What the Healthcare Industry Might Learn from Payments and the PCI Data Security Standard
At first glance, you might not think that the challenges of securing private patient information or valuable intellectual property in the healthcare industry have much to do with the world of payments and credit cards. However, with mounting privacy legislation across healthcare, a closer look at the Payment Card Industry Data Security Standard (PCI DSS) could be well worth the time. But remember, there is a big difference between a law and a standard.
Just like vital patient information in healthcare, securing consumers’ payment card data is critical for merchants who accept credit cards, whether online or in physical stores. Yet the vast proportion of data records lost or stolen are still credit card numbers. To overcome this, credit card companies, payment processors, large retailers and smaller merchants work together to define and enforce the PCI DSS. The standard goes far beyond the vague language of most privacy legislation.
It defines a set of 12 specific requirements that span traditional technologies such as anti-virus and firewalls, newer data protection approaches such as tokenization, and the associated management practices. Compliance with the standard is assessed annually and, depending on transaction levels, could involve external, PCI-certified assessors.
It’s important to recognize that virtually nothing in the PCI DSS is specific to credit card information. Almost all of its requirements could be applied to healthcare data assets, so there are several comparisons that can be drawn to protecting healthcare data. It has taken more than five years to iron out the wrinkles in implementing PCI DSS, and security practitioners in the healthcare sector can take advantage of that experience.
Furthermore, a number of technology markets such as databases and storage systems have reacted to the needs of PCI DSS and dramatically simplified the process of deploying notoriously complex technologies such as encryption and key management – advances that can be easily adopted in healthcare.
However, although there are many similarities, there are also significant differences, which probably mean that if the healthcare industry does move to specific technology mandates, the result might look quite different from a simple healthcare version of PCI DSS. Here’s an overview of some of those differences:
- PCI DSS is a global standard whereas the healthcare industry is administered on a much more regional basis.
- The standard is managed by an industry body comprising powerful and expert players that have a strong influence on its future (Visa, MasterCard, etc.), whereas healthcare is often regulated by government or other entities, typically with less technical expertise and subject to political motives. Technology, and more importantly security, leaders will need to emerge in the healthcare industry to help create, manage and enforce a standard.
- PCI DSS is focused on protecting a narrow set of data types, most of which have very distinct formats (credit card numbers, expiry dates), whereas healthcare data tends to be much less structured: X-ray images, medication histories and hospital schedules are obvious examples. Also, the volume of healthcare data is much greater. All of this needs to be carefully considered by technology and security experts when it comes to protecting data.
- In most cases credit card data comes from a tightly controlled number of sources (Point of Sale (POS) card readers, ATMs, etc.), whereas healthcare information originates from a wide variety of sources, including clinics, hospitals and doctors. The standard would have to encompass medical devices, application software and paper documents at all of these organizations.
- Credit card data is not widely used once it is captured; in most cases cardholder data is used in real time to conduct a transaction and can then be erased. Healthcare information, by contrast, is retained for long periods and widely shared by numerous interested parties that all need access to the data, probably on a highly selective basis.
- The payments industry has a strong commercial incentive to make security work correctly, while the healthcare industry is focused, quite rightly, on helping people. It’s always a goal of security practitioners to make security transparent (assuming you’re not the attacker), but it’s very rarely achieved; in healthcare that goal may be significantly harder to reach and could well force important trade-offs to be made. The right decision makers, including some from outside the industry, should be consulted so the proper standard can be developed.
Although there are unique challenges and possibly a long road ahead for a healthcare standard on securing patient data, at one point the payments industry was in the same situation, and now it has PCI DSS. Fortunately, healthcare can look to PCI DSS to help map out a standard, identify expected roadblocks and solve these challenges, all in service of the goal of securing valuable patient data.
Richard Moulds is the executive vice president and data protection expert at Thales e-Security
Edited by Jennifer Russell