News Release

Cisco Enhances Data Security for Healthcare and Retail Organizations

Cisco offers validated data security design and implementation guidelines to meet PCI challenges specific to vertical markets
Jul 30, 2008

SAN JOSE, Calif., July 30, 2008 - Expanding on the success of its Payment Card Industry (PCI) for Retail Solution, Cisco today introduced its first validated architecture to address PCI compliance in healthcare settings. Specifically, the PCI Data Security Standard is providing healthcare organizations with a prescriptive model for how to safeguard patient financial transaction data and other personally identifiable information that is captured and processed within a healthcare facility or settings such as retail pharmacies.

The PCI for Healthcare Solution offers comprehensive design and implementation guidance to protect credit card, sensitive patient demographic, and employee information. Cisco's PCI solutions for healthcare and retail offer a holistic approach to specific data security challenges. Cisco also announces its membership in the PCI Security Standards Council to help shape future data security policy.

"Survey data tell us that healthcare consumers are just as concerned that their identity may be stolen or abused as they are that private information will be released," noted Frances Dare, director, Cisco Internet Business Solutions Group (IBSG) healthcare practice. "The PCI standards help a wide range of healthcare organizations protect essential patient demographic and financial information in addition to the tremendous work by hospitals and others to protect personal clinical data," Dare said.

Security Solutions for Healthcare

External data security-related attacks on the healthcare industry increased 85% between January 2007 and January 2008 (1). One challenge is that one in four healthcare executives does not know where their sensitive data is located (2). Also, many organizations do not have a security framework in place to provide optimal protection.

The prescriptive nature of Cisco's PCI for Healthcare solution strengthens the Cisco Medical Grade Network design architecture by establishing a model to secure sensitive data while at-rest and in-motion. It also offers broader enterprise policy direction on how healthcare organizations should protect critical assets such as patient medical and financial information.

Beyond the new PCI standards for healthcare, data security is an increasing area of focus for both health organizations and Cisco. Both Cisco's Unified Wireless Networks and IronPort email security appliances have received endorsement from the American Hospital Association.

"The privacy of patient information is foundational to the healthcare industry," said John Halamka, MD, CIO of Harvard Medical School and CIO of CareGroup Health System. "The new PCI security standards are important additions to the larger data security picture for health organizations," noted Dr. Halamka, who also serves as chairman of the Health Information Technology Standards Panel. "In addition to these standards, legislation currently moving in Congress signals other security requirements that may soon affect healthcare. This is an important time for healthcare leaders to strengthen their security policies, practices and technologies."

PCI Solution for Retail

Protecting customer credit card information has been at the forefront of retailers' minds for several years. Data theft is also moving downstream from large retail organizations to include regional chain store establishments.

Announced at the National Retail Federation show in January, Cisco's PCI Solution for Retail is a set of PCI reference architectures designed to help retailers manage the complexities associated with the PCI Data Security Standard. The solution includes design recommendations for securing remote environments such as retail stores, e-commerce sites and data centers. The Cisco PCI Solution for Retail has been tested and deployed in Cisco's labs and validated for both the wired and wireless environment by outside PCI auditor (QSA) Verizon Business.

"In an era of declining consumer confidence, it is more important than ever to deliver a seamless secure payment experience to our customers," said Carrie Peters, vice president of information technology of Jones-Onslow Electric Membership Corporation. "Cisco understands the specific challenges retailers are facing and has helped Jones-Onslow create a comprehensive approach to securing sensitive customer information."

Data Security Challenges for Vertical Markets

Moving forward, it is important to recognize that protecting critical assets within an organization is an ongoing systems process rather than simply a checklist of items to meet compliance requirements. Four key areas for ensuring that an organization's critical assets are secure are:

    1. Education: Identify what the business-critical data assets are and where these assets are located.

    2. Operations (Process): Safeguard critical data while "at rest" and "in motion". Isolate access to those assets, and to the network segments where they reside, with a layered defense approach.

    3. Regulatory and Corporate Policy Compliance: Adopt a security program that focuses on safeguarding critical data and addresses government and regulatory compliance requirements such as Sarbanes-Oxley, PCI, and HIPAA.

    4. Technology: Implement a solid security infrastructure and portfolio of technologies that satisfies the education, operations and policy steps.

Shaping the future of data security

Cisco approaches data security not only through technology but also by influencing future policy formation to help provide intelligent counsel to customers. By joining the PCI Data Security Standards Council, Cisco will help to evolve this key data security standard in the months ahead. Similarly, as a board member of the HITRUST Alliance, Cisco can help drive security best practices learned over the years to benefit healthcare organizations. Cisco actively participates in public policy discussions and Congressional hearings about data security advancements and will continue to play a role moving into the fall legislative season.

IPTV Roundtable

On July 30, 2008, Cisco and two information/security executives from the retail and healthcare industries will host a live, interactive Internet TV broadcast about the threats, challenges and approach to achieving PCI compliance and data security.


  • John Halamka, MD, CIO of Harvard Medical School and CIO, CareGroup Health System
  • Carrie Peters, vice president of information technology, Jones-Onslow Electric Membership Corporation
  • Ed Jimenez, director of vertical market solutions, Cisco
  • Frances Dare, director, healthcare practice, Cisco Internet Business Solutions Group (IBSG)
  • Host: Terri Quinn-Andry, senior manager of PCI solutions, Cisco

When: Wednesday, July 30, 2008, 8:00 - 9:00 a.m. PST

Where: The broadcast can be accessed at the following URL:
Attendees should go to this URL on July 30 at 8:00 a.m. PST and select "Play" to launch the live presentation.