Helping US Healthcare Providers Treat a Security Problem

Transcription

1 WHITE PAPER Helping US Healthcare Providers Treat a Security Problem

2 1 We ve diagnosed a problem in US healthcare Many providers may not knowingly realize that they are risking serious embarrassment and damage to their business security by failing to meet industry worldwide standards for safeguarding consumer card data. Almost 90 percent of US hospitals and two-thirds of the country s doctors now take payment by plastic and for practices with more than six physicians, credit card acceptance is as high as 96 percent. 1 Add to these estimates the healthcare sector s often slow collection processes, the business of seeking payment before treatment and the danger of industry members falling victim to security breaches and the situation can become at best awkward and at worse a legal minefield. Many prominent headlines about high value card data breaches can lead organizations to assume only the largest companies are vulnerable. However, the fact is that 70 percent of breaches affect small companies and 32 percent happen to businesses with less than 100 staff; so everyone is at risk. 2 1 Survey conducted by MasterCard in 2008 and Quoted in Are You PCI Compliant? on (March 22 nd 2010)

3 2 Meeting PCI DSS To enforce high protection standards for card payment data across all business sectors and reassure consumers, the Payment Card Industry Data Security Standards (PCI DSS) were introduced in The standards are supported by all major card issuers and every organization accepting card payments must comply so if you ve got a terminal or a way in which you accept card payments, you ve agreed knowingly or not to comply with PCI DSS. Currently, it s believed almost 70 percent of US healthcare providers fall short of the standards, despite the consequences for their businesses being potentially disastrous. 2 What does PCI DSS mean to you? The PCI DSS requires that you: Build and maintain a secure network Protect cardholder data in all primary, secondary and tertiary applications Maintain a vulnerability management program Implement strong access control measures Regularly monitor and test networks Maintain an information security policy 3 In practice, PCI compliance is relevant to all organizations who accept card payments, including healthcare providers, and requires implementing security best practices to protect cardholder data by taking steps like installing firewalls, encrypting all relevant information, implementing detailed processes to safeguard username and password security; and arranging documented training for staff. 2 Quoted in Are You PCI Compliant? on (March 22 nd 2010) 3 See 4 Quoted in PCI DSS: Not on Healthcare Providers Radar, by Jim Lacy, on (June 19 th 2009) Risk of complications Meeting the PCI DSS standards requires you re in adequate health. But if you re not fit, you risk: Fines of up to $500,000 per breach, levied by your bank and the card providers Banishment from accepting future card payments Fines assessed by some state governments of up to $100,000 per occurrence for failing to notify customers about probable thefts of their data 2 In addition to the aforementioned sanctions, the indirect cost of lost reputation through bad publicity can be catastrophic to any business, including healthcare businesses that end up a victim of fraud or theft. Why is this healthcare payment card security compliance risk so widespread? Various urban myths seem to have arisen in the healthcare sector about PCI DSS compliance which need to be quashed. Among them are: Compliance doesn t affect Medicare reimbursement, so it s not that important Reaching PCI DSS compliance is always expensive You don t need to bother if you only process a few credit card payments Compliance with the Health Insurance Portability and Accountability Act (HIPAA), which mandates the security of protected health information, is a substitute for PCI DSS. 4

4 3 Is self-medication an option? Yes you can attempt to achieve and maintain PCI DSS compliance without expert assistance, but this can be a demanding and time-consuming exercise that requires detailed knowledge of business processes, security and technology. And, it can get expensive at a particularly difficult time in the economic cycle. If you go down the self-help road, you ll probably be increasing expenses like provisioning for new infrastructure and engaging PCI qualified security assessors to carry out penetration tests, which are often priced at more than $2,000 a day. On top of that, recent research showed the largest merchants typically pay $225,000 for compulsory on-site PCI audits each year, with the largest 10 percent outlaying more than $500,000! 5 The prescription for cost-effective compliance Everyone in healthcare knows recovering fully from a serious condition usually only happens when an expert manages the treatment regime. Compliance with PCI DSS is no different and TNS has the expertise and knowledge to provide you with the guidance you require helping you towards achieving PCI DSS compliance. In outsourcing your payment services and infrastructures to us you re hiring one of the world s leading managed network and processing service providers, with a 20-year record in providing purpose-built secure networking solutions and processing transactions for some of the biggest names in the card payments industry. We re proud of our unrivalled reputation for experience, security and reliability. We were also one of the first global players to achieve PCI DSS compliance after the standard was introduced in 2006 and we ve retained that status ever since. Calling on our expertise and utilizing our solutions will therefore allow you to remove clear cardholder data from your payment network and take other giant strides towards offloading the compliance burden. If you d like to know more about how TNS can help relieve the pain of PCI DSS compliance please contact us; health@tnsi.com Call: Visit: 5 Study conducted by Ponemon Institute, March 2010

5 4 About TNS Transaction Network Services (TNS) is a leading provider of fast, reliable and secure transaction-oriented services for the world s leading retailers, banks/processors, telecommunications companies, financial markets, and healthcare organizations. We combine innovation, advanced technology, experience and expertise to offer complete end-to-end solutions, allowing customers of all types to maximize their communications capabilities and increase efficiencies while reducing overhead and cost. Visit us at: for more information. December 2010