The PCI Solution for Healthcare is a set of configurations and recommendations to protect data at rest and data in motion on wired and wireless networks. The solution is designed to conform to the Payment Card Industry (PCI) Data Security Specification (DSS) 1.1. The solution was built and tested using point-of-sale (POS) systems, payment devices, wireless client devices, data encryption software, and Cisco network infrastructure, and was validated by a PCI Qualified Security Assessor (QSA) audit partner. The result is a set of designs for hospital, healthcare office/clinic, data center, and Internet edge deployments that simplify the process of a healthcare facility becoming PCI compliant.
Any company that processes credit card transactions has the responsibility to adhere to the PCI DSS 1.1 standard, regardless of transaction volume. As a result, healthcare organizations worldwide are under pressure from their respective banks to become PCI compliant. New business applications such as self-registration kiosks, bedside payment services, and online payment of medical expenses are making PCI a "top of mind" topic. In addition, the healthcare industry has seen a sharp rise in targeted attacks.
A SecureWorks study reports an 85% increase in attacks from January 2007 to January 2008. Theft of medical information has resulted in credit card fraud, and theft of credit card information has resulted in medical information mistakes. The addition of new applications also raises the healthcare entity's PCI merchant level, bringing it "onto the radar" where in the past it could stay unnoticed. As a result, healthcare organizations will start receiving monthly fines for not being PCI compliant.
The healthcare market for PCI comprises multiple kinds of healthcare facilities that process credit card transactions, either for payment of services or for identification during patient registration:
- Hospitals
- Remote Offices and Clinics
- Medical Centers and Schools
- Critical Care Centers
- Healthcare Payment and Insurance Providers
- Dental Offices
- Animal Hospitals
To achieve PCI compliance, a healthcare provider must address its procedures, security policies, and technical infrastructure so that it can demonstrate adherence to the PCI DSS v1.1 sub-requirements. Once a company becomes compliant, there are ongoing requirements to maintain compliance. The PCI Solution for Healthcare demonstrates how to build the infrastructure, secure data in transit and at rest, and monitor and maintain the configurations. Figure 1-1 shows the PCI Solution for Healthcare conceptual view.