Healthcare Organizations Also Need a PCI Compliance Plan
While many healthcare organizations are very familiar with their roles in maintaining HIPAA compliance, many aren’t as certain about where they stand regarding Payment Card Industry (PCI) regulations.
These organizations have spent years with HIPAA regulations as their primary focus and they don’t always see the same volume of payment card use as retailers, so the maturity of their PCI compliance programs aren’t as robust.
But, if your healthcare organization stores, processes or transmits debit and credit card data, you must adhere to the same standards as retailers and financial institutions.
Just because you may have had a risk assessment as a result of your HIPAA compliance efforts does not mean that you have scoped the vulnerabilities in your payment card systems and processes. A gap analysis and remediation plan can also help you determine where to focus as you prepare to meet PCI compliance.
Another thing to keep in mind when pursuing PCI compliance is to evaluate the product or products your organization uses to process, store and transmit this sensitive data. Your vendors should have a Qualified Security Assessor (QSA)-validated PCI certification for the scope of their work.
Ask your card processor or bank if your vendors’ solutions are acceptable and you should not enter into any contractual agreements with these vendors until you’ve confirmed they’ve met PCI compliance goals.
Many healthcare organizations may choose to work with a QSA who is trained to evaluate the status of their organization’s PCI compliance program, provide insights into how best to address certain challenges and guide the organization through the maze of PCI compliance.
But the most important advice to remember is that PCI, like HIPAA, is an ongoing process. Completing your assessments, gap analysis and remediation plan isn’t the end. Instead, these are the tools to begin your compliance journey.
HIPAA and PCI regulations both force your company to maintain some security standards, but they don’t address all the aspects you need in order to have a robust risk management program. Most data breaches are opportunity-driven, which means your healthcare organization should engage with security experts who can implement a comprehensive security and compliance program.
At Sword & Shield, we don’t do “drive-by” assessments. As a security and compliance company, we work to ensure that your organization not only meets both your HIPAA and PCI compliance needs, but we stay with you to ensure the security of your organization’s networks, data and other information.
Request a consultation to see how we can become your partner for a secure future.