Are You PCI Compliant?
March 22nd, 2010

First off, let’s dispel a common myth: “We’re HIPAA compliant, therefore we are PCI compliant.” Not necessarily. The principles are the same, but “the devil is in the detail”. While healthcare providers are familiar with the privacy protection laws related to HIPAA, most are unaware of the particulars of the Payment Card Industry Data Security Standard (PCI DSS), which all entities that accept credit cards, regardless of volume, must adhere to.
According to a survey conducted by MasterCard in 2008 and 2009, over 66% of physicians and 88% of hospitals accept credit cards. For physician practices with more than 6 providers, credit card acceptance is as high as 96%. With a majority of healthcare providers accepting credit cards, it is surprising that up to 70% are not compliant with PCI DSS.
Many of us are familiar with the large, well-publicized credit card security breaches that have recently occurred. However, a full 70 percent of all security breaches involve small companies, with 32 percent of breaches occurring at companies with fewer than 100 employees. As healthcare providers, it is of the utmost importance that you protect your patients’ financial data. It is not only the right thing to do, but it is good business. As a “merchant” who accepts credit cards you are agreeing, whether you know it or not, to comply with the PCI DSS requirements.
Severe penalties and sanctions can be levied against organizations that fail to be PCI compliant:
- Fines up to $500,000 per incident levied by your bank and the card associations
- Banishment from accepting future credit card payments
- Fines up to $100,000 per incident for not notifying customers of the probable thefts of their information levied by certain state governments
If you’re unsure of the answer to the question “Are you PCI compliant?”, we advise you to contact industry experts and solicit some professional advice. A good place to start is with the company that provides your merchant processing. Recent updates to the PCI DSS now require these entities to validate that all of the merchants in their portfolio are in fact compliant.
The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The core PCI DSS principles can be referenced on the Payment Card Industry’s website: https://www.pcisecuritystandards.org/index.shtml
Here is a summary of the elements of the PCI DSS and how they may impact healthcare providers:
Build and Maintain a Secure Network – If you store credit card data, you must install and maintain a firewall configuration to protect cardholder data. Practice management systems that process and/or store credit card information must be protected with the most up-to-date firewall protection.
Protect Cardholder Data – Protect stored cardholder data: do not file patient statements that have been returned with the cardholder’s credit card information in the patient’s chart. All returned statements containing card data should be destroyed, and the handling and disposal process should be clearly documented. Another strategy to protect cardholder data is to provide your patients with a patient payment portal and encourage them to use it as a method of making secure payments.
Maintain a Vulnerability Management Program – Use and regularly update anti-virus software, and develop and maintain secure systems and applications. If you store credit card data, ensure it is encrypted and that only the last four digits of the card number are ever visible.
Implement Strong Access Control Measures – Restrict access to cardholder data to only those personnel with a “need-to-know”. If you utilize a payment gateway, ensure that each user has a unique username and password known only to them. For security purposes and accountability, at no time should application users share a username or password. Additionally, ensure all activities surrounding the setting up of payments or running of transactions can be tracked to those individual users. Here are some username and password guidelines:
- Never use an email address as a username
- Do not use or rely on application-generated usernames or passwords
- Ensure passwords contain at least 1 upper case character, 1 lower case character, and 1 numeric digit.
- Passwords should be changed every 30 days, and new passwords cannot match any of the 4 previous passwords
- Ensure access is removed immediately for terminated employees
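The rules in this list can be enforced in code rather than left to habit. The checks below are an added example (not ClearGage code) covering the email-as-username rule, the character classes, the 30-day age and the four-password history; the stored history format (a salt and a PBKDF2 hash per previous password) is an assumption so that old passwords are never kept in plaintext.

```python
"""Account rule checks for the guidelines above.
Added example, not part of the original article; the history record format is assumed."""
from __future__ import annotations
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MAX_PASSWORD_AGE = timedelta(days=30)   # "changed every 30 days"
HISTORY_DEPTH = 4                       # "cannot match any of the 4 previous passwords"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 so the stored history holds no plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_history_entry(password: str) -> tuple[bytes, bytes]:
    """Record a password that is being set: (random salt, derived key)."""
    salt = os.urandom(16)
    return salt, derive(password, salt)


def username_problems(username: str) -> list[str]:
    return ["username is an email address"] if EMAIL_RE.match(username) else []


def password_problems(candidate: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """history holds (salt, derived) pairs, most recent first."""
    problems = []
    if not re.search(r"[A-Z]", candidate):
        problems.append("missing upper-case character")
    if not re.search(r"[a-z]", candidate):
        problems.append("missing lower-case character")
    if not re.search(r"[0-9]", candidate):
        problems.append("missing numeric digit")
    for salt, old in history[:HISTORY_DEPTH]:
        # Constant-time compare of the candidate derived under each old salt
        if hmac.compare_digest(derive(candidate, salt), old):
            problems.append("matches one of the previous %d passwords" % HISTORY_DEPTH)
            break
    return problems


def password_expired(last_changed: datetime, now: datetime) -> bool:
    return now - last_changed > MAX_PASSWORD_AGE
```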
Regularly Monitor and Test Networks – Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes. For additional security, you may want to limit cardholder data access to those computers with a specific IP address.
Maintain an Information Security Policy – Maintain a policy that addresses information and cardholder data security. Ensure that all personnel involved in handling this data attend training, and document their attendance.
To ensure you know the correct answer to the question “Am I PCI compliant?”, we suggest you complete the self-assessment questionnaire provided by the PCI Security Standards Council at https://www.pcisecuritystandards.org/saq/index.shtml#saq
Our product, the ClearGage Payment Accelerator, is both HIPAA and PCI compliant and utilizes the most sophisticated security protocols available today. Our security infrastructure includes:
- Physical System Security – our network security covers all three critical security areas: physical security, operational security and system security.
- Firewalls – Built upon a hardened, purpose-built operating system for security services, our firewalls provide the highest level of security and have earned many industry accolades including ICSA Firewall and IPsec certification and Common Criteria EAL4 evaluation status.
- Anti-virus Protection – One of the 12 requirements that comprise the PCI DSS (Payment Card Industry Data Security Standard) is to “use and regularly update anti-virus software.” HIPAA also requires entities to implement “procedures for guarding against, detecting and reporting malicious software.” The ClearGage network anti-virus solution is powered by Sophos, a dominant force in IT security and control around the world. Sophos provides complete protection and control by defending against known and unknown malware, spyware, intrusions, unwanted applications, spam, policy abuse and uncontrolled network access.
- VPN System Management Access is part of our standard firewall configuration.
- Intrusion Detection – Every second of every day we closely monitor our environment, guarding it against threats like worms, Trojans, botnets and unauthorized intruders.