It’s easy to see why the healthcare industry is one of the industries most heavily targeted by cyberattacks. Healthcare organizations manage treasure troves of sensitive medical records and financial information that are highly sought after by cybercriminals. Plus, the widespread digital transformation in healthcare is inadvertently creating new vulnerabilities that hackers can exploit.  


A notable source of risk is the increasing use of payment card systems. More than ever, people are paying their medical bills with credit and debit cards, which creates new opportunities for cybercriminals to steal cardholder data. Healthcare organizations must therefore take reasonable precautions to prevent cardholder data from falling into the wrong hands, and the best way to do so is through PCI DSS compliance.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for all organizations that process, store, or transmit credit and debit card information. This includes hospitals, clinics, health insurance providers, and other healthcare companies that operate card payment systems.


Developed by major card brands (i.e., Visa, Mastercard, American Express, Discover, and JCB), PCI DSS helps businesses secure payment card transactions and prevent data breaches. It covers best practices for fortifying company networks, handling and encrypting cardholder data, setting access restrictions, and protecting user devices. 

Why should healthcare organizations comply with PCI DSS?

There are several reasons why PCI DSS compliance is vital for healthcare organizations: 

1. Defending against data breaches

There have been several high-profile attacks on healthcare institutions in 2021. For instance, the medical insurance company Florida Healthy Kids Corporation suffered one of the largest healthcare data breaches of all time. Reports found that hackers exploited vulnerabilities at the company’s web hosting provider, breaching the records of 3.5 million individuals. The types of information exposed included names, Social Security numbers, and financial information.


Another Florida-based company, 20/20 Eye Care Network, also discovered that the information of 3.3 million individuals was compromised and potentially exfiltrated. Class action lawsuits were later filed against the company for failure to protect medical records, contact details, and insurance information.


These large-scale breaches serve as a reminder that healthcare organizations must protect cardholder data and other sensitive information. Complying with PCI DSS helps organizations build a network with multiple layers of security. A strong network uses secure network access points, anti-malware software, next-generation firewalls and network monitoring, regular patch management, and periodic vulnerability assessments. By implementing these controls, healthcare companies make their systems much more difficult for cybercriminals to compromise.

2. Protecting client privacy and safety 

Healthcare organizations that don’t meet their PCI obligations can leave their patients’ financial and personal information exposed. For example, cybercriminals may use a victim’s stolen credit card information and medical records to obtain prescription drugs, make fraudulent purchases, or submit false health insurance claims. These cases of identity fraud can prevent patients from getting the medication, treatment, and money they need.


Healthcare organizations must comply with PCI DSS because doing so promotes a host of strategies to protect patient information and prevent identity fraud. One such strategy involves limiting access privileges to cardholder data and systems based on the user’s role within the organization. Another strategy requires companies to encrypt cardholder data at rest and in transit using 256-bit Advanced Encryption Standard (AES) keys. This converts the data into ciphertext that can be read only by those who hold the corresponding decryption keys.

3. Maintaining compliance with HIPAA 

The Health Insurance Portability and Accountability Act (HIPAA) has many security standards that overlap with PCI DSS. For starters, HIPAA requires organizations to ensure the privacy and integrity of protected health information (PHI) through encryption, access restrictions, and company-wide information security policies. It also broadly recommends the use of the latest network security solutions to prevent cybercriminals from gaining access to PHI and company devices. 


PCI DSS essentially requires organizations to implement the same measures, only it’s intended for the protection of payment card information. This means ongoing compliance with PCI DSS also sets organizations up to meet HIPAA requirements more easily, killing two birds with one stone.


4. Avoiding fines and lawsuits 

If organizations do not meet PCI DSS requirements, they can fail compliance audits and face steep fines. PCI DSS fines can range from $5,000 to $100,000 a month depending on the payment processor, the severity of the infraction, the size of the business, and the duration of noncompliance. There could also be fines ranging from $50 to $90 for each customer whose information was compromised during a data breach.


In addition, healthcare organizations may face even heftier fines and lawsuits from patients if a data breach resulted from negligent cybersecurity practices. Such lawsuits can be expensive to contest and may cost organizations millions of dollars.

5. Preventing reputational damage

Clients and patients trust healthcare providers to handle their data with the utmost discretion. However, providers can easily lose this trust if they’re not PCI-compliant and experience a data breach. News of a provider’s security blunder can spread like wildfire, creating a negative reputation within the healthcare industry. Organizations may even lose clients and patients, which can be catastrophic for their bottom line.  

6. Reducing costs

According to a recent report, the average cost of a healthcare data breach in 2021 is $9.42 million. Generally, the biggest sources of costs associated with data breaches include the following:


  • Time and resources to investigate and remediate a data breach
  • Resources spent to recover lost data
  • Costs of notifying individuals whose information has been compromised
  • Expenses related to credit monitoring services for affected individuals
  • Fines levied by government agencies and credit card companies
  • Class action lawsuits filed by patients whose information has been compromised
  • Loss of revenue due to damage to the organization’s reputation


While many large corporations can bounce back from these damages, smaller healthcare companies may not be so lucky. PCI compliance gives companies a better chance of preventing data breaches, thereby mitigating these losses.

What steps should healthcare companies take to be PCI-compliant?

There are eight major areas healthcare companies should focus on to be PCI DSS-compliant. These include: 


  1. Implementing advanced firewalls and anti-malware software
  2. Encrypting cardholder data
  3. Implementing strong access control measures
  4. Setting strong passwords and multifactor authentication for company accounts
  5. Limiting physical access to cardholder information (e.g., point-of-sale systems)
  6. Establishing company-wide data security and sharing policies
  7. Providing comprehensive security training (e.g., identifying phishing scams)
  8. Regularly monitoring networks for suspicious attempts to access cardholder data
  9. Conducting monthly vulnerability assessments 


Compliance with PCI DSS is not a one-time requirement but an ongoing effort that healthcare companies must take as seriously as their HIPAA obligations. To better manage PCI compliance, it’s worth enlisting a managed IT services provider with extensive experience working with the healthcare industry.


If your healthcare company needs an expert in data security and PCI DSS compliance, Dynamic Solutions Group is the answer. We provide thorough security consulting services and implement a cybersecurity framework that adheres to the latest compliance standards. Call us today to get started.