No Industry is Exempt from PCI DSS Compliance
While companies work hard to achieve the PCI compliance standards put in place by the PCI SSC, there is still one industry that seems to be lagging behind: the healthcare industry. This news may be alarming to many, as an industry that collects such sensitive information has not taken the necessary steps to protect it.
Achieving compliance is not a new concept for healthcare practitioners, as they already have to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. However, there is now more than one set of regulations in place for these practitioners to meet. The focus on HIPAA compliance may be causing healthcare professionals to overlook the PCI compliance requirements that have been put forth, and as a group they are falling behind the average small business in PCI compliance. There have been several publicly known breaches of patient data at healthcare providers, such as South Shore Hospital in Weymouth, MA and Hartford Healthcare and its Midstate Medical Center affiliate in Meriden. Midstate experienced a data breach in the first week of April 2011 that may have compromised the medical records of 93,500 patients. The information that was accessed included patient names, medical record numbers, addresses, dates of birth, and Social Security numbers.
Connecticut Attorney General George Jepsen has been investigating the Hartford Healthcare data breach. Jepsen is concerned with the lack of security for patient records and believes that hospitals “have a duty to protect that information from unlawful disclosure.” He has asked that the hospital provide two years of credit monitoring services, identity theft insurance, and reimbursement of the cost of security freezes for the affected patients.
For the most part, larger hospitals and institutions have been following the PCI standards, but it is the smaller practices that seem to struggle with achieving the PCI DSS requirements. This puts these smaller, independent medical and dental offices at greater risk for data breaches, because they now become easy targets for hackers. In part, the risk is created because their networks are not as sophisticated as those of larger institutions, and they don’t have IT teams updating and securing their information as frequently. Even practices that continue to keep and use paper records need to comply with PCI DSS, as data stored in hard copy formats is also addressed in these requirements.
While it is easy to think that an independent practice or small institution would face less of a need to achieve PCI compliance, this is not the case. Ultimately, any organization in any industry and of any size that is not PCI DSS compliant is at greater risk of a data breach. A business of any size that stores, processes, or transmits cardholder data must follow the PCI DSS requirements and be PCI compliant. Choosing not to satisfy these requirements may result in non-compliance fees, possible loss of the ability to process credit cards, and restitution costs for patients, clients, or customers who are affected by a data breach through a non-compliant business.
For more information, read our PCI Compliance Guide.