We’ve noticed a trend in our quest to provide free PCI compliance for everyone: as far as network and information security goes, healthcare practitioners as a group are woefully behind the average small business. That is a problem, because the incidence of information theft from data breaches is on the rise in the healthcare field, and hospitals and medical facilities also hold other sensitive data that is readily stolen and exploited. For the larger institutions, however, big gaps in data security are the exception rather than the rule. Because of their size they usually already have an information technology (IT) department, so becoming PCI compliant is just one more of the endless upgrades and procedures that IT staff deal with every day.
It’s the smaller, independent medical or dental practice that is the more likely target and, frankly, the easier pickings. Many doctors and healthcare practitioners seem to feel they are flying under the radar, too small or too remote to take PCI compliance seriously. This is especially true of those medical merchants who have resisted business office technology and believe that because they still keep paper records they are safe and have no need to be PCI compliant. There is a grain of truth in that: a hacker can’t electronically steal what isn’t in electronic format. But that only protects your stored records from a remote attacker; it does nothing about a filing cabinet that walks out the door, and it says nothing about the card data that leaves your office every time a patient pays. PCI DSS addresses the protection of data stored in hard copy as well (Requirement 9, restricting physical access to cardholder data), and it has always been standard practice at least to lock up patient records and other sensitive files. What about data in transit? Even a paper-only practice transmits card numbers electronically the moment a card is swiped or keyed into a terminal, and PCI DSS (Requirement 4) requires that cardholder data be encrypted whenever it crosses open, public networks. Following those guidelines for protecting data in transit is all a business needs to do.
A recent report says that Ottawa Regional Hospital discovered malicious spyware on its systems in March 2010. The breach forced the hospital to notify every customer who had paid a bill online since 2006 of a potential exposure. No reports have confirmed that the exposed data was misused, but some of it included patient healthcare records and information on ongoing police investigations. That should make every healthcare practitioner take notice, large or small. See our homepage for more information on protecting your business.