Simplified Solutions from Our Sponsor

Adhering to credit card industry standards not only reduces the risk of data breaches; it also reduces debit and credit card processing costs.

Cyber-attacks have become commonplace—almost inevitable—across a variety of industries. Consider Target’s 2013 data breach, which compromised 70 millioncustomers’ names, credit and debit card numbers, expiration dates, and card verification values (CVV), in addition to other personal information. In all, this prolonged event cost the retail giant more than $100 million in settlements, not to mention damage to consumer confidence in the company.  

When we think about data breaches, attacks on retailers such as Target often come to mind. Yet, between 2010 and 2015, criminal attacks on healthcare data actually increased by 125 percent, according to a Ponemon Institute survey. In 2016 alone, there were 329significant data breaches exposing more than 16 million records, according to the HIPAA Journal.  

In addition to harming patients, data breaches can be costly to providers. As patients’ financial responsibilities continue to grow, healthcare providers will need to find ways to effectively combat this trend, not only to secure patient information but also to protect their financial health and instill confidence in their organizations.  

Understanding Why Patient Data is Under Attack

Healthcare data has become an alluring target to cyber thieves for many reasons, primarily because detailed personal information including names, birthdates, social security numbers, and even financial information often can be obtained by hacking into just one provider’s system. Unfortunately, the following ingredients make healthcare providers an easy target for identity theft.

Historically, healthcare providers have not had to put much effort into protecting patients’ financial information unlike other industries such as retail, entertainment, and travel that have supported credit and debit card transactions for decades. Until recently, most medical bills were covered by health plans. Patients who owed money typically paid by check.  

With copayments, coinsurance, and other out-of-pocket responsibilities increasing, patients often use debit and credit cards, in addition to other forms of electronic payments, to pay their bills. These transactions can take place at the point of service, online through patient portals, through mobile apps or over the phone—in addition to the more traditional route of mailing checks or writing credit card information, sometimes with CVV codes, directly on statement slips.  

Because this is a more recent issue for providers, many have not invested in sufficient technology solutions or services to prevent or detect cyber attacks, making patient information even more vulnerable to data predators.  

Keeping Patient Financial Information Secure

As healthcare providers become more dependent on patient payments and as the number of patient payments has increased, they should consider the following strategies and best practices to secure patients’ personal data while reducing their costs and liabilities.  

Understand how PCI DSS compliance can help. More than 10 years ago, the Payment Card Industry (PCI) developed a set of standards that significantly reduce risk for data breaches during or following financial transactions. Specifically, participating organizations must meet 12 requirements outlined in the Data Security Standard (DSS)—now on version 3.2— to comply and recertify each year, including making additional changes to keep up with the evolving standard. Being PCI-compliant not only reduces the risk of data breaches; it also reduces debit and credit card processing costs, which are higher when merchants are not PCI compliant.  

Review internal processes and train staff accordingly. Provider organizations should start by reviewing their processes and monitoring how they are handling cardholder data. For example, they should make sure staff are not writing down information and then transcribing it later into payment devices. Rather, data needs to be entered directly into payment devices to reduce liabilities and ensure the data is protected.  

Likewise, when patients pay over the phone, it is ideal for them to call into an interactive voice response (IVR) system that stores all data in a secure, PCI-compliant manner, rather than entering the information in a local application that stores the information on a local server. If providers utilize call centers, they should make sure recorded conversations where cardholder data may be discussed are moved to controlled, PCI-compliant environments, or the conversations are transferred to an automated, IVR solution that is PCI compliant so that the cardholder data is not included in a recorded conversation that might be stored in a non-PCI compliant manner.  

Outsource to a solutions partner. Providers should find partners that offer solutions for handling cardholder data that remove provider environments from PCI scope. This means the PCI-compliant vendor should be the only part of the system that handles the cardholder data, using methods such as hosting specific fields or frames on web pages where actual card information is captured. Likewise, they should offer validated point-to-point encryption (vP2PE) terminals as well as support EMV (Europay, MasterCard, and Visa) chip cards, which route information directly to PCI-compliant vendors’ server rather than to providers’ servers. In addition, solutions partners should offer PCI-compliant interactive voice response (IVR) systems. Providers should also use PCI-compliant “lockbox services” for handling mailed checks and statement slips containing cardholder data.  

Remove financial processing—and liability—from your scope. Being non-compliant with PCI standards is costly to providers, as credit card merchant processors charge merchants more for processing services if the provider does not maintain PCI certification. This could also mean data is at higher risk for security breaches, which are also costly to remediate. However, PCI compliance is becoming increasingly expensive for merchants to achieve on their own. Hospitals and other healthcare organizations can remove their infrastructure from PCI-scope through outsourcing to the PCI-compliant vendors. In cases where a point-of-sale terminal is desired, the provider should select vendors that also have support for validated point-to-point encryption terminals.  

Partnering to Develop Solutions

As patient financial responsibility continues to grow, debit and credit card payments from consumers will likely grow along with it. The good news is that healthcare organizations don’t have to address challenges accompanying payment shifts on their own.

By engaging solutions partners with expertise in financial security and compliance, hospitals and other providers can secure patient financial data, decrease merchant processing costs and cost of PCI compliance, and reduce their liabilities while protecting their bottom lines.


Gary Word, Ph.D., is vice president, Consumer Payments, Change Healthcare.

Publication Date: Friday, May 19, 2017