Health care providers have never been more vulnerable to data breaches and cyber attacks. Healthcare is the second largest industry in the U.S. and is even more vulnerable in the sense that not only is hacker meddling costly in terms of time and money, it can threaten lives as well. In 2017, the healthcare sector in the U.S. experienced more than twice the number of cyber attacks of other industries – an average of 32,000 intrusion attacks per day per organization compared to 14,300 per organization in other industries. [Techcrunch]

While cyber attacks present a very real and growing threat to every kind of organization, they pose a particular danger to healthcare providers because typically such organizations have a very low tolerance for service outages and downtime, and of course hackers are well aware of this and leverage this vulnerability to hold them to ransom. Hackers these days are looking for a wide variety of potentially valuable information including health care information, personal information, and of course credit card data.

Given this type of environment, healthcare providers have an obligation to ensure that their security systems and procedures are up to date and their patients have a right to expect that their confidential information is being protected. Now, more than ever it is important for businesses in the healthcare sector to take the necessary steps to ensure PCI compliance for the protection of both their customers and the financial health of their businesses.

What is PCI Compliance?

PCI (Payment Card Industry) Compliance, is a security standard that was developed by major credit card brands just a little over ten years ago to help assist service providers and merchants better protect the credit card data as it’s transmitted and stored in their organization. All industries – including healthcare- are required to comply with PCI. If your organization doesn’t know what level of compliance fits your transaction volume, there are four (4) different levels and you can get additional information about these levels from your credit card processor.

The steps you will need to take to become PCI compliant will depend in part on what method or methods that patients are using to pay their bills. For example, if you are sending out bills by mail and allowing patients to mail back payment with their credit card #s enclosed, you need to be aware of the risks associated with this particular practice. While many have phased out this method, others have not. For those that still collect payments in this manner there are important things that they need to consider. For starters, PCI Compliance standards do NOT just apply to digital data. PCI Requirement #9 contains many compliance requirements related to paper records and the need to secure those records properly. It includes among other things references to data retention, data disposal, cross cut shredding, limited access and secure transmission. Credit details on paper, have been susceptible to fraud and theft long before digital payments were even an option, so that concern has always been there and it’s not going away.

Another common method of receiving and processing payments is having patients call in to settle their bill by talking to a live staffer and giving him or her their credit card information. There are certain security- related pitfalls associated with this method. First off, how secure is the environment in which a staffer or staffers are entering payment information? Are their computer stations locked down i.e. are they only set up to be used for entering information in one spot, as opposed to people having multiple windows open to perform a variety of other tasks? Are the people entering the credit card information allowed to have their smartphones at their desk? Pens and notepads?

Other factors to consider more from a customer service and efficiency standpoint are convenience and opportunity for error. Chances are, the pay over the phone option is only available during certain set working hours as opposed to 24/7. Customers may feel frustrated by long wait times when they call in as well as the fact that they have jobs and other duties during the day which make it difficult being put on hold for who knows how long, only to discover when they finally reach a live human being that they need to be transferred to a different department. As well, in a lot of healthcare organizations, processing payments is just one of the duties performed by their staff and during those times when the workload is heavy errors can and do occur which end up diverting time and energy away from other necessary activities in order to fix.

Why is PCI Compliance Important?

It’s not just the really big organizations that are subject to PCI Compliance anymore. In the not so distant past, if you were only doing five to ten transactions a month you didn’t have to worry about PCI compliance. Now, ANY merchant that accepts card payments must comply with PCI mandates. Failure to do so not leaves you vulnerable to data breaches and the bad publicity associated with those as well as their significant financial consequences in the form of fines, related fees and lost business.

Even if this has yet to happen to you there are other ramifications to consider for businesses that are not PCI compliant. These include significantly higher transaction fees from both acquirers (the financial institutions that processes credit and/or debit card transactions) and processors (the companies that communicate with the issuing banks to facilitate transactions and ensure payment). Sometimes these take the form of fines or extra processing fees that can be upwards of thousands of dollars more per month just for processing one particular credit card brand. Multiply that by all the credit cards that your patients are using and that’s a potentially big financial hit, irrespective of the bigger one you can take in the aftermath of a data breach. In extreme cases a credit card brand will just refuse an organization permission to accept their credit card, but this is (so far) quite rare for the simple reason that the credit card companies themselves don’t want to cut themselves off from these revenue streams.

How Can You Become PCI Compliant?

Many options exist today to help you become PCI compliant. Obviously, there is online credit card processing which is widely used (perhaps too widely in the opinion of some security experts). Other options are Point of Sale terminals at the actual health care institute or organization where you just come in with your credit card or debit card and process it right there on the spot as well as direct bill payments via your bank.

IVR Payments (Interactive Voice Response) also known as Automated Pay By Phone is another excellent option that is both compliant and cost-effective and therefore worth exploring because it can be done either internally or outsourced to a certified third party. Often outsourcing is the preferable option since many of these companies have platforms in place that can significantly reduce the overall scope of your PCI compliance. This technology allows your patients to make bill payments over the telephone via an automated phone system, as opposed to interacting with a live person. Protecting the confidentiality of your patients’ financial info is one of the key advantages to be gained by installing an IVR PBP system for your healthcare organization. Not only can they make a bill payment anytime that it’s convenient to them (even if that time is outside of your normal operating hours), by removing the need for interaction with a live person when paying their bill, your patients can rest assured that their sensitive personal information has not been compromised.

Conclusion

Ensuring PCI compliance need not be an onerous and stressful thing. Work with your acquirer, work with your bank, or you credit card firm. Make sure they aren’t assuming that you’re PCI compliant or that you’re not aware that you need to be. The best way to avoid the fines and to keep the acquirers happy is usually just engage yourself with the PCI assessor (often referred to as a QSA) and just do a GAP assessment. Find out how much security you already have or how much you need to become PCI complaint and try to keep up to date on emerging threats and making sure that your systems are not susceptible to them.

At Datatel, we help healthcare providers automated and secure payment transactions that take place over the telephone. Our Automated Pay-By-Phone and Payment Reminder services are comprehensive, cost-effective, and simple to implement and maintain, and will save you thousands in operational costs.