PCI-DSS - A Short Acronym for a Long Journey - Part 2
So it seems that I took a long coffee break since my last blog on PCI-DSS! And yes, that coffee did come from the fancy machine that took my credit card on the 4th floor of your hospital!! Would you like a memory refresher on what I was talking about? Click here to read Part 1 of my blog.
So where does a health care organization start when looking at compliance with these industry standards? Begin by assigning someone who understands the depth of PCI-DSS compliance to perform an inventory of your environment. A complete inventory of every kiosk, device, application, point-of-sale system or any other type of equipment that is used across the organization, and anything that transmits, stores, or processes credit card data needs to be considered. Ensure that management is onboard and understands the need for industry compliance. Having management support is a key factor in any security initiative and achieving PCI – DSS compliance is no different.
Where are these devices and equipment located, physically and/or logically on the network? What do they interact with? How is data transmitted? How much of that data traverses your network, and over what part of your network? Where are the servers located for the Point-of-Sale systems? Once you have completed the inventory, assign data owners to each of the systems. Scope out what systems and devices should be included in your assessment. Where is the risk minimal? Is there low hanging fruit that you can quickly fix? By reviewing each system, you are not only identifying the high risk systems but are also looking for opportunities where risk can be transferred or systems can be standardized. Once you have identified systems that are low risk vs. high risk, create a strategy to address each system. Understand the PCI- DSS requirements for each of the systems. Understand what can be quickly addressed (i.e., a software update on a device) vs. what needs an entire architectural revamp of your network.
Next comes planning! What is it going to cost to upgrade the hardware, software, devices, systems? When will the budget be available? How will we get management approval for upgrades that bring in no $$$??!! How will I management grasp the need for compliance? Here’s where ensuring that management has ownership and understands the risks becomes key in moving forward quickly.
“So can’t I just pay an external scanning vendor to scan my organization’s external IP addresses, and if I pass the PCI-DSS scan I’m compliant?”
Seriously? Did you just ask me that? Stay tuned for Part 3 of the series for my response to that question…
Ashini Surati is the Security and Compliance Manager at Park Place International. She has been working in the healthcare security and compliance realm for the past decade. Her passion is to ensure customers understand and comply with regulations and maintain a secure, compliant environment.