What are the obstacles preventing health care organizations from complying with the PCI DSS? Those of us who conduct PCI gap assessments can attest that the level of compliance varies widely between organizations. Determining the root causes of this lack of compliance is a good first step towards resolving it.
Lack of PCI Compliance: Root Causes
PCI compliance comprises a long list of requirements and is a significant responsibility for organizations of all sizes. Moreover, maintaining compliance is a continuous process that requires constant vigilance and incurs ongoing costs. The challenge for healthcare organizations is finding and implementing an approach that meets the PCI requirements while avoiding the pitfalls of complex activities that affect business processes, budgets, technologies and other resources.
Healthcare organizations tend to underestimate what achieving, and then maintaining, compliance involves. Management may not fully appreciate the extent of the card payment environment or the number of systems, applications, databases and technologies that fall within its scope and must therefore meet the requirements. Any system component that stores, processes or transmits cardholder data, or is connected to one that does, is in scope, so accurately scoping the environment, and reducing it where network segmentation, tokenization or point-to-point encryption allow, is the first practical step; remediating everything left in scope can be a costly endeavor. Ultimately, a cultural change is needed to improve three common areas that prevent health care organizations from complying with PCI:
- Awareness and Understanding
- Accountability and Responsibility
- Resources and Support
Awareness and Understanding
A report released in November 2012 titled, "A Tale of Two Merchants: The Fourth Annual Survey of Level 4 Merchant PCI Compliance Trends," highlighted the lack of awareness and understanding involved in achieving and maintaining PCI compliance. The 2012 report shows a trend of minimal improvement in awareness and an indifference toward the risk of a data breach. Just over half of its respondents indicated they were aware of the PCI DSS; the remaining 47 percent were "unsure" of or "not at all" familiar with it. That finding, combined with 79 percent of respondents believing they face little-to-no risk of a breach, indicates a serious lack of understanding.
Since the PCI Security Standards Council was formed in 2006, the Council, the payment card brands and acquiring banks have tried to ensure that all organizations are aware of the PCI DSS. These efforts are still falling short, despite a robust Council website offering ample awareness material, training and supporting documentation.
To help drive PCI compliance, healthcare organizations should develop and document awareness and training responsibilities for the key positions on which the success of the program depends. At a minimum, responsibility for ensuring awareness throughout the organization should rest with representatives in finance, information security, legal and compliance; every health care organization has assigned responsibility in at least one of these disciplines. These representatives need to build awareness and understanding at all levels. Confirming that stakeholders understand the implications of the PCI DSS and the consequences of failure will push healthcare organizations closer to achieving compliance.
Accountability and Responsibility
Once familiar with the PCI requirements, health care organizations quickly learn that compliance is not just an information technology issue. Many of the requirements do address securing information technology systems and infrastructure. But it is unfair to burden the IT department with the entire compliance effort, because other requirements fall to non-IT functions, such as finance (the merchant relationship with the acquiring bank), human resources (personnel screening and security awareness training) and physical security (access to areas where cardholder data is handled), and those functions should be engaged and own their parts.
This leads to another reason healthcare organizations lag in their compliance efforts: a lack of defined and assigned accountability and responsibility. Without them, healthcare organizations do not perform to their potential and standards are allowed to slip. Activities are not completed in a timely manner, and because the organization is not performing as expected, morale can suffer as well. The full burden of PCI compliance then falls on a few people, who are often overwhelmed because the effort has not been shared equitably.
On the other hand, health care organizations with thriving accountability and responsibility look quite different. Accountability and responsibility enable management to create ownership across the organization: ownership of problems, successes, goals, initiatives, people and results. In essence, this is called getting things done. Accountability and responsibility set the controls in place, drive the organization, and indicate what is and isn't on track. Through accountability and responsibility, healthcare organizations make three important discoveries:
- Whether they’re on the right course
- Whether they’ve got the right people in the right places
- Whether they’re achieving goals
With these findings, health care organizations can gain perspective on instituting change and setting new objectives.
If the plan to become PCI compliant does not build in accountability and responsibility, it will be business as usual for all but a frustrated few. Accountability and responsibility help drive change. This means that each PCI requirement, measure, objective, data source and initiative must have an owner. It is essential for healthcare organizations to assign accountability for PCI compliance, with clear roles and responsibilities defined and documented.
Resources and Support
Insufficient resources, whether financial or staffing, hinder the ability of organizations to reach PCI compliance. Too often, a healthcare organization's ambitions outstrip the resources it is willing or able to allocate to attain its goals. Organizations underestimate the resources necessary for execution: not only the time needed, but also the capabilities of the individuals involved, the associated costs and the risks inherent in improper execution. Beyond having too few resources, the way limited resources are allocated can be another factor impeding PCI compliance efforts. When formulating a plan for achieving PCI compliance, it is critical to identify realistically the resources and time frames required.
Due to the sheer breadth and scope of PCI compliance, a large part of the organization may be affected by these efforts. Navigating the PCI DSS is therefore a task best undertaken with adequate staffing, financial resources and support. One consideration is to enlist the help of those who have been there before and can make recommendations based on past experience; doing so can be the difference between costing and saving the organization time and money. Costs vary dramatically with several factors, the most significant being how the PCI DSS requirements are resolved, since there are a myriad of products and services in the marketplace and not every combination is practical for a given environment. The role of experienced professionals is to pull these choices together into an integrated solution, saving time and money in the process.
Another consideration is to "operationalize" the PCI compliance initiatives. Many healthcare organizations use the term "operationalization" to refer to the act of relating concrete measurements and action plans to overall strategic initiatives. Breaking strategies down into more attainable and concrete goals is a necessity for proper execution. Allowing team members to see these operational goals on a consistent basis, such as in a Balanced Scorecard, can help create a unified focus on execution.
Despite the possibility of data breaches and the threat of fines and penalties, many healthcare organizations are still not complying with the PCI DSS. While it is tempting to focus on the downside of non-compliance, there are in reality many positive aspects of PCI compliance. The PCI DSS provides a comprehensive information security framework that details technical controls interwoven with the policies, procedures and standards that make those controls effective on a day-to-day basis. By properly implementing the PCI DSS and achieving and maintaining compliance, health care organizations are better prepared to prevent and detect a host of attacks against their information assets, at both the network and physical levels. Ultimately, compliance can improve the security posture of healthcare organizations and in all likelihood lead to fewer breaches.
Brian Evans, CISSP, CISM, CISA, CGEIT, is a principal at Tom Walsh Consulting, which focuses on healthcare information security. Brian assists healthcare organizations in building regulatory compliant information security programs and has over 20 years of combined experience in healthcare IT management, consulting and information security. He previously served as Information Security Officer at the University of Alabama Birmingham Health System, New York Hospital Queens, Fletcher Allen Healthcare, Atlantic Health and the Ohio State University Health System. He also led the Incident Response and Computer Forensic Investigations teams for Nationwide Insurance and was Vice President, IT Risk Management at KeyBank and JPMorgan Chase. Brian held IT management positions at the Ohio Department of Health and started his career as a medic in the U.S. Air Force. He earned a Master's in Public Administration from the University of Cincinnati and a B.S. in Business Management from the University of Maryland.