Data Security: HIPAA vs PCI

Struggling with understanding HIPAA vs PCI Compliance? Want to make sure that your business is compliant?

When dealing with sensitive information security is paramount. That is why HIPAA and PCI regulations are required in hosting. The aim of this article is to provide insight into these topics, and hopefully, make it easier for you to do your part in protecting patient's and/or customer's data.

Let’s start with an overview to see how the two connect.

What HIPAA Compliant Hosting and Why is it Important?

HIPAA, the Health Insurance Portability and Accountability Act of 1996, is United States legislation that provides data privacy and security provisions for safeguarding medical information. Although the act also offers additional protections regarding insurance and other issues, the focus of this article is in relation to the privacy and security of data.

HIPAA compliant hosting is, therefore, hosting that utilizes additional security measures for Electronic Protected Health Information (EPHI).

It’s important to protect patient’s medical data not only because most people don’t want their medical data publicly available, but also to avoid heavy fines. HIPAA violations cost your practice. Federal fines for noncompliance can range from $100 to $50,000 per violation (or per record) depending on the level of perceived negligence within your organization at the time of the HIPAA violation, with a maximum penalty of $1.5 million per year for each violation.

So, if you can’t do it for the patients, do it for yourself. 

What is PCI Compliant Hosting and Why is it Important?

PCI compliant hosting refers to the Payment Card Industry Data Security Standard (PCI-DSS) and is often shortened to PCI Compliance. PCI compliance refers to a set of standards designed to keep credit card information that is accepted, processed, stored, or transmitted securely at all times.

It started in 2006 with a Council founded by American Express, Discover, JCB International, MasterCard, and Visa Inc., who share equally in governance and execution of the work. Before this time, each credit card network had its own standard, making compliance difficult for users. When the major Credit Card companies standardized rules to ensure data security, it greatly simplified securing Credit Card data, because it allowed businesses to track a single standard.

PCI compliance is important not only for the ease of doing business, but it is also important to protect the customers’ data.  There is a high price to pay for noncompliance, with fines ranging from $5,000 to $100,000 per month for the merchant and are at the discretion of the card brands and acquiring banks. 

According to a Ponemon Institute study, the average total consolidated cost of a data breach is $3.8 million. Each lost or stolen record costing an average $174, so even having 500 compromised payment records can cost the merchant over $75,000 in liability. And after that, you could face a PCI DSS audit from a qualified security assessor (QSA).

So, if you can’t do it for your customers, do it for yourself.

Now that we have a better understanding of what HIPAA compliance and PCI compliance are, let’s look into what is needed for each.

What’s Required for HIPAA Compliance?

HIPAA compliance is an ongoing process, so after you obtain HIPAA compliance you also need to maintain compliance.

Liquid Web is responsible for hardware and network security, while the customer is responsible for making sure that their application is secure and maintained.

Customers must hire a third-party HIPAA compliance auditor who will work closely with them since they are trying to become HIPAA compliant. Liquid Web can also sign a Business Associate Agreement (BAA) that outlines our responsibilities and ensures that your hosting environment is HIPAA compliant.

For us to guarantee that your hosting environment is HIPAA compliant, we provide you with a traditional dedicated server, locked cabinets, a hardware firewall, and also offer encrypted offsite data backups.

What is Required for PCI Compliant Hosting?

PCI compliance is also an ongoing process that also requires maintenance. Below are 12 steps to PCI compliance:

Objective: Build and Maintain a Secure Network

1. Configure, install, and maintain a firewall to protect cardholder data

2. Make sure to change system passwords and other security 

Objective: Protect Cardholder Data

3. Safeguard cardholder data that is stored

4. Maintain encryption of cardholder data across open, public networks during transmission

Objective: Maintain a Vulnerability Management Program

5. Regularly update and use anti-virus software on all systems commonly affected by malware

6. Maintain and develop systems and applications that are secure

Objective: Implement Robust Access Control Measures

7. Classify respective business groups for access to cardholder data

8. For each person with computer access, assign a unique ID

9. Restrict physical access to cardholder data

Objective: Regularly Monitor and Test Networks

10. Monitor and track all access to cardholder data and network resources

11. Test security systems and processes regularly

Objective: Maintain an Information Security Policy

12. Maintain a policy that addresses information security

While Liquid Web does not offer full PCI compliance certification, we do offer a separate service that scans your server to see that PCI-DSS requirements are met. This is a great tool during the compliance process. Our PCI scanning is updated with the latest threat intelligence and certified annually to meet all the PCI Security Standards Council requirements.

If vulnerabilities are identified you are presented with details about the vulnerabilities and remediation steps that can be used to address them. We also check for false positives and rescan if needed.

Comparing HIPAA vs PCI Compliance

Both require additional security measures to be taken on the customer’s side as well as by Liquid Web. HIPAA compliance tends to be broader and requires physical barriers to be in place for security measures, such as attestation of physical, on-site security. PCI compliance is more technical and requires scanning on various public ports.

How Can Liquid Web Help?

Liquid Web can help your business achieve is HIPAA compliance by signing a BAA, and fully managing your HIPAA servers. We also maintain internal policy enforcement and documentation of our administration of your HIPAA servers. You can choose from pre-configured solutions, or we can custom build one to suit your needs. We also offer PCI compliance scanning, and everything is backed by Support from The Most Helpful Humans in Hosting.