Compliance Today, July 2014, a publication of the Health Care Compliance Association (www.hcca-info.org). This article, published in Compliance Today, appears here with permission from the Health Care Compliance Association. Call HCCA at 888-580-8373 with reprint requests.
HIPAA? Check. PCI? Unknown.
by Tod Ferran

Although similar, HIPAA and PCI security standards protect different information.
Payment card-accepting entities are required to comply with the PCI DSS.
Unlike ambiguous healthcare requirements, PCI compliance includes specific action items.
PCI compliance may include quarterly scans, annual self-assessment, and remediation.
Remote access and misconfigured firewalls are serious cardholder security threats.

Tod Ferran (tod@securitymetrics.com) is a security analyst at SecurityMetrics in Orem, UT.

Healthcare entities prove they care about patients' healthcare data by adhering to the HIPAA Privacy and Security Rules. But what about patients' credit card information? A set of requirements similar to HIPAA, the Payment Card Industry Data Security Standard (PCI DSS), [1] governs the security of payment card data. Covered entities and business associates that accept credit, debit, or other payment cards are required to comply with the PCI DSS. No buts. Even if you process only one credit card transaction per year, you are still required to comply with PCI.

Let me quickly address this mandate's origins. The PCI DSS is maintained by the PCI Security Standards Council, founded in 2006 by the major card brands (Visa, MasterCard, American Express, Discover, and JCB) to standardize payment card security; the card brands and acquiring banks enforce it. Which PCI DSS requirements apply to your entity depends on your card processing environment, that is, how you store, process, and transmit cardholder data.

HIPAA vs. PCI
Now that the history lesson is out of the way, you should know that HIPAA compliance does not equal PCI compliance. HIPAA was designed by government committees to protect citizens' data. The PCI DSS is not regulated by the federal government (although some states, such as Nevada, now require it) and was designed by a private industry to reduce fraud-related costs. By signing the merchant agreement that lets your organization accept credit and debit cards, you agreed to follow the card brands' rules, and that means you also agreed to follow the PCI DSS.
PCI at a glance
PCI standards have gone through several clarifying iterations and are generally very focused. Most PCI requirements have multiple validation points. Validation (or proof) is mandated by some merchant processors and is a way to document your compliance; reviewing policy documentation, for example, is a validation. To summarize, PCI DSS 2.0 contains 292 requirements with 1,030 validation points.

HIPAA at a glance
Even though HIPAA regulations have existed for about as long, they have not gone through an audit/feedback improvement cycle. Because they were created without a sound basis in the types of technology required to secure
patient data, these standards are vague. Even after a thorough examination of the standard, it is difficult to know what really must be implemented to meet each requirement. To summarize, the HIPAA Security Rule contains 75 requirements with 254 validation points.

While there is some overlap between the two standards, it is surprisingly not as much as one might expect. In fact, HIPAA requirements cover only about 31% of PCI compliance. The point is, if you are required to comply with both PCI and HIPAA mandates, you should understand that they are distinct and require mostly different security procedures and protections. Just because you are compliant with HIPAA does not mean your card processes are secure, and vice versa.

Fines and penalties enforce PCI
As with HIPAA, if you are found non-compliant with the PCI DSS, you are also more vulnerable to data compromise: the controls you are missing are the ones that stop breaches. Generally speaking, a merchant bank enforces PCI DSS compliance through fines and penalties, but the card brands can also get involved when a compromise occurs. Fines for PCI breaches are much more common than Department of Health and Human Services (HHS) fines resulting from HIPAA violations.

What is required to become PCI compliant?
As with HIPAA, there is a generally advised process for becoming PCI compliant. Typical steps for an organization include, but are not limited to:
- Addressing the requirements found in a self-assessment questionnaire (SAQ);
- Completing quarterly vulnerability scans and reporting the results; and
- Annually attesting to compliance.

Part 1: Self-assessment questionnaire
A PCI SAQ is similar to a HIPAA risk management plan. Unlike a risk management plan, however, nine specific SAQ forms are provided to organizations.
Organizations choose SAQs based on how they handle payment card information. The requirements in an SAQ vary from 13 to 270 and include action items such as installing and maintaining a firewall, using anti-virus software, and restricting physical access to cardholder data. Here is an example of the difference between SAQs: SAQ A organizations outsource every cardholder data process. Because they do not handle, process, or transmit card data themselves, they are not required to fulfill as many requirements. At the opposite end of the spectrum, SAQ D organizations electronically store cardholder data and transmit data over the Internet, and must fulfill quite a few more requirements. [2]

Part 2: Vulnerability scanning
All entities that process, handle, maintain, store, or transmit payment card data over the Internet (most of you) are required by the PCI DSS to complete vulnerability scanning (Requirement 11.2 calls for internal and external scans at least quarterly and after any significant change, with the external scans performed by an Approved Scanning Vendor). Vulnerability scans are automated, high-level tests that identify known weaknesses in
software, hardware, and network structures. Some scanners are able to identify more than 50,000 unique external weaknesses. This is an important aspect of PCI, because cybercriminals discover new and creative ways to hack businesses daily. By scanning at least quarterly, organizations stand a better chance of remediating known issues in their networks and systems before hackers take advantage of them. Vulnerabilities that are not remediated render all completed scanning (and other security precautions) worthless; a scan only counts toward compliance once the findings have been fixed and a rescan passes.

Part 3: Annually attest to compliance
In both HIPAA and PCI, security is like a living, breathing organism that needs to be nourished to survive. Even though compliance attestation is required every year, compliance is not a one-and-done exercise; it is an ongoing process. As servers and point-of-sale (POS) terminals are upgraded or replaced, or as software patches and updates are released, your PCI DSS compliance status may change, requiring you to reassess and implement new technology or processes in order to remain PCI DSS compliant.

What are the most important parts of PCI?
I have found that prioritization is a great way to maintain sanity and quickly reduce the highest threats. If you only have one hour per week to spend on PCI, get the high-risk items done first. Do not waste time on PCI requirements that do not provide immediate protection, not at the beginning, anyway. If I were creating a plan for a healthcare entity, I would ensure these seven risks are taken care of first:

1. Remote access, Req. 8.3: By far the leading method attackers use to breach merchant computer systems is compromising weakly configured remote access applications. If you use pcAnywhere, VNC, LogMeIn, Remote Desktop, or any other remote access tool, ensure it requires two independent methods of authentication: something you know (your user name and password) plus something you have or are (such as a hardware token or a one-time code). Having an authorized onsite person enable each remote access session only when it is needed, and disable it immediately afterward (Req. 12.3.9), is a valuable additional control, but it does not replace the second factor.

2. Default/weak/nonexistent passwords, Req.
2.1: During one investigation, SecurityMetrics discovered an IT company that had set up 50 merchants with the same software configuration and passwords. Default passwords for many payment applications are a mere Google search away, so make sure you change every vendor default, not just the login password: default SNMP community strings, wireless keys, and unnecessary vendor accounts count too.

3. Firewalls, Req. 1.3: According to the SecurityMetrics forensic investigation team, nearly 50% of all small merchants investigated do not have a firewall in place, and many that do have one do not configure it properly. Processing credit cards without a firewall is a virtual time bomb. A properly configured firewall makes it difficult for hackers to get into your system and, if outbound traffic is restricted to what the payment system actually needs, even harder to get data out.

4. Payment processing software, Req. 6.1: In a study by GFI Software, [3] 50% of businesses have suffered critical IT failures from operating with non-secure payment processing software and from installing bad software patches. Even a compliant POS application can be configured to improperly store unencrypted credit card numbers. Your payment applications should be validated as compliant with the Payment Application Data Security Standard (PA-DSS) [4] and properly configured with the latest updates and patches.

5. Wireless security, Req. 4.1: This was the Achilles' heel of T.J. Maxx, the US retailer reported to have lost 45.7 million credit card numbers to hackers. [5] The fix is simple: do not employ wireless technology in the credit card processing environment. Even when a wireless network is protected by strong encryption, the method to hack
that encryption may be right around the corner. (The more recent Target breach was not a wireless incident.)

6. Employees, Req. 12.4: According to SailPoint research, [6] 22% of US employees would feel comfortable selling their employer's data. Background checks, security cameras, and unique login credentials for each employee will help you monitor employee conduct. Ensure employees know their actions are being monitored and that data theft will be dealt with through termination and prosecution.

7. Incident response and training, Req. 12.9: The Target breach will likely become the poster child for actually responding when an attack is underway. Two different security products, from FireEye and Symantec, generated alerts during the early stages of the attack, before any data was stolen. If the security teams had been trained properly and had responded in a timely manner, the loss of 110 million customer records could have been prevented.

If any of those requirements did not make sense, or if you do not feel qualified to begin a PCI compliance process, that is where a Qualified Security Assessor (QSA) comes in. A QSA's job is to help entities get through the PCI compliance process properly. Visit the PCI DSS website for more information. [7]

References
1. PCI Security Standards Council: Payment Card Industry Data Security Standard, Requirements and Security Assessment Procedures, version 2.0. October 2010. Available at http://bit.ly/1tyzhba
2. PCI Security Standards Council: Self-Assessment Questionnaire. Available at http://bit.ly/1hkauzy
3. GFI Software, Press Center: 50% of Businesses Have Suffered IT Failures Due to Bad Software Updates. June 21, 2011. Available at http://bit.ly/1kelbvg
4. PCI Security Standards Council: Validated Payment Applications. Available at http://bit.ly/1tz0hq1
5. Mark Jewell: T.J. Maxx theft believed largest hack ever. NBC News website, March 30, 2007. Available at http://nbcnews.to/1ume6n0
6. Joan Goodchild: Many employees would sell corporate information, finds study.
CSO website, July 26, 2011. Available at http://bit.ly/1hbjehc
7. PCI Security Standards Council: PCI SSC Data Security Standards Overview. Available at http://bit.ly/1pdalhl