As a rule, "compliance" is taken seriously in healthcare. Adhering to regulations ensures patient safety, maintains patient privacy, shields hospitals from financial penalties, and protects institutional reputations. For a number of reasons, though, hospitals have been slower to comply with regulations protecting credit card data.
Here are 5 things hospitals need to know to get up to speed with credit card security compliance:
1. Noncompliance is attracting more attention
Any location where a credit card is keyed in or swiped, and any network on which card data is stored or transmitted, is obligated to meet the Payment Card Industry Data Security Standards (PCI-DSS). Retail merchants have historically attracted the most attention for noncompliance with these security standards, but American hospitals have begun to attract similar scrutiny, for two reasons. First, more healthcare consumers are putting balances on credit cards. Second, most hospitals are capturing cardholder data via web services on their local PCs, making them vulnerable to hackers.
As Anthony Hernandez explains in New Perspectives, a publication of the Association of Healthcare Internal Auditors: "While the standard has been in place for some time, banks and credit card processors are only now beginning to reach out to individual hospitals, asking them to provide validation of their compliance. Risks of noncompliance can be significant—particularly in the event of a breach—including reputational damage, class-action lawsuits, fines from card providers, credit monitoring costs, insurance claims and even cancellation of merchant accounts."1
2. "Out of pocket" often means "charged to plastic"
The increase in High Deductible Health Plans (HDHPs) means rising out-of-pocket medical expenses for people who can't afford to pay for healthcare outright. According to a 2016 Kaiser Family Foundation poll, about one in four Americans with higher deductible plans said they had problems paying their medical bills.2 Of those who reported problems, 38% said their credit card debt had increased because of medical expenses.3
3. Data breaches are on the rise
Likely due to increases in credit card payments in medical settings, hospitals have become a greater target for hackers, resulting in an increased number of security breaches and associated costs. The healthcare industry has had the second largest number of security breaches of any segment in the last 12 months: there were 781 publicized data breaches in 2015, with 277 of these occurring in healthcare settings. (Over 112 million records were exposed as a result of these breaches.)4
4. The two traditional options for compliance are burdensome
Complete Enterprise Audit: In this first option for compliance, hospitals leave their existing network as is but must audit it comprehensively, from staff's mobile devices to executives' laptops, to identify vulnerabilities and breaches.
Because the enterprise option is prohibitively expensive for most healthcare facilities, more hospitals turn to the second option: Network Segmentation. In this option, hospitals must "segment" their network, meeting PCI-DSS only on the portions of the network where credit cards are processed and transmitted. This requires hospitals to take credit card payments on dedicated terminals, while processing on a distinct network that must be maintained separately from ordinary operations like email. While less expensive than the first option, the costs here remain substantial, including paying an FTE to manage the segmented network (e.g., securing configurations, maintaining firewalls, restricting access, protecting stored data and data in transit). Network segmentation maintenance typically costs upwards of $300,000 per annum as well.
Regardless of the compliance path, hospitals will still need to undergo a yearly audit of more than 300 questions (the Self-Assessment Questionnaire, Level D) and have an external auditor in to validate their SAQ.
For a sample SAQ, Level D, see: https://www.pcisecuritystandards.org/documents/SAQ_D_v3_Merchant.pdf.)
5. New solutions are emerging
In a March 2016 blog post, International Director of the PCI Security Standards Council (PCI SSC) Jeremy King (no relation to the author) describes his favored security solution: "Point-to-Point Encryption (P2PE) renders card data useless from the moment it enters a merchant's system all the way through the transaction cycle. This means it's of no value to anyone without the proper key to decrypt it. It secures the original data, and if it is stolen in transit, makes it really difficult for criminals to do anything with it. This would have significantly devalued the cardholder data stolen in compromises we've seen in recent months." According to King, combining the use of an EMV chip at the point-of-sale, tokenization, and P2PE "provides the best protection for payment data" as well as simplifying compliance efforts. Further, he writes, "A security expert recently described P2PE to me as 'the cheapest, easiest and most secure way to remove cardholder data from your systems.'"5
OnPlan Health and Bluefin Payment Systems recently launched healthcare's first end-to-end payment protection solution to utilize PCI-validated P2PE. Because the solution has been vetted and approved by the PCI SSC, hospitals that adopt it are insulated from potential fines or penalties from noncompliance, and can replace the lengthy SAQ Level D questionnaire with a 14-question alternative. Most important from a financial perspective, PCI-validation allows hospitals to avoid the two costs long associated with credit card security compliance: the cost of complete enterprise audits and the cost of maintaining network segmentation.
Conclusion
With the influx of credit card data into healthcare, hackers' strategies to steal that data are proliferating. The PCI SSC recognizes the new dangers and is turning its attention toward health systems and hospitals, validating solutions that can help everyone maintain cardholder privacy and payment security.
***
About the Author
David King, co-founder and CTO of OnPlan Health, has over 20 years of experience in the payments space including in healthcare and higher education. He was on an advisory group to the PCI Security Standards Council from 2006 through 2010 and also served as a member of the National Automated Clearing House Association (NACHA) Council for Electronic Billing and Payments. David has presented extensively across the US and Australia as an expert in data security and compliance.
1 “Healthcare Organizations and PCI Compliance: Get Ready for Scrutiny,” by Anthony Hernandez, Association of Healthcare Internal Auditors - New Perspectives (Spring 2012).
https://www.grantthornton.com/staticfiles/GTCom/Health%20care%20organizations/New%20Perspectives%20Spring%202012.pdf.
2 “The Burden of Medical Debt: Results from the Kaiser Family Foundation/New York Times Medical Bills Survey,” by Liz Hamel, Mira Norton, Karen Pollitz, Larry Levitt, Gary Claxton, and Mollyann Brodie. Jan. 5, 2016. http://kff.org/report-section/the-burden-of-medical-debt-section-1-who-has-medical-bill-problems-and-what-are-the-contributing-factors/.
3 “The Upshot: ‘I Am Drowning.’ The Voices of People With Medical Debt,” by Margot Sanger-Katz, Jan. 11, 2016.
http://www.nytimes.com/interactive/2016/01/11/upshot/12up-medicaldebt.html?rref=upshot&smid=tw-upshotnyt&smtyp=cur.
4 http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf.
5 “Devaluing Data with Point-to-Point Encryption: 3 Tips for Merchants.”
http://blog.pcisecuritystandards.org/devaluation-data-with-point-to-point-encrytion-3-tips-for-merchants.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.