PCI-DSS and HIPAA

The security standards share common ground

By Ross Federgreen, founder of CSRSI

One of the greatest challenges facing the electronic transactions industry today is the issue of security requirements under various rules and regulations. For most people in the industry, the issue centers on the specifics of the Payment Card Industry Data Security Standard (PCI DSS), but it may be much broader than that.

Many other security rule sets are currently in force, and they touch the merchant population that the industry serves. Federal legislation with security requirements includes Title II of HIPAA (the Health Insurance Portability and Accountability Act) of 1996, the Gramm-Leach-Bliley Act of 1999, the Sarbanes-Oxley Act of 2002 and FACTA (Fair and Accurate Transaction Act) of 2003.

Covered Entity

Of those federal regulations, the one with the broadest reach among the merchants that the industry serves is HIPAA. In HIPAA terminology, the merchant’s equivalent in terms of effect is the “covered entity.” According to the Department of Health and Human Services, at least 4 million covered entities are merchants.

Wayne Orkin, president of One Health Systems, has a strong background in the merchant services field. His company has been an active ISO for more than 10 years and represents thousands of merchants. Because of his focus on the healthcare community, Orkin was one of the first to understand the fundamental relationship between PCI and HIPAA.

“It is very clear to me that no healthcare facility can survive today without accepting merchant services and further, no healthcare facility can survive without total compliance with HIPAA,” he says, adding, “One of the greatest challenges that we as an organization face is helping our merchants comply both with the rules of HIPAA and the rules of PCI. I am constantly amazed by how much similarity exists.”

Breina Montalvo, owner of COCARD and a former member of the Electronic Transactions Association’s Best Practices Committee, is a longtime advocate of PCI-DSS compliance. She believes compliance is critical to the preservation of the electronic payment system, and she has often stated that the ISO community’s responsibility is to provide merchants with the tools necessary to become compliant. Like Orkin, she has noted over the years that the similarities between the security requirements of HIPAA and PCI-DSS are striking, and she has spent considerable time developing these themes with the merchants she works with.

“Doing compliance right is not an easy thing but, with the correct tool kit, this task is made manageable and doable,” she says. “By attaining compliance with PCI, many of my healthcare merchants have been able to better understand and meet the requirements of HIPAA Title II.”

HIPAA

HIPAA consists of multiple titles that correspond to broad sets of issues. Title II consists of a number of components, including security. The full name of the security standard is the “Security Standards for the Protection of Electronic Protected Health Information.” The final security rule is divided into three broad categories of safeguards: administrative, physical and technical. The security rule addresses the security needed to support the privacy rule.

Title II treats security as a business process. Although HIPAA is generally associated with the health professions, through the concept of business associates of healthcare organizations its reach is deep and broad. Businesses that can be affected by the HIPAA rules include those in the banking, accounting and financial services industries.

In essence, any organization that provides services involving patients’ confidential data from a healthcare organization is required to adhere to the same standards for security and protection as the healthcare organization itself. The rule requires each covered entity to take a number of factors into account when implementing the rule set, including evaluating its risk, mitigating identified risk and accepting the remaining risk as a cost of doing business. The rule set imposes a constant state of vigilance: each entity must be prepared to have its compliance tested at any time.

Failure to comply with the security rule can lead to both civil and criminal penalties. The Office of Civil Rights of the Department of Health and Human Services administers HIPAA. There have been approximately 575 criminal referrals from the Office of Civil Rights to either the Department of Justice or the Centers for Medicare and Medicaid Services. Civil fines can range up to $25,000 per year per incident, and criminal penalties range from fines of $50,000 and up to one year in prison to fines of $250,000 and 10 years in prison.

Title II Specifications

There are numerous standards, or specifications, under Title II. It is important to note that the security rule applies only to electronic protected health information, while the privacy rule under HIPAA applies to protected health information in electronic, paper or spoken form.

The specifications are divided into two categories: addressable and required. Addressable standards must be assessed on an individual basis to determine whether, within the specific covered entity, implementing them would provide or contribute to the safeguarding of electronic health information. Required standards must be implemented.

Addressing Addressable Standards

To determine if an addressable standard should be implemented, perform a three-part test.

• Part One: To determine the entity’s risk, ask “What current circumstances leave the entity open to unauthorized access and disclosure of electronic protected health information?”

• Part Two: To determine the entity’s security, ask “What security measures are already in place or could reasonably be put in place?”

• Part Three: To determine the entity’s financial capacity, ask “How much will implementation cost?”

The security standard is divided into three groupings of safeguards.

Administrative safeguards are the administrative functions that should be implemented to meet the security standards. Examples include the security management process, assigned security responsibility, workforce security, security awareness and training, security incident procedures and others.

Physical safeguards protect electronic systems, equipment and data from threats, environmental hazards and unauthorized intrusion. Examples include facility access controls, workstation use, workstation security, and device and media controls.

Technical safeguards automate the processes used to protect data and control access to it. Examples include access controls, audit controls, integrity, person or entity authentication and transmission security.

PCI-DSS

The PCI-DSS is the underlying rule set for electronic payment compliance. It affects all entities that store, process or transmit cardholder data in any manner. Under the current rules, no particular payment configuration exempts an entity from compliance.

PCI-DSS compliance requirements are driven by several interrelated metrics: the number of transactions handled annually, the risk that a merchant represents to the payment system, and certain intangible factors that the individual card brands use in determining a merchant’s compliance level or category.

PCI-DSS compliance for merchants consists of two broad components. The first is successful completion of the annual assessment questionnaire; the second is successful completion of quarterly penetration scans. The annual assessment questionnaire is meant to test specific functional compliance with the various requirements of the standard. The current questionnaire consists of 75 questions, each of which must be answered either in the affirmative or with the indicator N/A (not applicable). For each of the 20 of those 75 questions for which N/A may be used, a full written explanation of the N/A must accompany the document when it is filed with the acquirer.

The requirements of PCI-DSS are divided into the six major groupings listed below.

• Build and maintain a secure network

• Protect cardholder data

• Maintain a vulnerability management program

• Implement strong access control measures

• Regularly monitor and test networks

• Maintain an information security policy

These are further divided into 12 requirements, each of which mandates specific policies, procedures and practices.

Common Rules

HIPAA and PCI-DSS requirements have many areas in common, including management of the security process, assignment of security responsibility, information access, security training, security incident reporting, contingency planning, facility access, workstation use and disposal requirements.

For example, requirement 9 of PCI-DSS version 1.1 addresses physical security, and HIPAA’s sections 164.310(a)(1) and 164.310(a)(2)(ii) address similar concerns.

Section 9.1 of PCI-DSS v1.1 states: “Use appropriate facility entry controls to limit and monitor physical access to systems that store, process or transmit cardholder data.”

HIPAA standard 164.310(a)(1) states: “Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed while ensuring that properly authorized access is allowed.”

HIPAA standard 164.310(a)(2)(ii) states: “Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering and theft.”

A second example relates to the establishment of the security management process.

Section 12.1 of PCI-DSS v1.1 states: “Establish, publish, maintain and disseminate a security policy that accomplishes the following:”

12.1.1 Addresses all requirements in this specification.

12.1.2 Includes an annual process that identifies threats and vulnerabilities and results in a formal risk assessment.

HIPAA standard 164.308(a)(1) states: “Implement policies and procedures to prevent, detect, contain and correct security violations.”

HIPAA standard 164.308(a)(II)(A) states: “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity.”

Insurance Perspective

Greg Richmond, principal of Doeren Mayhew Risk Management LLC, brings a knowledgeable perspective to the issue; he has a strong background in both the electronic payments and insurance industries. In discussing these issues, he pointed out that the historical basis for HIPAA was much different from that for PCI-DSS.

“HIPAA was originally meant to control the flow of medical information regarding employees to employers and benefit portability, while PCI-DSS was meant to protect consumer private data,” he says. He adds that current HIPAA risk insurance is provided under a fiduciary liability policy. In the case of PCI-DSS insurance, the available policy is a manuscript policy, custom developed for the specific needs of the at-risk population seeking coverage. The policy, which addresses the issues of PCI-DSS compliance with the merchant base in mind, was developed by Royal Group Services and is titled “Compromised Data Expense Reimbursement Contractual Liability Insurance Policy.”

Conclusion

PCI-DSS and HIPAA are two compliance standards with wide application and broad implications. Detailed knowledge of these standards, their history and their areas of overlap will allow the ISO to be of greater value to many of the 4 million HIPAA-covered entities that accept merchant services.

ProtoBase®, PbAdmin®, SofTrans®, are registered trademarks of Elavon, Inc. All other trademarks are the property of their respective companies. ©2004-2007, Southern DataComm, Inc.
