Tip: Comply with PCI DSS to help ensure the security of your patients' financial information

HIPAA Weekly Advisor, March 2, 2009

The Payment Card Industry Security Standards Council updated its Payment Card Industry Data Security Standard (PCI DSS) on October 1, 2008. If you’re doing a good job complying with HIPAA, you’re probably also doing a good job complying with these standards, which help organizations that process credit card payments prevent fraud, hacking, and other security vulnerabilities. “Once you’ve got HIPAA down, you’re probably 80%–90% there,” says John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates in Ellicott City, MD.
 
But organizations must understand that although some of the same security good practices apply to HIPAA and PCI DSS, the latter requires a much more direct approach to security standards. The current version of the standard highlights the following 12 compliance requirements, organized into six related control objectives:
  • Build and maintain a secure network
    • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect cardholder data
    • Requirement 3: Protect stored cardholder data
    • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Maintain a vulnerability management program
    • Requirement 5: Use and regularly update antivirus software
    • Requirement 6: Develop and maintain secure systems and applications
  • Implement strong access control measures
    • Requirement 7: Restrict access to cardholder data by business need-to-know
    • Requirement 8: Assign a unique ID to each person with computer access
    • Requirement 9: Restrict physical access to cardholder data
  • Regularly monitor and test networks
    • Requirement 10: Track and monitor all access to network resources and cardholder data
    • Requirement 11: Regularly test security systems and processes
  • Maintain an information security policy
    • Requirement 12: Maintain a policy that addresses information security

Editor’s note: This tip is excerpted from the article, “Protect your organization’s wallet: Comply with PCI DSS,” which appears in the March issue of the HCPro, Inc. newsletter, Briefings on HIPAA.
