Financial transactions between multiple parties make the exchange of financial data commonplace in a connected environment like an integrated health system. Some payments are so seamless, consumers might not even realize a complex series of transactions is taking place. There are many opportunities in large, integrated healthcare delivery networks for Cardholder Data (CHD) to be handled, transmitted or stored improperly, which is where the Payment Card Industry Data Security Standard (PCI-DSS) comes in. Simply following the guidance of HIPAA does not ensure compliance with other information security standards such as those set forth in PCI-DSS.
PCI-DSS has been in the information technology space since 2006 and is headed by the PCI Security Standards Council. The council was created to promote safer handling of payment card information by merchants and vendors across all industries and is led by the largest financial institutions. As of March 2018, PCI-DSS is at Revision v3.2. Within the healthcare environment, additional standards and regulations must be followed.
Big Picture PCI-DSS Compliance Strategies
When it comes to compliance with PCI-DSS, there are unique differences between consumer-focused and healthcare-based entities. Not all customers in a transaction are patients, but all patients ultimately become customers or consumers when a payment for care is made with either a credit or debit card. This calls for even greater responsibility when handling, transmitting or storing CHD, Personally Identifiable Information (PII), Protected Health Information (PHI) and electronic Protected Health Information (ePHI), including the risk associated with third-party exposure.
“Big picture” strategies for PCI-DSS compliance include:
- Network Segmentation – This is the separation of all PCI-DSS traffic and storage onto its own secured and encrypted portion of a network.
- Point-to-Point Encryption – This involves a combination of secure devices, applications and processes that encrypt data from the point of interaction to receipt at the processor’s endpoint.
- Avoiding the retention of cardholder data (CHD) and using alternate methods for recurring transactions (e.g., token transaction systems).
Future Planning Considerations
On June 30th, 2018, entities that require PCI-DSS compliance will need to disable SSL/Early TLS protocols. Many entities still use these encryption protocols for backward compatibility, yet they have not been considered secure for years. Network traffic should be monitored for these protocols to determine whether any payment information is being sent over them.
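One way to perform the monitoring described above, as an added example that is not part of the original article: a Python parser that reads the version a server selected from a captured TLS ServerHello record and flags flows below a configurable floor. It assumes each record is complete and that "SSL/early TLS" means SSL 3.0 and TLS 1.0; the function names, sample flows and documentation addresses are constructed for illustration.

```python
import struct

# Assumption: "early TLS" means TLS 1.0, so TLS 1.1 (0x0302) is the floor;
# set MIN_ALLOWED = 0x0303 to require TLS 1.2.
MIN_ALLOWED = 0x0302
NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def negotiated_version(record: bytes):
    """Return the version a server selected, or None if not a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:      # 0x16 = handshake record
        return None
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 39 or body[0] != 0x02:         # 0x02 = ServerHello
        return None
    version = struct.unpack("!H", body[4:6])[0]
    # TLS 1.3 leaves 0x0303 in this field and states the real version in the
    # supported_versions extension (0x002b), so walk the extensions for it.
    pos = 39 + body[38] + 3   # skip header, version, random, session id, suite, compression
    if pos + 2 > len(body):
        return version
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        if ext_type == 0x002b and ext_len == 2 and pos + 6 <= len(body):
            return struct.unpack("!H", body[pos + 4:pos + 6])[0]
        pos += 4 + ext_len
    return version

def audit(flows):
    """Return (flow label, version name) for each flow below MIN_ALLOWED."""
    versions = ((label, negotiated_version(rec)) for label, rec in flows)
    return [(label, NAMES.get(v, hex(v))) for label, v in versions
            if v is not None and v < MIN_ALLOWED]

def _server_hello(version, ext=b""):
    # Builds a constructed ServerHello record (sample data, not a capture).
    body = struct.pack("!H", version) + bytes(32) + b"\x00\x00\x2f\x00"
    body += struct.pack("!H", len(ext)) + ext if ext else b""
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs

# Constructed sample flows (documentation addresses), not real captures.
SAMPLE = [("192.0.2.10:443", _server_hello(0x0301)),
          ("192.0.2.11:443", _server_hello(0x0303)),
          ("192.0.2.12:443", _server_hello(0x0303, bytes.fromhex("002b00020304"))),
          ("192.0.2.13:443", _server_hello(0x0300))]
```

Calling `audit(SAMPLE)` reports the TLS 1.0 and SSL 3.0 flows and passes the TLS 1.2 and TLS 1.3 ones. SSL 2.0 uses a different record layout and is not parsed here.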
Currently, biometric data (e.g., using your fingerprint to pay for a product or service) does not count as a protected piece of financial information under PCI-DSS. This does not absolve an organization of its responsibility to protect this type of Personally Identifiable Information (PII), as it still needs to be protected under HIPAA. PCI-DSS might be updated to require protection of this information in the future. A key example of a payment workflow involving biometrics is Apple Pay, where a consumer authorizes a credit card transaction through the use of his or her fingerprint or facial recognition.
Where Are You Vulnerable?
PCI-DSS compliance goes well beyond the requirements of HIPAA, and the complex financial transactions processed by healthcare organizations put them at considerable risk. A thorough analysis of health system operations is required to understand exposure points and quantify risk associated with handling payment card information. Developing an understanding of what payment card information is processed by an entity (if any) is critical to determining the remediation required to reach PCI-DSS compliance.
For more information on PCI-DSS compliance, visit: https://www.pcisecuritystandards.org/pci_security/