No surprise! The Payment Card Industry (PCI) is raising the bar on performing an annual risk assessment, which the HIPAA Security Rule calls a risk analysis. It is no surprise, because completing an annual risk analysis is foundational for any legitimate information security program. In fact, many HIPAA Covered Entities and Business Associates must meet both the HIPAA Security Rule risk analysis requirement (45 CFR 164.308(a)(1)(ii)(A)) and the PCI Data Security Standard (PCI DSS) risk assessment requirement. Here's today's big tip: kill two birds with one stone by completing a bona fide risk analysis according to NIST SP 800-30.


HIPAA Security Risk Analysis Tips & PCI Risk Analysis Tip!

When the PCI Security Standards Council updated the PCI DSS Requirements and Security Assessment Procedures to Version 2.0 in October 2010, it included an explicit requirement to complete an annual risk assessment in Requirement 12.1.2, which states:

12.1 Establish, publish, maintain, and disseminate a security policy that accomplishes the following:

12.1.1 Addresses all PCI DSS requirements.
12.1.2 Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.)
12.1.3 Includes a review at least annually and updates when the environment changes.

The PCI DSS testing procedures an assessor uses to verify Requirement 12.1.2 are:

12.1.2.a Verify that an annual risk assessment process is documented that identifies threats, vulnerabilities, and results in a formal risk assessment.
12.1.2.b Review risk assessment documentation to verify that the risk assessment process is performed at least annually.

In November 2012, the Risk Assessment Special Interest Group (SIG) of the PCI Security Standards Council published the Information Supplement: PCI DSS Risk Assessment Guidelines.

The objective of this PCI DSS Risk Assessment Guidelines document is to provide supplemental guidance and recommendations for performing a risk assessment in accordance with PCI DSS Requirement 12.1.2. A risk assessment, as required in the PCI DSS, is a formal process used by organizations to identify threats and vulnerabilities that could negatively impact the security of cardholder data.

Two Birds One Stone – Meet Both PCI DSS and HIPAA Security Requirements At Once

Both PCI DSS v2.0 and the PCI DSS Risk Assessment Guidelines cite several industry-accepted methodologies that can be used to meet the PCI DSS risk assessment requirement; PCI DSS does not mandate any one of them. One of the methodologies cited is NIST SP 800-30 Revision 1, "Guide for Conducting Risk Assessments".

Organizations that adopt the NIST SP 800-30 approach can satisfy both the HIPAA Security Rule risk analysis requirement and the PCI DSS risk assessment requirement with a single process, since OCR's own risk analysis guidance also points to NIST SP 800-30. The caveat a practitioner should keep in mind is scope: PCI DSS is concerned with the cardholder data environment, and HIPAA with all electronic protected health information, so a combined assessment must inventory and evaluate the systems, threats, and vulnerabilities for both sets of data, and the resulting documentation must show an assessor or auditor for either regime that its data was covered and that the process is repeated at least annually and when the environment changes.



Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry's leading authorities on healthcare information security. Chaput has supported hundreds of hospitals and health systems in managing healthcare's evolving cybersecurity threats and safeguarding patient safety.