
Healthcare Providers More Vulnerable Than Ever to Cyber Attacks

The Case for PCI Compliance Now

June 27, 2022

As the second largest industry in the US, healthcare is a popular target for data breaches. This puts not only providers' own data at risk but also the data of their patients. According to Sophos' report The State of Ransomware in Healthcare 2022, 66% of healthcare organizations were hit by ransomware last year, up from 34% in 2020. This is a 94% increase over the course of a year, demonstrating that adversaries have become considerably more capable at executing the most significant attacks at scale. According to the same study, across all sectors the average cost to an organization to rectify the impact of its most recent ransomware attack was US$1.4M in 2021.

While cyber-attacks present a very real and growing threat to every kind of organization, they pose a particular danger to healthcare providers because such organizations have a very low tolerance for service outages and downtime. Hackers are well aware of this and leverage it to hold providers to ransom. Hackers are looking for a wide variety of potentially valuable information, including healthcare information, personal information, and of course credit card data.

Given this type of environment, healthcare providers have an obligation to ensure that their security systems and procedures are up to date, and their patients have a right to expect that their confidential information is being protected. Now, more than ever, it is important for businesses in the healthcare sector to take the necessary steps to ensure PCI compliance, for the protection of both their customers and the financial health of their businesses.

What is PCI Compliance?

PCI (Payment Card Industry) Compliance is a security standard that was developed by the major credit card brands nearly twenty years ago to help service providers and merchants better protect credit card data as it is transmitted and stored in their organizations. All industries, including healthcare, are required to comply with PCI. If your organization doesn't know which level of compliance fits its transaction volume, there are four (4) different levels, and you can get additional information about them from your credit card processor.

The steps you will need to take to become PCI compliant will depend in part on which method or methods your patients use to pay their bills. For example, if you send out bills by mail and allow patients to mail back payments with their credit card numbers enclosed, you need to be aware of the risks associated with this particular practice. While many have phased out this method, others have not. For those that still collect payments in this manner, there are important things to consider. For starters, PCI compliance standards do NOT apply only to digital data. PCI Requirement #9 contains many compliance requirements related to paper records and the need to secure those records properly. Among other things, it covers data retention, data disposal, cross-cut shredding, limited access and secure transmission. Credit card details on paper were susceptible to fraud and theft long before digital payments were even an option, so that concern has always been there and it is not going away.

Another common method of receiving and processing payments is having patients call in to settle their bills by talking to a live employee and giving him or her their credit card information. There are certain security-related pitfalls associated with this method as well. First, how secure is the environment in which employees enter payment information? Are their computer stations locked down, that is, set up only for entering payment information, as opposed to staff having multiple windows open to perform a variety of other tasks? Are the people entering the credit card information allowed to have their smartphones at their desks? Pens and notepads?

Other factors to consider, more from a customer service and efficiency standpoint, are convenience and the opportunity for error. Chances are, the pay-over-the-phone option is only available during set working hours rather than 24/7. As a result, customers may be frustrated by long wait times when they call in. They have jobs and other duties during the day that make it difficult to be put on hold for who knows how long, only to discover, when they finally reach a live human being, that they need to be transferred to a different department. In addition, in many healthcare organizations processing payments is just one of the duties performed by staff, and during periods of heavy workload errors can and do occur, which diverts time and energy away from other necessary activities in order to fix them.

Why is PCI Compliance Important?

It's not just the really big organizations that are subject to PCI compliance anymore. In the not-so-distant past, if you were only doing five to ten transactions a month you didn't have to worry about PCI compliance. Now, ANY merchant that accepts card payments must comply with PCI mandates. Failure to do so can leave you vulnerable to data breaches and the bad publicity associated with them, as well as potentially significant financial consequences in the form of fines, related fees and lost business.

Even if this has yet to happen to you, there are other ramifications to consider for businesses that are not PCI compliant. These include significantly higher transaction fees from both acquirers (the financial institutions that process credit and/or debit card transactions) and processors (the companies that communicate with the issuing banks to facilitate transactions and ensure payment). Sometimes these take the form of fines or extra processing fees that can be upwards of thousands of dollars more per month just for processing one particular credit card brand. Multiply that by all the credit card brands your patients use and that is a potentially big financial hit, irrespective of the bigger one you can take in the aftermath of a data breach. In extreme cases, a credit card brand will simply refuse an organization permission to accept its cards, but this is (so far) quite rare, for the simple reason that the credit card companies themselves don't want to cut themselves off from these revenue streams.

How Can You Become PCI Compliant?

Many options exist today to help you become PCI compliant. Obviously, there is online credit card processing, which is widely used (perhaps too widely, in the opinion of some security experts). Other options are point-of-sale terminals at the healthcare institution itself, where the patient comes in with a credit or debit card and the payment is processed on the spot, as well as direct bill payments via the patient's bank.

IVR (Interactive Voice Response) Payments, also known as Automated Pay By Phone, is another excellent option that is both compliant and cost-effective and therefore worth exploring. It can be implemented either in-house or outsourced to a certified third party. Outsourcing is often the preferable option, since many of these companies have platforms in place that can significantly reduce the overall scope of your PCI compliance. This technology allows your patients to make bill payments over the telephone via an automated phone system, as opposed to interacting with a live person. Protecting the confidentiality of your patients' financial information is one of the key advantages of installing an IVR pay-by-phone system for your healthcare organization. Not only can patients make a bill payment whenever it is convenient for them (even outside your normal operating hours), but by removing the need to interact with a live person when paying their bill, they can rest assured that their sensitive personal information has not been exposed to an employee.

Ensuring PCI compliance need not be an onerous and stressful thing. All you need to do is work with your acquirer, your bank, or your credit card firm. Make sure they aren't assuming that you're already PCI compliant or that you're unaware that you need to be. The best way to avoid the fines and to keep the acquirers happy is usually to engage a PCI assessor (often referred to as a Qualified Security Assessor or QSA) to perform a gap assessment. Find out how much security you already have and how much more you need to become PCI compliant, keep up to date on emerging threats, and make sure that your systems are not susceptible to them.

At Datatel, we help healthcare providers automate and secure payment transactions that take place over the telephone. Our Automated Pay-By-Phone and Payment Reminder services are comprehensive, cost-effective, and simple to implement and maintain, and will save you thousands in operational costs.
