Credit Card Info on File? Bad idea.

Compliance

By: Brandon Barney, CISSP

Your office probably has patient credit and debit cards on file for easy payments, refunds, and chargebacks. You likely keep those cards in easy-to-access spreadsheets, word processing programs, online accounts, printed binders, or e-wallets for future reference.

Let me tell you why that is a really bad idea.

Although storing those numbers electronically may seem to speed up office procedures, credit card information kept in an unencrypted state could seriously jeopardize your practice.

If data is stored without proper encryption, it makes a hacker's work (stealing patient information) easier. If security precautions are taken and credit card information is not stored, hackers may decide not to spend the extra time on your network and move on to the next, less secure office.

Hackers use unencrypted credit card numbers to open credit card accounts, start mobile contracts, order from online stores, take over existing accounts, and obtain copies of personal documents like passports, all while using the victim's information gleaned from an unsuspecting practice.

If you think you're safe, you're probably wrong
The PCI DSS (Payment Card Industry Data Security Standard) is a set of requirements created by Visa, MasterCard, American Express, and Discover to protect customer credit card information. It is similar in spirit to HIPAA, except that HIPAA protects health information rather than payment information.

By accepting credit cards, a practice accepts the responsibility to protect transactions, and therefore promises to become PCI compliant. Storing credit and debit card data in an unencrypted state is 100% against the PCI DSS.

Even if you think your business doesn't store unencrypted payment data, you should probably double check. According to SecurityMetrics' Payment Card Data Threat Report, 71% of organizations store unencrypted card data, often unknowingly. In addition, you should never store sensitive authentication data (the data on the back of the card), even if encrypted.

So what is unencrypted card data anyway?
Unencrypted payment card data is the primary account number, cardholder name, card expiration date, or card's three-digit service code.

Unencrypted data may be stored behind the scenes of your payment network, leaving data readily available for criminals to steal. It may accidentally be saved on point of sale terminals, web servers, office workstations, hard drives, or USB drives.

Obviously you understand how card numbers are stored in Excel files and online accounts. You put them there! But what about accidental storage? How does that happen? Oftentimes, accidental storage occurs because files are improperly deleted, payment processing software is improperly configured, or computer backups restore files that were supposed to be deleted.

Unencrypted card data also hides in places outside of the typical card transaction environment. Do you have a person or department in charge of accounting or payroll? Accounting departments have been known to gather card numbers for charge reversals on shared network servers.

What happens if I don't remove it?
If hackers manage to get inside your network, they're looking for something that's easy to take. Because it is unprotected (and you probably don't even know it's there), unencrypted payment card data is simple for a hacker to detect, scoop up, and steal.

Here's the worst-case scenario. If there is a compromise, the card brands may demand a forensic investigation. Because there was a security issue in a healthcare environment, the HHS might become involved. You pay for all cleanup costs, including fines, penalties, and potentially a class-action lawsuit. Worst of all, your patients may lose their trust in you and take their healthcare needs elsewhere.

Unfortunately, as breach investigators, we hear compromise horror stories like that from businesses and healthcare entities every day.

To minimize the impact of compromise, you must purge unencrypted card data from your system!

Your first assignment
Find that data and remove it!

The easiest and most resource-friendly way to find unencrypted payment data is by using a card data discovery tool. These inexpensive (sometimes free) tools alert you to the location of card data so you can securely delete it. For example, PANscan® is automated scanning software that finds all unencrypted payment data on your system. It's recommended to use discovery tools periodically, and especially in places you may not think to look.
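To show what a card data discovery tool is actually doing, here is a minimal scanner added as an illustration (it is not PANscan or any SecurityMetrics code): it finds digit runs that pass the Luhn check and match a Visa, MasterCard, American Express or Discover prefix, and reports each hit by line number with the number masked, so the file can be located and securely deleted without the report itself becoming card data. The spreadsheet export it scans is constructed for the example.

```python
import re
from typing import Optional

# Candidate PAN: 13-19 digits, optionally split by single spaces or dashes, not glued to other digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check, which every brand named in the article uses."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def brand_of(digits: str) -> Optional[str]:
    """Simplified prefix/length rules for Visa, MasterCard, American Express and Discover."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "MasterCard"
    if digits[:2] in ("34", "37") and n == 15:
        return "American Express"
    if n in (16, 19) and (digits.startswith("6011") or digits[:2] == "65"):
        return "Discover"
    return None

def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, brand, PAN masked to first six/last four) per Luhn-valid, brand-matching number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            brand = brand_of(digits)
            if brand and luhn_ok(digits):   # phone numbers and patient IDs fall through here
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                findings.append((line_no, brand, masked))
    return findings

# Constructed sample: a "cards on file" spreadsheet export like the one the article warns about.
SAMPLE = """\
patient,phone,card on file,note
J. Doe,801-555-0100,4111 1111 1111 1111,refund pending
A. Roe,801-555-0199,5555-5555-5555-4444,chargeback
B. Poe,801-555-0123,1234567890123,13-digit patient id
C. Moe,801-555-0177,4111 1111 1111 1112,mistyped card fails Luhn
D. Zoe,801-555-0155,378282246310005,annual plan
"""
```

Running `scan_text(SAMPLE)` reports three findings (lines 2, 3 and 6); the patient ID and the mistyped card are rejected, which is why a real discovery tool combines a Luhn check with brand prefixes rather than grepping for long digit strings.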

The importance of encryption
As you are probably aware, not only is encryption crucial for payments security, it's crucial for HIPAA security. Encryption is a big deal in the HIPAA Security Rule. In fact, most of the breaches on the HHS Wall of Shame resulted from unencrypted laptops, unencrypted mobile devices, or unencrypted media.

The good thing about encryption is that it renders PHI unreadable and undecipherable. Even if a criminal manages to steal a doctor's laptop, if it's encrypted, that data will be worthless.

It's not just laptops that are recommended to be encrypted: individual folders, emails, USB drives, hard drives, and other media all have the potential to house PHI and are easy to steal, or lose. Healthcare entities that utilize these removable devices would benefit by implementing a strong level of encryption.

Just remember, hackers can't steal what isn't there. By using card data discovery tools, securely deleting unencrypted data, and encrypting other sensitive documents, you turn hackers away from your practice and onto easier targets.

Brandon Barney, CISSP, is the Security Support Director for SecurityMetrics, a global data security and compliance company. SecurityMetrics offers HIPAA solutions for small covered entities and can be reached at HIPAA@securitymetrics.com or 877.364.9183.

Total articles published on BC Advantage 3