Cisco PCI Solution for Healthcare Design and Implementation Guide
Solution Overview

Table Of Contents

Solution Overview

Executive Summary

Solution Justification

Target Market

Applications and Services Supported by the Solution

Solution Benefits

Solution Features and Component Highlights

Network Systems

Hosts and Servers

Monitoring and Management

Encryption

Data at Rest Encryption

Data in Motion Encryption

Authentication

Policy

Other Applications and Services

Scope of the Solution

Architecture

PCI Compliance

Solution Results


Solution Overview


Executive Summary

The PCI Solution for Healthcare is a set of configurations and recommendations to protect data at rest and data in motion on wired and wireless networks. The solution is designed to conform to the Payment Card Industry (PCI) Data Security Standard (DSS) 1.1. The solution was built and tested using point-of-sale (POS) systems, payment devices, wireless client devices, data encryption software, and Cisco network infrastructure, and was validated by a PCI Qualified Security Assessor (QSA) audit partner. The result is a set of designs for hospitals, healthcare offices/clinics, data center, and Internet edge deployments that simplify the process of a healthcare facility becoming PCI compliant.

Any company that processes credit card transactions has the responsibility to adhere to the standards described in the PCI DSS 1.1 standard, regardless of transactional volume levels. As a result, healthcare organizations worldwide are under pressure by their respective banks to become PCI compliant. New business applications are making PCI a "top of mind" topic, through self-registration kiosks, bedside payment services, and online payment of medical expenses. In addition, the healthcare industry has had a sharp rise in targeted attacks.

A SecureWorks study reports an 85% increase in attacks from January 2007 to January 2008. Theft of medical information has resulted in credit card fraud, and theft of credit card information has resulted in medical information mistakes. The addition of new applications also raises the healthcare entity's PCI merchant level, bringing them "onto the radar" where in the past they could stay unnoticed. As a result, healthcare organizations will start receiving monthly fines for not being PCI compliant.

The healthcare market for PCI is comprised of multiple healthcare facilities that process credit card transactions for either payment of services or identification for patient registration:

Hospitals

Remote Offices and Clinics

Medical Centers and Schools

Critical Care Centers

Healthcare Payment and Insurance Providers

Dental Offices

Animal Hospitals

To pass PCI compliance, a healthcare provider must address its procedures, security policies, and technical infrastructure so that it can demonstrate adherence to the PCI DSS v1.1 specification sub-requirements. Once a company becomes compliant, there are ongoing requirements to maintain compliance. The PCI Solution for Healthcare demonstrates how to build the infrastructure, secure data in transit and at rest, and how to monitor and maintain the configurations. Figure 1-1 shows the PCI Solution for Healthcare conceptual view.

Figure 1-1 PCI Solution for Healthcare—Conceptual View

Solution Justification

The PCI DSS version 1.1 affects all healthcare facilities that process, store, or transmit credit or debit card information over their networks. Many Cisco healthcare customers have asked for a comprehensive recommendation on how best to prepare a network for a PCI audit and how to remediate the non-compliant parts of the network to achieve a successful audit. They have also asked about how to manage and monitor their network on an ongoing basis after it has passed a QSA PCI audit so that in the next annual review of the network, they stand the greatest chance of passing the audit once again. The PCI Solution for Healthcare helps such customers answer these questions.

Target Market

Healthcare facilities that process payment transactions are required to meet PCI DSS guidelines. By modeling healthcare networks, the data center, and the Internet edge infrastructure, the solution is adaptable to many different healthcare deployments. Table 1-1 lists and describes the PCI merchant levels for the United States and Europe. Table 1-2 through Table 1-5 show the PCI merchant levels for Canada, Asia, Latin America, and Central Europe, Middle East and Africa (CEMEA). Source: VISA.

Table 1-1 PCI Merchant Levels for US and Europe

Merchant Level | Description
1 | Any merchant, regardless of acceptance channel, processing over 6,000,000 VISA transactions per year.
  | Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
  | Any merchant that VISA, at its sole discretion, determines should meet the level 1 merchant requirements to minimize risk to the VISA system.
  | Any merchant identified by any other payment card brand as level 1.
2 | Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 VISA transactions per year.
3 | Any merchant processing 20,000 to 1,000,000 VISA e-commerce transactions per year.
4 | Any merchant processing fewer than 20,000 VISA e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 VISA transactions per year.

Table 1-2 PCI Merchant Levels for Canada

Merchant Level | Description
1  | Any merchant, regardless of acceptance channel, processing over 6,000,000 VISA transactions per year.
   | Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
   | Any merchant that VISA, at its sole discretion, determines should meet the level 1 merchant requirements to minimize risk to the VISA system.
   | Any merchant identified by any other payment card brand as level 1.
2  | Any merchant processing 150,000 to 6,000,000 VISA e-commerce transactions per year.
3  | Any merchant processing 20,000 to 150,000 VISA e-commerce transactions per year.
4A | Any merchant processing 1,000,000 to 6,000,000 transactions per year.
4B | Any merchant processing fewer than 20,000 e-commerce transactions per year.


Table 1-3 PCI Merchant Levels for Latin America

Merchant Tier | Description
1 | High-risk merchants with 80% of transaction volume (capable of storing credit card data)
  | E-commerce merchants with 80% of transaction volume
  | Any merchant that has suffered a hack or an attack resulting in an account data compromise
2 | High-risk merchants with the remaining 20% of transaction volume
  | E-commerce merchants with the remaining 20% of transaction volume
3 | All other merchants


Table 1-4 PCI Merchant Levels for Asia

Merchant Level | Description
1 | Any merchant that processes more than 50,000 VISA accounts per month
  | Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
  | Any merchant that VISA, at its sole discretion, determines should meet the level 1 merchant requirements to minimize risk to the VISA system.
  | Any merchant identified by any other payment card brand as level 1.
2 | Any merchant, regardless of acceptance channel, processing 10,000 to 50,000 accounts per month
3 | Any merchant processing fewer than 10,000 accounts per month


Table 1-5 PCI Merchant Levels for CEMEA

Merchant Level | Description
1 | Any merchant, regardless of acceptance channel, processing over 6,000,000 VISA transactions per year.
  | Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
  | Any merchant that VISA, at its sole discretion, determines should meet the level 1 merchant requirements to minimize risk to the VISA system.
  | Any merchant identified by any other payment card brand as level 1.
2 | Any merchant processing fewer than 6,000,000 VISA transactions per year.


Applications and Services Supported by the Solution

The primary applications that are supported by the PCI Solution for Healthcare include:

Highly secure transport of payment card information across the wired and wireless network.

Highly secure storage of data at rest, at the electronic POS system (cash register), on an in-store server, or in the data center.

Network and systems management, monitoring and remediation services.

Solution Benefits

The solution demonstrates how to design healthcare networks that conform to PCI DSS 1.1 guidelines. Customers can simplify the process of becoming PCI compliant by building a similar network with the recommended configurations and best practices outlined in this design guide. In addition, the solution provides the following benefits:

Insight into the Cisco Medical-Grade Network architecture based on global best practices

A scalable set of reference designs that can be used during the PCI compliance process.

A detailed analysis and mapping of Cisco and partner components to the PCI DSS sub-requirements that are satisfied by leveraging features in those products.

Insight into compensating controls and best practices to harden healthcare network and data systems.

A centralized management "tool kit" that provides operational efficiency compared to managing the distributed endpoints individually.

Insight into the PCI audit process by providing a lab model and associated Report on Compliance (ROC) from Verizon Business (QSA).

Solution Features and Component Highlights

The solution features and components consist of the following:

Network Systems

Hosts and Servers

Monitoring and Management

Encryption

Authentication

Policy

Other Applications and Services

Network Systems

Routing—Cisco Integrated Services Router (ISR) and 7xxx headend routers provide IP routing services across the healthcare network. Each healthcare facility uses either a single or pair of ISRs to consolidate WAN services, routing, identity, and security services into a single platform with local and centralized management services. The same platform can also serve as the hub for network quality-of-service (QoS), voice call control, and other application services. The WAN aggregation and Internet Edge routers are Cisco 7206VXR routers that support a wide variety of WAN interfaces and allow specific types of traffic into the data center.

Switching—Cisco Catalyst Ethernet switches connect endpoints to the IP routed network. All Cisco Catalyst switches facilitate the use of VLANs, access control and quality-of-service to segment LAN traffic based on security or business requirements. Cisco Catalyst 6500's provide the high-performance, highly scalable and highly available platform to transport payment traffic from the hospitals WAN routers, across the core switches and down to the Server Access Layer. Cisco Catalyst switches support LAN speeds from 10Mbps to 10Gbps over a variety of physical transports. They can also integrate Power over Ethernet (PoE) services over Category 5 Ethernet cable to power wireless access points, IP telephones, and other 802.3af based devices.

Wireless—The Cisco Unified Wireless Network provides centrally managed wireless connectivity to mobile computers, medical devices, and phones. The same wireless infrastructure includes integrated wireless intrusion detection, highly secure connectivity, WPA/WPA2 encryption, and central management through the Wireless Control System (WCS). Every healthcare wireless network shares the same dual-radio infrastructure regardless of the size or layout of the facility. It also provides path isolation and segmentation so that payment data is encrypted and logically separated from the other types of clinical data. The Unified Wireless Network can operate in two distinct modes: as a distributed access point design with centralized management, or as a centrally managed wireless-controller-based system. Wireless controllers, part of the Cisco Unified Wireless architecture, centralize the control and management of the wireless infrastructure installed across the network.

Storage—Electronic cash registers, POS servers, and other PCs are used to recreate a typical healthcare payment services and patient registration environment. A Storage Area Network director-class switch connected to EMC storage disks recreates a typical healthcare data center storage environment. Other servers and hosts connected to the inside of the Internet edge simulate web application servers.

Hosts and Servers

Host and Server Security—Cisco Security Agent (CSA) is a combination of software installed on each Windows or Linux-based POS device at the facility, including payment devices, POS registers, and POS servers. CSA is also installed on each of the solution management servers in the data center. CSA delivers application firewall, file integrity, host intrusion prevention, and data loss prevention services. CSA can also be installed on facility manager PCs and any other desktop or server installed at the healthcare location.

Point-of-Sale—NCR POS terminals and SurePOS servers running the NCR Advanced Checkout System software were used to recreate a typical healthcare environment. Earlier versions of the solution used IBM and Wincor-Nixdorf POS devices. These devices use a combination of RSA data security applications to encrypt access to critical payment or administrative data on the system. CSA can stop "day zero" attacks and can be customized to meet the wide-ranging requirements of healthcare-focused applications at the cash register, desktop, kiosk, or server level.

Payment Devices—VeriFone and IBM payment devices were used to simulate a healthcare payment environment. These devices must meet PCI Payment Encryption Device specifications to be used in the solution.

Monitoring and Management

Centralized Cisco management services—Manage, monitor, provision, analyze, remediate, and report on all elements of the distributed system. These services can also create reports for audit and forensic requirements.

Cisco Security Manager (CS-M)—The central provisioning platform for the security services distributed across ISR routers and security appliances. It can design, provision, and report on firewall, IDS/IPS, and VPN services throughout the healthcare networks.

Cisco Security Monitoring, Analysis and Response System (CS-MARS)—Central log monitoring, correlation, and reporting platform for Cisco network device security alerts (e.g., ASA/FWSM/ISR firewall logs and IDS/IPS alerts) within the large, medium, and small healthcare office and hospital environments, as well as the data center environment. In addition, Cisco Security Agent alerts and wireless alerts are forwarded to CS-MARS.

Cisco Security Agent Management Center (CSAMC)—The central management, provisioning, and reporting system for the CSA software installed on POS and healthcare specific devices and servers in each healthcare facility network.

Wireless Control System (WCS)—The central manager of the Unified Wireless network infrastructure and services installed in each healthcare facility network.

CiscoWorks LAN Management System (C-LMS)—Supports the central control and collection of running and startup configurations from a wide array of Cisco network devices such as switches and routers.

CiscoWorks Network Compliance Manager (C-NCM)—Provides device configuration and change management services. NCM tracks and regulates configuration and software changes throughout the network infrastructure, provides superior visibility into network changes, and can track compliance based on PCI guidelines and company policy. It creates reports specific to PCI requirements, reporting which devices were changed and whether those changes affect the state of PCI compliance.

Encryption

Data at Rest Encryption

RSA File Security Manager—File-level encryption system used to encrypt sensitive data in the hospital/offices or data center.

RSA Key Manager—Enterprise-class key management system used to manage the secure delivery and use of encryption keys throughout the hospital/office.

Data in Motion Encryption

Cisco Virtual Private Network (VPN) software—Used to encrypt payment data as it is transmitted across any public network segments. VPNs typically use IPSec with either 3DES (triple DES) or 256-bit AES encryption.

Secure Sockets Layer (SSL) and Secure Shell (SSHv2) services—SSL is used to encrypt traffic from Internet-based web applications; SSHv2 is used to encrypt remote administration sessions to infrastructure devices.

Wi-Fi Protected Access version 2 (WPA2)—Used between wireless clients and Cisco access points; WPA2 applies AES encryption to POS and payment data transmitted across the in-facility wireless LAN (WLAN).
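As an added illustration of the two data-in-motion controls named above (IPSec with 256-bit AES for payment traffic leaving the facility, and SSHv2-only administrative access), the following Cisco IOS fragment shows how they look on a branch ISR. This is example configuration written for this page, not configuration taken from the solution; the solution's own configurations are in Chapter 4. The hostname, interface, addresses, ACL and map names, the TACACS+ server and the pre-shared key are constructed placeholders.

```cisco
! Added example, not the solution's configuration. Names, addresses and keys are placeholders.
hostname CLINIC-ISR-1
ip domain-name example.invalid
service password-encryption
enable secret PLACEHOLDER-ENABLE-SECRET
!
! Central AAA against the access control server, with local fallback if it is unreachable.
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.100.1.5 key PLACEHOLDER-TACACS-KEY
username admin privilege 15 secret PLACEHOLDER-LOCAL-FALLBACK
!
! Administrative access: SSHv2 only. The RSA key pair must be generated first
! from exec mode: crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 transport input ssh
 exec-timeout 10 0
!
! Phase 1 (ISAKMP): AES-256, SHA-1 integrity, pre-shared key, 2048-bit DH group.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 192.0.2.1
!
! Phase 2 (IPSec): ESP with AES-256 and SHA-1 HMAC, tunnel mode.
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Only the payment VLAN to the data center is carried in the tunnel.
ip access-list extended PAYMENT-TO-DC
 permit ip 10.10.20.0 0.0.0.255 10.100.0.0 0.0.255.255
!
crypto map DC-VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set AES256-SHA
 match address PAYMENT-TO-DC
!
interface Serial0/0/0
 description WAN link to data center aggregation router (placeholder addressing)
 ip address 198.51.100.2 255.255.255.252
 crypto map DC-VPN
```

The peer at 192.0.2.1 stands in for the data center WAN aggregation router, which needs a mirror-image policy, transform set, and crypto map. Keeping Telnet off the vty lines (transport input ssh) is what turns "non-console administrative access" into "encrypted administrative access"; verifying it on a running device is a matter of checking show ip ssh and show running-config | section line vty.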

Authentication

Cisco Secure Access Control Server (CS-ACS)—The central AAA service broker for the infrastructure and remote access elements of the solution. CS-ACS enforces the management and control policy for operational access to the network devices and services running on the network, and provides access control for the network devices, hosts, and servers used throughout the solution.

RSA Access Manager—The access control system required for the RSA applications in the solution.

RSA Authentication Manager software—Works with RSA Authentication Agents to enhance security with strong two-factor user authentication based on time-synchronous RSA SecurID tokens. Two-factor authentication was required for remote users accessing healthcare applications or connecting by VPN to the Internet edge.

Policy

Cisco Security Manager (CS-M)—Central management and provisioning platform for the security services distributed across Cisco routers and security appliances. It can design, provision, and report on firewall, IDS/IPS, and VPN services throughout the healthcare facility's network.

Cisco Security Agent (CSA)—Enforces host- and server-level policy by limiting access to specific files, folders, and services. CSA is managed through the CSA Management Console, which maintains and distributes the central policy and, through its behavioral approach to threat deterrence, can quickly ensure that new devices meet a baseline level of requirements.

Other Applications and Services

The following application services and partner products were required to create the operational environment and meet the PCI requirements but are not specifically part of the overall solution set:

Microsoft Active Directory

Microsoft DNS/DHCP server

Microsoft Exchange server for alert notification services

Microsoft Retail Management Server POS software

Intermec wireless handhelds

Network Time Protocol server for central time management

Wincor-Nixdorf POS hardware

IBM POS hardware

These are covered in more detail in Chapter 4, "Implementing and Configuring the Solution," and the appendices.

Figure 1-2 shows the PCI Solution for Healthcare architectural view.

Figure 1-2 PCI Solution for Healthcare—Architectural View

Scope of the Solution

Architecture

Cisco and its solution partners have a wide range of product portfolios that could potentially be used to address the PCI DSS 1.1 specification. The products selected for this solution were chosen for their immediate relevance to a healthcare network and data security environment, while allowing auditing and lab testing within the project timelines.

This solution guide includes healthcare reference designs that connect hospitals and other healthcare branch locations to a central data center over a wide area network (WAN) or directly across an Ethernet-based campus. It also includes Internet edge reference designs that connect Internet-based users to the extranet or demilitarized zone (DMZ). The solution includes and assumes centralized management, but does not include a central connection to an actual healthcare service payment or adjudication service.

This release of the PCI Solution for Healthcare can be used as a foundation on which additional products and location reference designs can be built in the future. This solution includes the following:

Remote clinic locations that connect to a central data center over a private WAN.

Remote clinic locations that connect to a central data center through the campus (direct Ethernet connection).

Data center design and centralized management servers that assist a healthcare organization in satisfying PCI requirements.

An Internet edge design that connects Internet-based patients, employees, partners and payers to data center or DMZ-based applications.

The solution does not include the following:

Data center connections to the actual payment service provider, acquiring bank or other merchant services.

Actual e-commerce architecture, systems and applications.

PCI Compliance

The PCI DSS Version 1.1 standard (https://www.pcisecuritystandards.org/index.htm) focuses on policy, procedure, and technology within a business. The Cisco PCI Solution for Healthcare provides Cisco networking equipment, partner software applications, reference architecture, and configurations to satisfy the technology requirements of the PCI compliance process. Although this solution does provide related guidance on some of the policy-based sub-requirements, companies seeking to become PCI compliant should contact a security service provider for assistance with their security policy and company procedures.

The Cisco and partner products used in this solution successfully addressed the PCI specification within this specific set of configurations. Healthcare facilities purchasing these products to address PCI should consult a QSA for their own particular environment because elements within it may differ from this solution.


Note As of the publication of this document, PCI DSS 1.1 is the current version of the standards document. However, as has been the pattern so far, the PCI Security Standards Committee typically releases a new version of the standards every 18 to 24 months. Currently, the expected publication of the PCI DSS 1.2 version is October 2008.


Solution Results

These results are applicable to the specific solution that was created and audited in the Cisco lab. For detailed notes on each solution feature and the audit findings, strengths, and weaknesses, see Chapter 3, "Solution Components—Best Practices and PCI." Specific implementation and configuration details are provided in Chapter 4, "Implementing and Configuring the Solution." Finally, for the complete audit report by Verizon Business on this specific lab, see Appendix F, "Report on Compliance (ROC)."

Table 1-6 summarizes the solution features per PCI requirement for the solution.

Table 1-6 PCI Requirements Satisfied by the Cisco PCI Solution for Healthcare

Solution Feature | PCI Value

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Cisco Firewall Service Module (FWSM), Cisco Adaptive Security Appliance (ASA) | Network security (firewall segmentation/filtering), stateful filtering
CiscoWorks (LMS and NCM), CS-M | Configuration management/secure configurations

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
ISRs, FWSM, ASA, switches, wireless devices, WCS, CS-ACS, CiscoWorks (LMS and NCM), Cisco Security Agent (CSA), CS-M | Vendor defaults changed
WCS/wireless controllers | Wireless security (WPA/WPA2, SSID broadcast disabled)
ISRs, FWSM, ASA, switches, wireless controllers, CSA Manager, CS-M, CiscoWorks (LMS) | Best practice security parameters enabled
ISRs, FWSM, ASA, switches, wireless controllers, CSA Manager, CS-M, CiscoWorks (LMS), CS-MARS, CS-ACS, WCS | Non-console encrypted administrative access

Requirement 3: Protect stored cardholder data
NCR Advanced Checkout Solution (NCR-ACS) software and terminals | Certified to PCI PIN entry device standard requirements
VeriFone VX and MX payment devices | Certified to PCI PIN entry device standard requirements
RSA File Security Manager and Key Manager application | Encrypt access to secure data stored on POS devices and servers

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Wireless controllers | WPA wireless security
ISRs, Cisco 7200VXR-series routers, ASA | Provide IPSec VPN encryption for data across the healthcare provider's WAN or Internet-based network circuits

Requirement 5: Use and regularly update anti-virus software or programs
Cisco Security Agent (CSA) | Anti-virus protection, malware/spyware protection, alerting

Requirement 6: Develop and maintain secure systems and applications
CiscoWorks (LMS and NCM), CS-M (Workflow mode) | Change control and enforcement of compliance configurations
Cisco ACE XML Gateway with WAF | Web application protection from OWASP attacks

Requirement 7: Restrict access to cardholder data by business need-to-know
ISRs, Cisco 7200VXR, FWSM, ASA, switches, wireless controllers, CSA Manager, CS-M, CiscoWorks (LMS), CS-MARS, CS-ACS, WCS, RSA applications and NCR-ACS | Least-privilege, role-based access

Requirement 8: Assign a unique ID to each person with computer access
ISRs, Cisco 7200VXR, FWSM, ASA, switches, wireless controllers, CSA Manager, CS-M, CiscoWorks (LMS), CS-MARS, CS-ACS, WCS, RSA applications and NCR-ACS | Unique user IDs, authenticated access, encrypted passwords, no group/shared IDs/passwords
  | Password strength requirements
  | Account lockout requirements

Requirement 9: Restrict physical access to cardholder data
No products were tested or audited for this requirement at this time. | See note 1 below.

Requirement 10: Track and monitor all access to network resources and cardholder data
ISRs, Cisco 7200VXR, switches, wireless devices, WCS, CS-ACS, CiscoWorks (LMS), CSA, NCR applications | Audit trails, time synchronization
NCR-ACS terminals, RSA File Security Manager, RSA Key Manager, Cisco CSA | Audit access to actual cardholder data and audit trail data
CiscoWorks (LMS and NCM) | Centrally archive audit log records

Requirement 11: Regularly test security systems and processes
Wireless controllers | Rogue wireless AP/device detection
ISRs, ASA, IDSM2 (sensor), CS-M (policy, signature updates) | Network IDS
CSA | Host-based IDS
  | File integrity

Requirement 12: Maintain a policy that addresses information security for employees and contractors
Verizon Business, Cisco Advanced Services | Creation and maintenance of security policy

1 Cisco video surveillance and access control systems can be implemented to meet this requirement, but this was out of scope of this phase's solution testing effort.