The growing number of data breaches in health care has become a major concern. In 2017 alone, 477 healthcare breaches were reported, affecting 5.6 million patient records.
Although any type of data breach is a major threat to healthcare organizations, breaches or leaks that compromise patients’ financial information are among the worst, causing reputational damage and carrying significant financial and regulatory risks.
PCI Compliance—a Key First Step
As the healthcare industry continues to be a target for patient data breaches, and more and more patients are using credit cards to pay their copayments or medical bills, healthcare organizations are expected to be compliant with the Payment Card Industry (PCI) Data Security Standard, administered by the Payment Card Industry Security Standards Council. A company—no matter the size—that stores, processes, or transmits credit card data must be compliant with this standard or face fees by its card processor.
The PCI compliance framework uses best practices that are required for a minimum level of security, such as external vulnerability scans, hardened antiviral protection on each workstation, password strength requirements, least-privilege access, and strong controls around remote access. Healthcare organizations should use tools that are available through the PCI compliance framework to help identify compliance gaps. The PCI-required Self-Assessment Questionnaire (SAQ) is a great tool for this purpose. The Prioritized Approach tool, which is available through the PCI Council at no cost, also can help organizations prepare their networks for compliance. This tool helps identify and prioritize requirements that tend to carry the most risk.
Although costs for PCI compliance vary, limiting PCI scope to as small a part of the production system as possible can save healthcare organizations time and money both in reaching compliance and in enabling compliance sustainability over time. All PCI rules apply to all systems that are in-scope, so PCI rules that are challenging to begin with are multiplied exponentially with each in-scope system. Scope can be limited with firewalls or other networking technology or architecture that exercises strong access control. Keep in mind, no matter the size of an organization’s PCI compliance project, the costs and hassles are almost certainly smaller than dealing with a breach.
A Security-First Environment
Ideally, compliance and security are meant to go hand in hand, but they don’t always match up in practice. This is especially true when an organization takes a “check-box” approach to compliance rather than taking its entire payment environment into account. A sustainable and meaningful, or security-first, approach is key, because compliance is validated annually.
Healthcare executives and IT departments focused on building a security-first environment are better positioned to react quickly and strategically after a data breach, and they may even be able to prevent breaches from occurring in the first place. They look at PCI compliance not as a list of check-boxes, but as one of the many tools in their arsenal to help mitigate business risk. Security is most effective when it is part of the organizational culture. In a world of global connectivity, data security must always be top-of-mind for organizational leaders and staff.
The following security practices can help limit PCI scope and offer alternatives to handling card data in-house:
Point-to-point encryption. This process obfuscates data from the point of interaction (when a patient swipes a credit card or types out the credit card number) until the data reach a secure decryption site outside the merchant environment.
Tokenization. This practice involves assigning a reference token to the credit card number so a PCI-certified third party can store the card data for an organization while the organization only retains the token, which holds no value to hackers.
E-commerce third-party redirects. This method takes patients to a secure, PCI-validated third-party payment page when they are ready to make a credit card payment. If a healthcare organization uses or is considering this approach, it is critical for it to make sure all service providers outside of its own production systems that store, process, or transmit patients’ credit card data on its behalf are PCI compliant.
Network segmentation. Networks that have no segmentation are referred to as “flat” networks. Maintaining such a network is a bit like operating a bank with guards at the front door and no security measures inside. If attackers get through the front door (firewall), they have free rein. Instead, healthcare organizations can prevent hackers from wandering freely throughout their production systems by building in network segmentation with strong access controls that act as additional security checkpoints throughout the system and that can limit attackers’ progress or the amount of data they can access.
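The tokenization practice described above, as an added example that is not from the original article or from Wind River Financial: the vault class stands in for the PCI-certified third party, the merchant class shows what the healthcare organization itself retains, and the sample card numbers, Luhn check and record layout are constructed assumptions.

```python
import secrets

# Constructed sample card numbers: these are industry test numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


def luhn_valid(pan: str) -> bool:
    """Reject malformed input before it is tokenized (Luhn checksum)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the PCI-certified third party that holds the card data.
    The merchant holds tokens only; the PAN lives in this vault."""

    def __init__(self) -> None:
        self._store = {}        # token -> PAN, never exposed to the merchant

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # The token is random, not derived from the PAN, so it cannot be
        # reversed or guessed and has no value to anyone who steals it.
        token = "tok_" + secrets.token_hex(16)
        while token in self._store:
            token = "tok_" + secrets.token_hex(16)
        self._store[token] = pan
        return token

    def detokenize(self, token: str):
        return self._store.get(token)


class MerchantRecords:
    """What the healthcare organization keeps: token and display hint only."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.records = []       # rows stored in the merchant's own systems

    def save_payment(self, patient_id: str, pan: str, amount_cents: int) -> dict:
        token = self.vault.tokenize(pan)
        record = {"patient_id": patient_id, "token": token,
                  "last4": pan[-4:], "amount_cents": amount_cents}
        self.records.append(record)
        return record

    def contains_pan(self, pan: str) -> bool:
        """Scope check: a full PAN must never appear in the merchant's stored data."""
        return any(pan in str(v) for r in self.records for v in r.values())
```

Because the merchant's records hold only a random token and the last four digits, the systems that store them stay out of the card data environment, which is the scope reduction the article is after.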
Healthcare organizations should keep a few general security best practices top-of-mind and regularly share reminders and conduct training organizationwide. Examples include routinely installing up-to-date versions of security software, as well as individual security patches; ensuring there are strong backup practices to protect against different types of attacks (e.g., ransomware); and considering an update to next-generation antivirus software that uses machine learning and artificial intelligence to detect malicious software behavior instead of relying on legacy virus signatures.
Another proven best practice is to regularly educate employees on the dangers of phishing and of opening attachments or clicking on links in suspicious emails. Phishing is the catchword for criminals attempting to get employees inside organizations to open attachments or click on links that deliver malicious software, which can steal the employee’s login credentials, for example. All levels of staff should be educated and occasionally tested on social engineering—that is, the practice of manipulating people into sharing customer information. There is no silver bullet, so organizations should focus on layered protections.
By adopting a “security-first” mindset, healthcare organizations can protect themselves against breaches and more quickly recover should a breach occur.
Doug Buan is director of risk management at Wind River Financial, Madison, Wisc.