Written by Adrienne Parkhurst on Jan 11, 2022
Strategies To Stop Healthcare Payment Data Breaches Before They Happen
Salucro is a leader in delivering innovative patient payment and billing technology to healthcare providers, all through a user-friendly platform that provides enhanced payment security and compliance safeguards to stop data breaches in their tracks.
Patients continue to bear a greater portion of their healthcare costs through larger deductibles, co-pays, and growing self-pay obligations, and many providers have employed a renewed focus on the use payment devices at the point-of-service to aid in driving patient collections where consumers are most likely to act, with a safe and secure transaction.
Like nearly every industry, the COVID-19 pandemic further accelerated the growth of digital payments in healthcare. Since the spring of 2020, consumers have increasingly sought out digital and contactless payment options as a means to limit in-person interactions at medical facilities, and providers need to be as vigilant as ever when it comes to payment security.
Security breaches occurred across several industries in 2020 and 2021 as organizations rapidly expanded their digital footprint to serve customers virtually. The healthcare industry has recently seen a host of breaches, non-compliance, and other frustrations relating to security, regulatory, and related compliance obligations involved with this more digitally-driven approach to patient payments.
While all organizations are responsible for securing their data, this is especially complex for healthcare providers who process patient payments with security requirements coming from a variety of sources, including HIPAA and PCI DSS. As healthcare providers evolve their payment offerings, they should continue to evaluate security implications when choosing digital payment technology partners, implementing new solutions, and educating staff how to use them.
In 2020 cyber-attacks increased by 73% in the healthcare industry.
According to the 2021 Data Protection Report there was a 73% increase in healthcare cyber-attacks resulting in 12 billion pieces of protected health information being breached in 2020 alone. Within the healthcare industry, external threat actors caused the majority of healthcare data breaches in 2020, according to Verizon’s 2021 Data Breach Investigations Report. Phishing and ransomware attacks both increased in 2020 - and these threats are ongoing.
Healthcare data breaches are the costliest of any industry at an average of $9.23 million per incident. Breaches or weak safeguards in patient systems can affect millions of individuals over a short amount of time. Not only do these breaches threaten healthcare providers’ bottom lines, they impact their reputations, with 54% of surveyed consumers saying that a data breach would have a major impact on their provider’s reputation.
It is also highlighted in Elavon’s Healthcare Payments Insight Report that healthcare providers have a unique opportunity to reinforce consumer confidence by communicating the actions they are taking to keep patient financial data safe.
According to Salucro’s Patient Payment Technology Report, more than a third of respondents want providers to modernize their digital payment options due to security concerns - 60% of surveyed patients were concerned about their credit or debit card information being stolen.
Receiving payments directly from patients poses obstacles unique to the healthcare industry.
The security standards for patient payments are much different than traditional requirements. The patient payment transaction is an often-underestimated source of confusion and under-compliance.
Often providers don’t know a patient’s final bill amount when they collect up-front, and many patient payments must be accounted for and tracked across more than one department, facility, or even practitioners. These types of obstacles slow the collection process, introduce margins for error, and pose data security and compliance risks.
Overcoming these obstacles in a way that minimizes business disruption and maximizes cash flow requires a deep understanding of patient payments while ensuring compliance associated with the applicable payment types. The compliance requirements under HIPAA, PCI DSS, and other information privacy and security frameworks impose overlapping but distinct obligations for providers.
In other words, just because you’re compliant with one security framework doesn’t mean you’re compliant with all of your obligations.
Given the broad scope of liability, providers need to implement healthy compliance programs for patient payments. Yet, compliance programs at hospitals and other medical facilities are difficult to manage and keep current, highlighting the importance of selecting a healthcare payments partner who can ensure you’re protecting patient data and working with the most recent security standards.
Now more than ever, healthcare providers should seek out ways to reduce the burden of compliance on their staff.
PCI DSS is the Data Security Standard established by the Payment Card Industry, and it applies to all entities that store, process, or transmit cardholder data. Its scope includes physical possession of cards, point-of-sale devices, and network components that store or transmit information like an online patient portal.
Healthcare providers must ensure PCI DSS compliance with those parts of their system network and devices that process, store, or transmit cardholder data. Depending on how a healthcare provider has structured its network, the cardholder data environment could be very complex and large and branch out across many integrated systems. This creates a significant compliance burden for providers to avoid costly data breaches.
Recent security concerns involving point-of-sale payment devices are causing many providers to reconsider their device strategy, and in some cases replace their entire device inventory to ensure proper security and compliance that protects cardholder data. Partnering with a healthcare payments provider who offers industry partnerships with leading device manufacturers can help you make the right device strategy and investment decisions from the beginning, avoiding costly overhauls entirely.
Three Key Strategies to Prevent Healthcare Payments Data Breaches
The sophistication and frequency of security attacks are on the rise. With the new reliance on a digital first approach to billing and payments and the always evolving and expanding threat environment, providers must continually monitor their security and compliance. When assessing security and compliance solutions, providers need to consider three key strategies to reduce liability with data breaches:
Data breach exposure can be reduced through network segmentation, which involves separating payment systems from other systems of a healthcare provider through network design and architecture. Network segmentation allows a provider to focus its compliance efforts on the specific components of a payment system that are subject to PCI DSS requirements.
However, providers still bear the burden of implementing and monitoring the network system that is put in place, and ensuring it stays in compliance.
Point-to-Point Encryption (P2PE)
P2PE technology enables a provider to reduce PCI DSS data compliance obligations relating to patient payments. A P2PE solution protects the cardholder data from the point of interaction to the payment processor or gateway. P2PE solutions are established based on specific Payment Card Industry standards and are provided by a third party through a series of secure devices and software that encrypts sensitive payment card information. But even with P2PE-secured devices, providers need to be vigilant about the partnerships and devices they select, as highlighted by recent security concerns around the usage of PAX terminals leading some payment processors to call for their replacement to reinforce payment security.
P2PE solutions greatly reduce the PCI burden on healthcare providers. It also removes the need for network segmentation and helps avoid potential liabilities, like audits, legal costs, fines, and penalties. In addition to allocating liability to a third party, the healthcare provider can save on the costs of continued monitoring and compliance that may be required without encryption solutions.
Payment Solutions Service Providers
Healthcare providers can further reduce PCI DSS liability by shifting the compliance obligations through contracts with payment solutions service providers.
Engaging a qualified third party to perform - and take ownership of - specific functions involving PCI DSS and similar compliance requirements can be an efficient way to shift these obligations away from your organization. These functions can include software licensing, device acquisition and maintenance, and data management.
How to Identify the Right Payment Solutions Service Partner
Finding the right technology partner is critical when it comes to maintaining the highest levels of security and compliance.
Healthcare organizations need to understand how to identify a technology provider that can offer a more flexible approach to streamline the payment process, who can enhance payment security and better manage PCI (EMV, P2PE, Tokenization), and limit the amount of sensitive payment data that goes through the healthcare revenue cycle system, from the point-of-sale to an online patient portal.
It’s important for providers to find a technology partner that offers a variety of secure solutions and allows them to accept payments at any point in the continuum of care that include:
- Omni-channel Options: Providers should search for a healthcare payments partner that offers omni-channel solutions, allowing patient payments to be accepted through a variety of methods including in-person and online.
- Integrated Solutions: Your technology partner should offer integrated solutions that send cardholder data directly from the card reader to your payment processor or gateway, ensuring that it never passes through your healthcare applications or network.
- P2PE: Additionally, a technology partner can help providers reduce their PCI scope with a certified and validated point-to-point encryption (P2PE) security solution.
It’s important to ensure that your technology partner has deep experience working with a variety of healthcare customers. Payment technology can be complicated, and not all partners are equal when it comes to knowledge, experience, innovation, and industry qualifications. Maintaining and protecting data is more important than ever, as the trend of shifting payment obligations directly to the patient is accompanied by increased scrutiny by regulators, industry parties, and actors seeking to exploit non-compliant or weak systems.
As the shift to a more digital first payment environment continues to be the new standard, healthcare organizations need to evaluate their strategies to prevent a data breach. Finding a trusted technology partner will help healthcare providers achieve success with implementing and maintaining secure and compliant patient payment solutions.
Connect with Salucro today to learn how you could better reduce your scope and minimize risk when accepting healthcare payments in the future.