Health Information Management

Tip: Comply with PCI DSS to help ensure the security of your patients' financial information

HIM-HIPAA Insider, March 2, 2009

The Payment Card Industry Security Standards Council updated its Payment Card Industry Data Security Standard (PCI DSS) on October 1, 2008. If you’re doing a good job complying with HIPAA, you’re probably also doing a good job complying with these standards, which help organizations that process credit card payments prevent fraud, hacking, and other security vulnerabilities. “Once you’ve got HIPAA down, you’re probably 80%–90% there,” says John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates in Ellicott City, MD.
 
But organizations must understand that although some of the same security good practices apply to HIPAA and PCI DSS, the latter requires a much more direct approach to security standards. The current version of the standard highlights the following 12 compliance requirements, organized into six related control objectives:
  • Build and maintain a secure network
    • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect cardholder data
    • Requirement 3: Protect stored cardholder data
    • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Maintain a vulnerability management program
    • Requirement 5: Use and regularly update antivirus software
    • Requirement 6: Develop and maintain secure systems and applications
  • Implement strong access control measures
    • Requirement 7: Restrict access to cardholder data by business need-to-know
    • Requirement 8: Assign a unique ID to each person with computer access
    • Requirement 9: Restrict physical access to cardholder data
  • Regularly monitor and test networks
    • Requirement 10: Track and monitor all access to network resources and cardholder data
    • Requirement 11: Regularly test security systems and processes
  • Maintain an information security policy
    • Requirement 12: Maintain a policy that addresses information security
 Editor’s note: This tip is excerpted from the article, “Protect your organization’s wallet: Comply with PCI DSS,” which appears in the March issue of the HCPro, Inc. newsletter, Briefings on HIPAA.

Most Popular