Common PCI Compliance Mistakes When Processing Patient Payments

By Patrick Creagh, Marketing Specialist

Lately the headlines have been filled with reports of data breaches across every industry, but the largest and most frequent targets have been healthcare organizations and their business partners. Medical records carry a higher value than credit card data, so it makes sense that hackers would target hospitals and other healthcare providers. The purpose of this post is to educate you on the difference between HIPAA and PCI compliance and on how to avoid vulnerabilities slipping through the cracks of your security plan.

Two Sets of Data Security Guidelines

Every healthcare provider should be familiar with the HIPAA guidelines regarding patient data. However, healthcare organizations (and their associated partners and vendors) need to also take a closer look at the payment card industry data security standards (PCI DSS or PCI) as part of their cybersecurity audit. While HIPAA covers the appropriate handling, usage, and disclosure of protected health information (PHI), the PCI guidelines offer technical security specifications as well as procedures for handling credit/debit card transactions. Both HIPAA and PCI are mission critical to protecting patient data as the two often intersect during an episode of care.

Just because hackers are targeting hospitals for their medical information doesn’t mean they won’t try to access their patient financial transaction data as well. In fact, if a hospital is deemed vulnerable to a breach of medical information, it’s likely that there are cracks in its financial data security as well.

Cost of Non-compliance

While HIPAA violations and ransomware are costly obstacles for providers, a breach of financial data that occurs due to lack of PCI compliance has its own set of high stakes. In addition to damaging your reputation with patients, you may be blocked from processing credit card transactions for non-compliance, making post-incident patient transactions very difficult. Legal liability is a concern as well, as many companies that have recently experienced a breach paid for credit monitoring services for all those affected.

If you currently process patient transactions online or at the point of service, make sure you aren’t making the mistakes listed below:

Mistake #1: Recording Financial Transaction Data on Paper

This is one of the most common sources of vulnerability we see in visits to potential provider clients. Often, patients or administrators record credit card data along with identifying information on paper forms which are later entered manually into a computer for processing. In addition to being a slow, manual, outdated process, paper transaction forms leave patient financial information floating around a business office for unknown periods of time. Sometimes providers keep this information on hand for recurring charges or payment plans; each time it is accessed for a charge, the information is further exposed to risk from outside and inside the organization.

If you must store credit card data on a paper form for any reason, keep that information locked in a safe and shred the paper as soon as that data has served its purpose. Patientco recommends not putting any financial data on paper at any time.

Mistake #2: Weak Link in Your Technology Stack

In cybersecurity, you are only as secure as the weakest point in your technology stack. End-to-end encryption of all financial transactions is non-negotiable. Look at the path a patient transaction takes from swipe or data entry to posting. How many vendors are involved in this transaction, and are all of them PCI compliant? You should have a business associate agreement (BAA) in place for each vendor/partner, but know that a BAA only covers HIPAA compliance; vet them for PCI compliance as well. Each vendor involved in a patient financial transaction adds a new dimension of risk.

It’s important that both your software and hardware are secure. EMV credit card readers with point-to-point encryption are now required for credit card transactions in the US; merchants who have yet to transition to these special readers are liable for chargebacks and fraudulent transactions. EMV card readers are also a sign to patients that you prioritize data security and will help build trust when making a payment.

In addition to your terminals, evaluate the security of your internet service provider and the computers/servers used to manage and store this data. Staying on top of security patches is your responsibility, and most technology companies issue security updates regularly.

Mistake #3: Not Planning Ahead

For all the preparation dedicated to handling and protecting patient medical data with HIPAA-compliance training, HIPAA does not necessarily cover the risks associated with processing credit card transactions, especially ones that may be linked to healthcare information. Consider a PCI compliance audit and make financial transactions a part of your breach plan.

Fostering a “culture of compliance” with your employees can prevent a crippling financial blow to your organization. This is especially important for your end users, as these employees are often targeted with phishing attacks or other scams to compromise data.

Conclusion

No provider wants to be a headline related to a cybersecurity incident. While fostering a culture of compliance and carefully evaluating your payment processing technology stack will insulate you from attacks, no organization is invincible. Improving your data security should be an ongoing, proactive process, and doing so will help ensure you have diminished the risk of losing your patients’ financial data and, worse, their trust.

Heading to HFMA’s 2016 ANI Conference? Schedule a demo to learn how Patientco can help you increase patient revenue and process patient payments more efficiently.