Healthcare Providers More Vulnerable Than Ever to Cyber Attacks
The Case for PCI Compliance Now

Health care providers have never been more vulnerable to data breaches and cyber attacks. Healthcare is the second largest industry in the U.S. and is even more vulnerable in the sense that not only is hacker meddling costly in terms of time and money, it can threaten lives as well. In 2017, the healthcare sector in the U.S. experienced more than twice the number of cyber attacks of other industries – an average of 32,000 intrusion attacks per day per organization compared to 14,300 per organization in other industries. [Techcrunch]

While cyber attacks present a very real and growing threat to every kind of organization, they pose a particular danger to healthcare providers because typically such organizations have a very low tolerance for service outages and downtime, and of course hackers are well aware of this and leverage this vulnerability to hold them to ransom. Hackers these days are looking for a wide variety of potentially valuable information including health care information, personal information, and of course credit card data.

Given this type of environment, healthcare providers have an obligation to ensure that their security systems and procedures are up to date and their patients have a right to expect that their confidential information is being protected. Now, more than ever it is important for businesses in the healthcare sector to take the necessary steps to ensure PCI compliance for the protection of both their customers and the financial health of their businesses.

What is PCI Compliance?

PCI (Payment Card Industry) Compliance, is a security standard that was developed by major credit card brands just a little over ten years ago to help assist service providers and merchants better protect the credit card data as it’s transmitted and stored in their organization. All industries – including healthcare- are required to comply with PCI. If your organization doesn’t know what level of compliance fits your transaction volume, there are four (4) different levels and you can get additional information about these levels from your credit card processor.

The steps you will need to take to become PCI compliant will depend in part on what method or methods that patients are using to pay their bills. For example, if you are sending out bills by mail and allowing patients to mail back payment with their credit card #s enclosed, you need to be aware of the risks associated with this particular practice. While many have phased out this method, others have not. For those that still collect payments in this manner there are important things that they need to consider. For starters, PCI Compliance standards do NOT just apply to digital data. PCI Requirement #9 contains many compliance requirements related to paper records and the need to secure those records properly. It includes among other things references to data retention, data disposal, cross cut shredding, limited access and secure transmission. Credit details on paper, have been susceptible to fraud and theft long before digital payments were even an option, so that concern has always been there and it’s not going away.

Another common method of receiving and processing payments is having patients call in to settle their bill by talking to a live staffer and giving him or her their credit card information. There are certain security- related pitfalls associated with this method. First off, how secure is the environment in which a staffer or staffers are entering payment information? Are their computer stations locked down i.e. are they only set up to be used for entering information in one spot, as opposed to people having multiple windows open to perform a variety of other tasks? Are the people entering the credit card information allowed to have their smartphones at their desk? Pens and notepads?

Other factors to consider more from a customer service and efficiency standpoint are convenience and opportunity for error. Chances are, the pay over the phone option is only available during certain set working hours as opposed to 24/7. Customers may feel frustrated by long wait times when they call in as well as the fact that they have jobs and other duties during the day which make it difficult being put on hold for who knows how long, only to discover when they finally reach a live human being that they need to be transferred to a different department. As well, in a lot of healthcare organizations, processing payments is just one of the duties performed by their staff and during those times when the workload is heavy errors can and do occur which end up diverting time and energy away from other necessary activities in order to fix.

Why is PCI Compliance Important?

It’s not just the really big organizations that are subject to PCI Compliance anymore. In the not so distant past, if you were only doing five to ten transactions a month you didn’t have to worry about PCI compliance. Now, ANY merchant that accepts card payments must comply with PCI mandates. Failure to do so not leaves you vulnerable to data breaches and the bad publicity associated with those as well as their significant financial consequences in the form of fines, related fees and lost business.

Even if this has yet to happen to you there are other ramifications to consider for businesses that are not PCI compliant. These include significantly higher transaction fees from both acquirers (the financial institutions that processes credit and/or debit card transactions) and processors (the companies that communicate with the issuing banks to facilitate transactions and ensure payment). Sometimes these take the form of fines or extra processing fees that can be upwards of thousands of dollars more per month just for processing one particular credit card brand. Multiply that by all the credit cards that your patients are using and that’s a potentially big financial hit, irrespective of the bigger one you can take in the aftermath of a data breach. In extreme cases a credit card brand will just refuse an organization permission to accept their credit card, but this is (so far) quite rare for the simple reason that the credit card companies themselves don’t want to cut themselves off from these revenue streams.

How Can You Become PCI Compliant?

Many options exist today to help you become PCI compliant. Obviously, there is online credit card processing which is widely used (perhaps too widely in the opinion of some security experts). Other options are Point of Sale terminals at the actual health care institute or organization where you just come in with your credit card or debit card and process it right there on the spot as well as direct bill payments via your bank.

IVR Payments (Interactive Voice Response) also known as Automated Pay By Phone is another excellent option that is both compliant and cost-effective and therefore worth exploring because it can be done either internally or outsourced to a certified third party. Often outsourcing is the preferable option since many of these companies have platforms in place that can significantly reduce the overall scope of your PCI compliance. This technology allows your patients to make bill payments over the telephone via an automated phone system, as opposed to interacting with a live person. Protecting the confidentiality of your patients’ financial info is one of the key advantages to be gained by installing an IVR PBP system for your healthcare organization. Not only can they make a bill payment anytime that it’s convenient to them (even if that time is outside of your normal operating hours), by removing the need for interaction with a live person when paying their bill, your patients can rest assured that their sensitive personal information has not been compromised.


Ensuring PCI compliance need not be an onerous and stressful thing. Work with your acquirer, work with your bank, or you credit card firm. Make sure they aren’t assuming that you’re PCI compliant or that you’re not aware that you need to be. The best way to avoid the fines and to keep the acquirers happy is usually just engage yourself with the PCI assessor (often referred to as a QSA) and just do a GAP assessment. Find out how much security you already have or how much you need to become PCI complaint and try to keep up to date on emerging threats and making sure that your systems are not susceptible to them.

At Datatel, we help healthcare providers automated and secure payment transactions that take place over the telephone. Our Automated Pay-By-Phone and Payment Reminder services are comprehensive, cost-effective, and simple to implement and maintain, and will save you thousands in operational costs.

We’re Here to Help

What our clients are saying about us

“Never any issues with you guys! Things just work.”

Gerry Henstra, CEO, Henstra Business Solutions

“Customer service is a really big deal to us, and I am glad to do business with a company that obviously takes it as seriously as we do.”

Jeff Boatman, Global Client Solutions

“We’re happy with the IVR Payment system and it has been working well for us. Recently we also setup your newest SMS (text) receipts and found it to work great.”

IT Manager

“I want to command you and your team at Datatel on the job just completed for Tele-Response Center. The attention to detail and professionalism with which you approached the project was exemplary and greatly appreciated especially considering the several applications that needed to be implemented on short notice. Thanks again for your assistance getting this project off the ground so smoothly.”

Joe Grossman, Sr. Vice President, 121 Direct Response

“My team and I would like to commend Datatel on creating an IVR application that adds great value to our new Travel product. Your knowledge, input and expertise in IVR scripting, call flow management and overall IVR logistics made the development and implementation stages extremely easy to manage. Thank you for a well executed campaign that was launched on time and on budget.”

Ryan McCullough, Marketing Manager, Aegon Direct

“Great team to work with. I look forward to utilizing some additional capabilities in the future.”

Bob Griffin, VP of Operations, MedA/Rx

“We are very grateful for many years of mutually beneficial business relationship with Datatel and for impeccable customer service we have received during these years.”

Director of Student Accounts

“We, Standard Life, very much appreciated Datatel’s expertise, knowledge and support as we worked through the development and implementation stages. Our Clients appreciate the simplicity of the capability, while gathering very valuable feedback. Thanks for making this a very positive experience.”

Anne Pennell, VP, Customer Services Operations, Standard Life

“This was one of the best implementations I have been a part of. The communication was excellent and everything was responded to and dealt with swiftly. A real pleasure. We are looking forward to the impact this will have on our patient payments! Thank you!”

Kim Pace, Director Patient Accounts and Revenue, Chatham-Kent Health Alliance