• HIPAA – PCI DSS and Banner’s 3.7 Million Breached Records

  • On August 3rd, 2016, Banner Health Systems announced that on “July 13, 2016, they discovered cyber attackers may have gained unauthorized access to information stored on a limited number of Banner Health computer servers. The investigation revealed that the attack was initiated on June 17, 2016” and that they “began mailing letters to affected patients on August 3, 2016.” The letter to patients stated that the “information may have included patients’ names, birthdates, addresses, physicians’ names, dates of service, clinical information, possibly health insurance information, and social security numbers if one was provided to Banner Health.”

    It appears that the attackers gained access through Banner’s credit card payment system and, within the 26 days between the initial access and its discovery, moved into the organization’s other systems.

    Because the breach was reported to have begun within the credit card system, not only is the U.S. Department of Health and Human Services (HHS) involved, but so is the PCI Security Standards Council, the body that oversees the security standard for the credit card industry.

    Banner, like all merchants who handle credit cards, must maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS). This is the proprietary information security standard for organizations that handle branded credit cards from the major card schemes, including Visa, MasterCard, American Express, Discover, and JCB.

    There are three ongoing steps in maintaining compliance with PCI DSS:

    • Assess — identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.

    • Remediate — fixing vulnerabilities and not storing cardholder data unless you need it.

    • Report — compiling and submitting required remediation validation records (if applicable), and submitting compliance reports to the acquiring bank and card brands you do business with.

    PCI DSS covers the technical and operational system components included in, or connected to, cardholder data. Merchants who accept or process payment cards must comply with the PCI DSS.

    Below are the twelve PCI DSS requirements, grouped under the standard’s six goals:

    Build and Maintain a Secure Network

    1. Install and maintain a firewall configuration to protect cardholder data

    2. Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data

    3. Protect stored cardholder data

    4. Encrypt transmission of cardholder data across open, public networks

    Maintain a Vulnerability Management Program

    5. Use and regularly update anti-virus software or programs

    6. Develop and maintain secure systems and applications

    Implement Strong Access Control Measures

    7. Restrict access to cardholder data by business need to know

    8. Assign a unique ID to each person with computer access

    9. Restrict physical access to cardholder data

    Regularly Monitor and Test Networks

    10. Track and monitor all access to network resources and cardholder data

    11. Regularly test security systems and processes

    Maintain an Information Security Policy

    12. Maintain a policy that addresses information security for all personnel

    The PCI DSS Quick Reference Guide states:

    “Network Segmentation: Scope can be reduced with the use of segmentation, which isolates the cardholder data environment from the remainder of an entity’s network. Reduction of scope can lower the cost of the PCI DSS assessment, lower the cost and difficulty of implementing and maintaining PCI DSS controls, and reduce risk for the entity.”

    Do you think that Banner Health followed the recommendations for Network Segmentation? If not, I believe they will now!
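    One way to make that segmentation recommendation checkable in practice, as an added example that is not from the original post or from the PCI SSC: a small Python check that maps addresses to zones and flags any flow crossing a zone boundary that the segmentation design does not explicitly permit. The CDE, clinical and corporate address ranges, the allow-list and the flow records are all constructed here; a card system reaching into clinical or corporate systems, the kind of movement described above, surfaces as a violation.

```python
# Flag network flows that cross CDE segmentation boundaries.
# Added example, not from the original post or PCI SSC material; every
# zone, address range, allow-list entry and flow record below is constructed.
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed zone map: which address range belongs to which segment.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "cde": ipaddress.ip_network("10.10.0.0/24"),        # payment card systems
    "clinical": ipaddress.ip_network("10.20.0.0/24"),   # patient records
    "corporate": ipaddress.ip_network("10.30.0.0/24"),  # workstations, email
}

# Cross-zone flows the segmentation design explicitly permits, as
# (src_zone, dst_zone, dst_port). Any other boundary crossing is flagged.
ALLOWED_CROSS_ZONE: Set[Tuple[str, str, int]] = {
    ("corporate", "cde", 443),  # hypothetical payment admin console over TLS
}

def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if outside every range."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def segmentation_violations(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, port, 'src_zone->dst_zone') for every flow that crosses
    a zone boundary without a matching allow rule; intra-zone traffic is ignored."""
    violations = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone or (src_zone, dst_zone, port) in ALLOWED_CROSS_ZONE:
            continue
        violations.append((src, dst, port, f"{src_zone}->{dst_zone}"))
    return violations

# Constructed flow records standing in for firewall or NetFlow logs.
SAMPLE_FLOWS = [
    ("10.30.0.15", "10.10.0.5", 443),    # permitted: console into the CDE
    ("10.10.0.5", "10.10.0.9", 5432),    # intra-CDE, not flagged
    ("10.10.0.5", "10.20.0.40", 445),    # CDE host reaching a clinical file share
    ("10.10.0.5", "10.30.0.200", 3389),  # CDE host opening RDP into corporate
]

if __name__ == "__main__":
    for v in segmentation_violations(SAMPLE_FLOWS):
        print("VIOLATION", *v)
```

    Run against real flow exports, the two flagged records are exactly the ones a segmentation review would need to explain or block.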


    Watch for the release date of JAL’s 2016 Edition of “Practical Guide to Understanding and Implementing HIPAA”

    Judith is an accredited Certified HIPAA Professional (CHP). As the owner of JAL, Judith is your subject matter expert providing guidance to organizations within HIPAA, GLBA, False Claims and other regulatory regimes. Judith provides reasonable and appropriate compliance policies and procedures within your Compliance Program. As a guru in compliance, Judith delivers compliance employee training programs and participates in educational speaking engagements for the industries that handle Protected Health Information. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult

    Copyright © JAL Consulting 2016