HIPAA – PCI DSS and Banner’s 3.7 Million Breached Records
On August 3, 2016, Banner Health Systems announced that on “July 13, 2016, they discovered cyber attackers may have gained unauthorized access to information stored on a limited number of Banner Health computer servers. The investigation revealed that the attack was initiated on June 17, 2016” and that they “began mailing letters to affected patients on August 3, 2016.” The letter to patients stated that “information may have included patients’ names, birthdates, addresses, physicians’ names, dates of service, clinical information, possibly health insurance information, and social security numbers if one was provided to Banner Health.”
It appears that the attackers first gained access through Banner’s credit card system and, within the 26 days between that initial access and its discovery, moved into the organization’s other systems.
Because the breach was reported to have begun within the credit card system, not only is the U.S. Department of Health and Human Services (HHS) involved, but so is the PCI Security Standards Council, the organization that oversees the security standard for the credit card industry.
Banner, like every merchant that handles credit cards, must maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS). This is the proprietary information security standard for organizations that handle branded credit cards from the major card schemes, including Visa, MasterCard, American Express, Discover, and JCB.
There are three ongoing steps in maintaining compliance with PCI DSS:
Assess — identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.
Remediation — fixing vulnerabilities and not storing cardholder data unless you need it.
Report — compiling and submitting required remediation validation records (if applicable), and submitting compliance reports to the acquiring bank and card brands you do business with.
PCI DSS covers the technical and operational system components included in, or connected to, cardholder data. Merchants that accept or process payment cards must comply with the PCI DSS.
Below are the twelve requirements of the global data security standard adopted by PCI DSS:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
The PCI DSS Quick Reference Guide* states:
“Network Segmentation: Scope can be reduced with the use of segmentation, which isolates the cardholder data environment from the remainder of an entity’s network. Reduction of scope can lower the cost of the PCI DSS assessment, lower the cost and difficulty of implementing and maintaining PCI DSS controls, and reduce risk for the entity.”
Do you think that Banner Health followed the recommendations for Network Segmentation? If not, I believe they will now!
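To make the Quick Reference Guide's scoping point concrete, here is an added example (not from the guide, the PCI SSC or Banner) that models two constructed firewall policies as zone-to-zone flows and computes which zones are connected to the cardholder data environment (CDE), and so both in PCI DSS scope and reachable by an intruder who starts there. The zone names, rules and the "allowed" neighbours are assumptions made for the example.

```python
"""Toy PCI DSS scoping check: which network zones are connected to the
cardholder data environment (CDE) and therefore share its risk and scope.

Zone names and both policies below are constructed for this example; they
are not Banner's network and not PCI SSC tooling.
"""
from collections import deque

# A rule is (source_zone, destination_zone, service). PCI DSS treats a system
# that can connect to, or be connected from, the CDE as in scope, so a
# permitted flow in either direction couples the two zones.
FLAT_POLICY = [
    ("corporate", "cde", "any"),         # office LAN may reach payment servers
    ("clinical", "corporate", "any"),
    ("cde", "clinical", "any"),
    ("guest-wifi", "corporate", "http"),
]

SEGMENTED_POLICY = [
    ("admin-jump", "cde", "ssh"),         # only a hardened jump zone reaches the CDE
    ("cde", "payment-processor", "tls"),  # outbound authorizations only
    ("clinical", "corporate", "any"),
    ("guest-wifi", "corporate", "http"),
]


def adjacency(rules):
    """Build an undirected reachability graph from the permitted flows."""
    graph = {}
    for src, dst, _service in rules:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set()).add(src)
    return graph


def in_scope_zones(rules, cde_zones=("cde",)):
    """Return every zone connected, directly or transitively, to the CDE."""
    graph = adjacency(rules)
    seen = set(cde_zones)
    queue = deque(cde_zones)
    while queue:
        zone = queue.popleft()
        for neighbour in graph.get(zone, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def segmentation_gaps(rules, cde_zones=("cde",),
                      allowed=("admin-jump", "payment-processor")):
    """Zones tied to the CDE that the design did not intend to be there."""
    return sorted(in_scope_zones(rules, cde_zones) - set(cde_zones) - set(allowed))
```

With the flat policy every internal zone, guest Wi-Fi included, ends up connected to the CDE, which is the situation segmentation is meant to prevent; the segmented policy leaves only the jump zone and the payment processor in scope.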
Watch for the release date of JAL’s 2016 Edition of “Practical Guide to Understanding and Implementing HIPAA”
Judith is an accredited Certified HIPAA Professional (CHP). As the owner of JAL, Judith is your subject matter expert, providing guidance to organizations on HIPAA, GLBA, False Claims and other regulatory requirements. Judith provides reasonable and appropriate compliance policies and procedures within your Compliance Program. As a guru in compliance, Judith delivers compliance employee training programs and participates in educational speaking engagements for the industries that handle Protected Health Information. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult