A patient places a lot of trust in their healthcare provider. Not only do they trust a provider will protect them from misdiagnosis or hospital-acquired infections (HAIs), but they also trust them with valuable information, from health records to personal identifiers to credit card data. Just as hospitals follow rigorous protocols to prevent HAIs, they must also take steps to protect patients’ personal information.
Rapidly rising deductibles (now averaging $1,655 per person annually) mean more patients than ever pay out-of-pocket, putting copays and deductibles on their credit cards. As a result, healthcare providers store ever-increasing amounts of cardholder data. To make matters more complicated, hackers target the healthcare sector, whose networks are vaults for credit card data, personal identifiers like Social Security numbers, and health records.
Cyberattacks can even shut down healthcare systems or hospitals, preventing providers from delivering care in addition to putting patient information at risk. (In one case, a provider was forced to shut down its digital networks and delay radiation cancer treatments for multiple days.)
Enter the Payment Card Industry Data Security Standard, known as PCI DSS or simply PCI. In 2000, major credit card companies such as Visa and MasterCard began developing standards for secure payment processing. This eventually gave rise to PCI, which is now recognized worldwide as the industry standard for protecting cardholder data. This set of security measures ensures vendors and merchants store and transmit financial data securely. If a vendor fails to comply with PCI, the credit card company can bar that vendor from accepting its cards until corrective measures are in place.
PCI compliance is broken into six categories, each with its own specific requirements. All vendors and merchants who accept credit card information must:
- Build and maintain a secure network and systems through firewall installation and maintenance
- Protect cardholder data through encryption and safe storage
- Maintain a vulnerability management program to protect against malware and viruses
- Implement strong access control measures by limiting physical and digital access to data
- Regularly monitor and test network security systems
- Maintain an information security policy for all personnel
To certify compliance, the PCI Security Standards Council conducts rigorous, annual audits for its partners. With more than 300 questions, these audits trace the handling of credit card data, from how it’s entered to where it’s stored. Every step is accounted for, from the remote call center employee taking card details to encryption of the data in the network’s storage.
In addition to preventing hacking and theft, PCI standards guard against negligence on the part of providers. (Disconcertingly, a study about healthcare cybersecurity revealed that more than half of all data breaches were due to negligence by employees.) PCI requirements account for these errors by requiring a security policy for all employees, and by restricting employee access to card data.
Guarding cardholder data is an important aspect of earning—and keeping—patient trust. PCI-compliant partners like Parallon help hospitals and physician practices build patient trust by simplifying security setup and reducing the burden of compliance. By following PCI standards, healthcare providers can protect their networks and, more importantly, their patients.
Want to learn more about Parallon’s PCI compliance attestation? Reach out to one of our experts.