healthcare organizations conduct PCI self- assessments. Walsh also serves as information security officer at San Antonio Community Hospital on an outsourced basis.
HOWARD ANDERSON: For starters, please briefly describe the Payment Card Industry Data Security Standard and who must comply.
TOM WALSH: ... To counter the threat of fraud, and unintentional security breaches, the major credit card companies worked collaboratively to create a common industry standard. ... In September of 2006, the five major credit card companies formed the organization called the PCI Security Standards Council, and what the council tried to do was come up with a set of standard data security criteria that they wanted all the organizations that handle or process credit cards to follow.
The standard itself covers both technical and operational system components associated with the card holder data environment. It includes things like the access to credit card data, transferring the information, storage of the information, retention and disposal. They've been updating the standard over the years, and the current version of the PCI Data Security Standard is Version 2.0.
...Mainly the goals are to build and maintain a secure network, protect the card holder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test the networks, and then maintain an information security policy. These are all good things and generally considered common practices.
One thing I want to point out is that many people get confused, and they wonder whether this applies to the entire network and to the entire organization. But it really pertains only to those systems or applications that are used for the storage, processing or transmission of cardholder data. That is why a lot of organizations try to segregate out credit card data transactions from their other operations.
Security ControlsANDERSON: Many healthcare organizations have been focused heavily on complying with HIPAA's privacy and security rules, while sometimes overlooking other industry standards, such as PCI. So tell us about security controls that PCI requires.
WALSH: Many organizations are worried about complying with HIPAA, and they've forgotten that PCI applies globally to any organization that stores or processes or transmits card holder data. So most healthcare organizations accept credit card for payment for co-pays or for paying for their services outright. As part of this, they have to go in and look at these security requirements and they have to do what's called a self-assessment, and that is a questionnaire form they have to fill out and it has certain criteria. The criteria are based on the environment in which your credit card processing takes place. ...
... While the council is really responsible for managing the data security standards, each of the credit card brands maintains its own separate compliance and enforcement program, which makes it a little bit of a challenge. Each card brand has their own determination for validation of compliance, and most of it is based on reporting, and the reporting is usually a requirement for the acquiring financial institutions or banks, or the merchant service processors that work with the organization when they process credit cards. ... Generally they'll ask for ... some kind of a letter to provide evidence or proof that the healthcare organization that is processing the credit cards is, indeed, in compliance with the PCI data security standard.
Now sometimes a breach may occur, and that is when these organizations will get involved, and then they'll want to see proof that you've been compliant over the years. ...
One of the things I've seen, which is a trend, is that the banks or merchant service processors are now sending letters to [certain] organizations and they are asking them to prove that they're compliant by going online to a website and completing their self-assessment questionnaire. ...
The other part about this that can be difficult is that when you go on the website to complete the self-assessment questionnaire, many times what is included in that registration process is a vulnerability scan that will be conducted by the organization that the bank or merchant service processor has contracted to go out and conduct the scan. ...
The other thing is, who gets these letters? Generally it's not going to end up with IT or information security; it usually will end up with whoever in the organization has the relationship with the bank or the credit card company. So the bad news is, somebody could be getting this letter and not know what to do with it, and either hold on to it or ignore it. And meanwhile, the folks who really know what they should be doing about it aren't getting the word.
So as far as a compliance audit ... you should be doing it on an annual basis. ... In most cases, my clients, when they go through this, they'll hold on to the result of it and won't turn it over unless they are asked to produce it.
ANDERSON: So what are a few of the steps that an organization can take to assess whether they are PCI compliant now?
WALSH: Well some of the things that they need to look at is to figure out who in their organization is handling or processing credit cards. So you've got to look at the various departments. Now in a hospital, it will typically be the departments such as admitting, registration or patient access ... where the patient first checks in and pays for a co-pay. It could be the cashier at the hospital. Patient financial services, which does the patient billing, handles credit cards [as do the] gift shops, cafeteria, any of the outpatient services, such as the pharmacy ... or clinics or urgent care centers or if the organization sells or rents medical equipment and supplies. So those would be areas where credit cards are being handled. So the first step is really getting a handle on the environment itself.
The next step would be to determine who really owns the PCI project. ... They need a high-level executive to take ownership of it. You need to determine what merchant level and type you are -based on the number of transactions you process, and the environment that you process it in - are you using just point-of-sale terminals or are you using some secure website for processing transactions. Then create a transaction work flow map or a diagram that shows how credit card transactions take place in the organization, and where all the data may reside so you have an idea then of what you need to assess. Then identify the applications and systems associated with the processing, storage and transmission of the credit card data. You might want to do an inventory of any of your point-of-sale terminals or cash register systems, or card readers that attach to a workstation. ...
Then you would conduct your initial self assessment, filling out the self assessment questionnaire. Sometimes [those doing this for the] first time ... may want to call upon a vendor for some help with that. Once they have done the assessment, they will probably find some shortcomings, and that would be something you would put in a report of findings to your executive management to make a determination of the next steps through some type of an action plan, and what is it going to cost to remediate these. What kinds of resources do we need?
Some simple things ... that need to be done include creating a credit card handling policy and then conducting awareness training for all your employees. Now the requirement is to train everyone who is handling credit cards when they are newly hired and then annually. And part of that annual training is that the employee has to acknowledge that they received a copy of the credit card handling policy and understand what their responsibilities are. So those are some of the key steps that need to be taken right away.
HIPAA, PCI OverlapANDERSON: And is there any overlap between what HIPAA requires and what PCI requires?
WALSH: Well there is some overlap. The HIPAA security rule is kind of vague. It was written that way so it could be scalable. So it doesn't give you a lot of detail, whereas the PCI Data Security Standard is very specific and detailed in its requirements. So for example ... within the HIPAA security rule there is really no specification for passwords other than under the standard of security awareness training that we have to conduct password management training and we have to teach people how to manage their passwords. But when you look under the technical safeguard section, it talks about authentication but it doesn't specify passwords, which is probably the most commonly used method today in healthcare of authenticating a user. When you look at PCI, they have eight specific requirements on passwords. So they specify things like minimum password length and complexity, history and password expirations; it's very detailed.
So, if an organization can meet all of the requirements of PCI, you're going to be in great shape when it comes to HIPAA security compliance. The problem is that most organizations just can't afford right now to invest in their infrastructure as well as all the controls that are required to meet all the standards in PCI. If they could, it would be a great help with HIPAA.
ANDERSON: Finally, you'll be offering a webinar on PCI compliance strategies May 18, so tell us what information you are planning to provide in that event.
WALSH: In that webinar, I'm going to go into more detail about the PCI Data Security Standard. I'll also be talking about some of the common mistakes that I've seen in healthcare organizations as far as addressing the standard. We'll provide a more detailed action plan. ...