
Hospitals face a compliance crackdown on credit card security

by Dan Conley, Principal, Beacon Communications | May 17, 2016
The PCI SSC sheriff is coming
Hospitals are well aware of the financial and reputational threats posed by non-compliance with HIPAA, Meaningful Use requirements, and the host of safety regulations governing their operations. They’re generally less informed about another major player in the compliance game: the PCI Security Standards Council (PCI SSC).

The council, formed by the major card brands, maintains the PCI Data Security Standard (PCI DSS), the set of safeguards intended to protect cardholder data; compliance is enforced by the card brands and acquiring banks rather than by the council itself. Any organization that accepts card payments is a "merchant", and every device where a card is swiped or keyed in, and every network over which that data is transmitted or on which it is stored, falls within the standard's scope. Modern hospitals are therefore subject to it.

The attention is warranted: rising out-of-pocket medical costs mean that patients are paying by card more often in health care settings, and data breaches are on the rise. In a 2015 study of five umbrella categories (including government/military and banking/credit/financial), health care ranked second in the number of security breaches in the previous 12 months. All told, 112 million records were exposed as a result of those breaches.
The traditional approaches to achieving PCI compliance for processing and storing card data are expensive to implement and maintain, and they require lengthy annual assessments. A solution introduced this month by OnPlan Health and Bluefin Payment Systems may be a cost-effective alternative. According to the companies, it is the first system to combine Bluefin's PCI-validated point-to-point encryption (P2PE) with OnPlan's tokenization, shrinking the PCI DSS scope for health care providers and, with it, the annual assessment burden.

Greg Cornwell, Bluefin's SVP of Security Solutions, said, "The partnership between OnPlan Health and Bluefin Payment Systems has resulted in the first PCI-validated Point-to-Point Encryption (P2PE) solution designed expressly for health care. The system arrives on the market at a moment of increased monitoring and proliferating threats to credit card data security."

A tricky path to compliance

Currently, the large majority of hospitals capture cardholder data by keying it into web-based payment applications on ordinary workstations, a configuration that puts that data at significant risk and pulls general-purpose PCs, and the network they share, into PCI DSS scope. Because scope extends to every system that stores, processes or transmits cardholder data, and to any other system on the same network that is not segmented from them, complying with the standard is more difficult than it may first appear.
