"Point-of-sale systems are responsible for 48% of assets compromised in healthcare data breaches." (2012 Verizon study)
The above study was quoted by Modern Healthcare regarding the latest large-scale healthcare cyberattack. Last week, Banner Health disclosed a breach that may have affected up to 3.7 million patients, the 8th largest data compromise for a healthcare provider to date (payer Anthem’s 2015 breach affected 78 million). Interestingly, the initial cyberattack was not targeted at the EHR system or key employees. Instead, the hackers targeted the systems that processed credit card payments for food and beverage purchases at Banner facilities. They then leveraged that data to gain access to patients’ medical records and other information.
However, that was not the only payments security breach last week. Security researchers suggested that an exploit in Oracle MICROS cash registers may have exposed tens of millions of consumers’ personal data. While not a healthcare-specific attack, it goes to show that it only takes one vulnerability to expose sensitive customer data. In this case, 330,000 cash registers in 180 countries may have been compromised.
Protecting More Than Just Health Records
HIPAA compliance is gospel among healthcare providers, but protecting customer and employee data isn’t limited to protected health information (PHI). The emphasis placed on PHI suggests that providers are most concerned with securing this data, and rightly so. That said, neither providers nor consumers can afford to neglect the other potential points of entry for hackers and ‘spear-phishers’, particularly when the data from one system can be used to access other systems. This is how criminals attack at scale: by gaining access to a network through a single entry point.
Besides PHI, the most sensitive patient data to which healthcare providers have access is credit card and/or banking data. While HIPAA compliance is absolutely required and emphasized at every healthcare-related business, the regulatory environment around payments is less defined. Payment Card Industry (PCI) standards are typically followed by payment processing vendors, but they don’t carry the same federal oversight that holds providers accountable to policies like HIPAA. It goes without saying that every part of your payments solution should meet the highest level of PCI compliance.
Most providers and practice managers have neither the time nor expertise to manage the complex chain of vendors required to accept, process, and post patient payments. Given the unique nature of healthcare transactions, a patient payment may come from as many as 7 different sources. For some providers, this means contracting with multiple vendors for each source while still having to manually reconcile and post all payments back into the EHR/PM system. Every additional vendor increases vulnerability in the event of a cyberattack.
The Patient Payment Technology Platform Approach: One Vendor for All Payment Processing Activities
Using a patient payment technology platform consolidates risk by eliminating as many as 10 vendors from your data ecosystem. This consolidation makes the risk easier to manage while keeping payment data isolated from the systems that manage patient health records. Processing all patient payments on one platform enables automatic consolidation, deposit, and posting back to the system without the security risks of doing these tasks manually. Payment platforms also allow providers to store patient credit card information with proper encryption so that both patients and staff can enjoy the convenience of automatically making a payment (or payments, if on a payment plan).
Cybersecurity is a constantly evolving struggle that requires technology partners who will repeatedly rise to the challenge of defending against evolving threats. Choose a payment processing partner who can meet your needs and protect your patients’ data from bad actors.