“PCI” stands for “payment card industry,” commonly associated with the longer-named Payment Card Industry Data Security Standard (PCI DSS). This is a set of rules that outlines the accepted security standards for credit and debit cards, whether they’re used online or in person.
From multinational corporations to small startups that take credit cards, most businesses have a plan for achieving and maintaining PCI compliance. They face fines and penalties otherwise!
“HIPAA” stands for “Health Insurance Portability and Accountability Act,” and it is host to extensive rules about how medical information is shared and transmitted. Health records have to clear a higher standard of security because they must not only be stored securely but also remain freely reachable by anyone with permission to see them, precisely because there are people without permission trying desperately to see them.
Data is power, so cybercriminals have real incentive to steal data in search of leverage or influence. As they contain medical records for thousands and thousands of people, healthcare organizations from hospitals to insurance companies are a prime target. As an e-commerce company might retain many thousands of credit card numbers, they’re fundamental targets as well.
But HIPAA and PCI compliance were both designed with malicious actors in mind. According to a 2013 report by the Identity Theft Resource Center, there were more than 47 million PCI breaches in the business world and almost 5 million HIPAA breaches in the medical realm. Those numbers would be far higher if not for the associated security standards outlining best practices.
PCI and HIPAA standards are high bars to clear, but these standards make it possible to know which companies are actively protecting the information you share with them. Here are some of the ways in which they specifically differ.
Health records are to be secured, exchanged and portable, while credit card numbers are to be secured.
In other words, health records need to move through a more considered digital environment than the everyday credit card transactions we conduct. Health records are a category of data that might be feature-rich with charts, images, or other supporting documentation of a patient’s condition. It’s not just simple numbers here.
Multiple forms and formats of data should be protected more thoughtfully than the raw numbers that confirm various credit card transactions. These transactions are so rote by now that they can be executed and processed by algorithms. But medical records are creatures of a different sort, and require a different touch.
Where credit card networks lean on their own computer systems to process and verify transactions, it’s mostly a medical staff’s human brains that can process a medical record. Doctors need access to a wide variety of data, qualitative and quantitative alike, in order to reach a satisfactory diagnosis of a patient’s condition. When detailed medical records move securely to reach an attending doctor, the patient receives improved care.
Unlike finite PCI requirements, HIPAA encompasses security, rights, privacy, and safety.
HIPAA even has guidelines for eliminating fraud, waste, and abuse. The main takeaway is that HIPAA compliance is a higher standard to achieve than PCI compliance. Managing someone’s medical data is an activity loaded with subtlety, and healthcare industry success requires a deep awareness of subtleties.
There are strict rules in medicine about who’s allowed to know someone’s medical details, and how doctors might inform those people. This sector takes data rights seriously — processing medical records to arrive at a diagnosis or course of treatment is a far more human interaction than processing credit card numbers.
Thoughtful use of these standards protects us from theft, unauthorized access, and loss of the data we share.
A health record bearing basic health insurance information is worth 10-20 times more than a valid credit card number and CVV code. Hackers are far more incentivized to steal your health record than your credit card number, but you wouldn’t necessarily want to lose either one of them.
When we pay better attention to which standards we ought to be depending on, we ask better questions of the healthcare provider we’re with. Asking questions about how your patient data gets handled is more closely related to being a thorough healthcare consumer than it is to hassling your X-ray technician. It helps the humans involved in the interaction remember that their work in the healthcare field probably does, in some small way, depend on something a computer can do.
Even though healthcare is rather resistant to change, the internet has had a transformative impact on how businesses operate in this sector within just 25 short years. There’s a real link between healthcare cybersecurity practices and improved patient outcomes. When medical professionals use a computer in the course of their work, it should only ever make them more effective at achieving a goal. It shouldn’t come with pangs of anxiety that your data is potentially unsafe.
Do I need to comply with PCI if I already comply with HIPAA?
The answer is almost definitely yes. These security standards are closely related, but they still diverge in ways that matter. Just because you’re successful on one front doesn’t mean you’re successful on the other.
Each has its own validation points. Across its rules for breaches, security, and privacy, HIPAA has 157 requirements and 535 validation points. The latest version of PCI standards, PCI DSS 2.0, contains 292 requirements and 1,030 validation points. PCI has more requirements and validation points, but they are about different things.
In terms of how these standards specifically compare, PCI accounts for none of HIPAA’s 281 breach rule/privacy rule validation points. PCI covers just 70 of HIPAA’s 254 security rule validation points. And HIPAA itself only addresses 316 of PCI’s 1,030 validation points. These standards overlap, but they aren’t identical by a long shot.
Both PCI and HIPAA compliance are about protecting our data, but they protect different kinds of data. Companies should pursue compliance with both as needed, because it only improves their overall cybersecurity posture.