These days, healthcare organizations have their hands full when it comes to compliance. In addition to adhering to a slew of industry regulations, such as HIPAA and HITECH, designed to protect patients’ confidential information, medical facilities of all sizes are also facing increasingly stringent requirements from the Payment Card Industry Data Security Standard.
That’s right—PCI. PCI DSS, a series of 12 rigorous and detailed mandates governing customer data protection, applies to any organization that stores, processes or transmits credit card information—and that includes medical facilities from small doctors’ offices to major research hospitals. “If you take a Visa card, you have to be PCI compliant,” says Kevin Flynn, Fortinet senior product marketing manager.
Meanwhile, the healthcare industry is lagging behind other sectors in meeting the demands of PCI compliance, and this holds especially true for the smallest doctors’ and dentists’ offices.
Some of it may be a lack of understanding within a healthcare industry that is playing “catch up” to other sectors in terms of security. No doubt, there is a lot of overlap between healthcare data protection standards and other compliance regulations. But just because an organization is HIPAA compliant doesn’t necessarily mean that it’s meeting all the conditions for PCI, Flynn says. “In general, people can build on what they’re already doing with HIPAA, but specific regulations are required for PCI.”
More often, the lag can be attributed to the high costs of compliance and to the lack of resources, IT staff and infrastructure characteristic of many small businesses.
So, what can small healthcare organizations do to take the sting out of PCI compliance?
Hands down, one of the most effective solutions is consolidation. In the whitepaper “Towards a Consolidated Approach For PCI DSS Compliance In Healthcare,” Flynn addresses the core disciplines of PCI compliance—networking (fixed and wireless); data and databases; IT assets/end-points; and web applications—and how their specific requirements could be most efficiently met by cash-strapped medical facilities.
For example, PCI requires that fixed networks be equipped with security measures such as real-time perimeter anti-virus, IPSec/VPN tunneling support, IDS/IPS, use of strong cryptography (SSL/IPSec), support for digital certificates, two-factor user authentication and event monitoring, among other things—all of which can be met cost-effectively with an all-in-one Unified Threat Management device.
Likewise, a centrally managed database solution is best for meeting PCI objectives such as vulnerability assessment and penetration testing, configuration management, access control assessment and real-time monitoring.
And for web applications, many headaches can be avoided by deploying a web application firewall that provides protection against DoS and buffer overflow attacks at both the HTML and HTTP level; access control and web application user authentication; monitoring and management of error events; and a web application vulnerability scanning capability, among other things.
Even so, Flynn warns that PCI DSS, while comprehensive, is not a substitute for a robust security infrastructure tailored to your own IT environment.
“The nature of the industry is that by the time a regulation has come through, the technology has advanced and the threat environment has changed and evolved,” Flynn says. “That’s something to keep in mind.”
It is actually a nice and helpful piece of information. I am happy that you just shared this helpful information with us. Please keep us up to date like this. Thank you for sharing.