Chief Security Officer
Do you think Halloween is scary? If you’re not protecting healthcare payment data at your organization, then I promise you that witches, goblins and ghouls will not be the scariest things you encounter this month. Security threats lurk everywhere for the healthcare industry, and without proper technology and best practices in place, you are putting your organization at risk of a breach.
In the spirit of Halloween, here are a few spookified tips to help you improve healthcare payment security at your organization.
Securely Serve Up the Whole Payments (Pumpkin) Pie
Do you have a friend that always wants the largest piece of pie? Do you have another friend that turns down a slice unless it’s as thin as possible? People have different preferences, especially when it comes to how they want to pay their bills.
Rising patient payment responsibility and innovations in payment technology have created new opportunities for healthcare providers to collect payments from patients. That means more healthcare organization are opening up more payment options. The best approach to offering your patients more payment options is to offer them every payment option. Take a look at your payments pie; are you missing out on payments? Even if most of your patients prefer to pay a certain way, don’t exclude those patients who like other options, such as bank bill pay.
Opening up more payment channels will result in increased payments from patients who weren’t paying before. Of course, when you decide to expand your payment options, make sure you work with a vendor who can keep all of those channels secure.
Carve a Jack-O-Lantern – Not Your Network
We’ve talked a lot about the importance of security and PCI compliance. With so much payment data in healthcare, it can be difficult for organizations to reduce their PCI scope. This is especially true as healthcare organizations offer more payment options for patients, such as a patient portal. When you integrate payment functionality into your patient portal, how is sensitive patient payment information being stored? One option is for your IT team to carve out your networks to limit the exposure of payment data to your servers, thus reducing PCI scope. However, this type of project can cost tens of thousands to millions of dollars, especially for large, complex organizations.
Leave the carving for that pumpkin you picked out last weekend. When it comes to protecting data on your network, leverage the InstaMed Secure Token to keep cardholder data off your servers. Not only does the InstaMed Secure Token improve the security of your patient portal, but it can deliver a better patient experience, too.
A Latte People Have Chip Cards – Can You Accept Them?
Did you know there’s hardly any actual pumpkin in Starbucks’ Pumpkin Spice Latte? (Before 2015, there wasn’t any pumpkin at all.) It’s sort of like when a payment vendor says they can support EMV, but they really can’t.
Visa reports that over 3.5 million merchant locations are now accepting chip cards with 75 percent of U.S. storefronts now accepting chip cards. Additionally, the number of active chip cards increased from 159M in September 2015 to 509M as of March 2019. That’s a 219 percent increase since September 2015. Yet many businesses – including healthcare organizations – are still unable to accept this kind of payment transaction. Why?
The reality is that EMV is hard. There are plenty of expensive devices available for purchase that support chip card transactions, but having an EMV-capable device is not enough to actually process EMV transactions. Your merchant processing solution needs to be able to support EMV as well. In order to do so, your vendor needs to become EMV-certified with every processor they work with, every card brand and every device they offer. Not only is the certification process difficult and time-consuming, it also costs hundreds of thousands of dollars each time a vendor goes through the process. Ultimately, a lot of roadblocks can pop up, usually as a result of handoffs between your gateway, processor and acquirer.
When it comes to EMV, you’re really at the mercy of your payment vendor. By 2020, Mastercard and Visa will require that all U.S. merchants can accept contactless payments. Take control by working with a partner who can keep up with the latest payment innovations.
Don’t Be Fooled By a Great Costume
Hackers are targeting healthcare organizations more than ever before. A common tactic of hackers is social engineering, a non-technical method of human intrusion that relies on human interaction and often involves tricking people into divulging confidential information or breaking security procedures. Social engineering is difficult to protect against, partly because social engineers are usually in disguise. They are experts at acting like they belong in whatever environment they are trying to hack.
The best defense against this ever-growing threat is to train staff to be on the lookout for common social engineering tactics. More than 95 percent of past breaches were a result of human error, so develop your training with the assumption that your staff will make mistakes.
Here are some best practices to prepare your staff in the event of social engineering:
- Question strangers and always verify someone’s identity before revealing any confidential information.
- Keep an eye out for suspicious emails requesting information.
- Do not be afraid to involve a manager.
- Be skeptical!
- Know who your vendors are and always ask to see ID from anyone claiming to be your vendor.
Check Behind Every Door in a Haunted House
The creepiest parts of a haunted house are the unknowns hiding behind closed doors and down dark hallways. Just because you don’t see anything scary in the middle of a room does not mean you feel safe – you know something is lurking in the shadows! Apply this same level of alertness and skepticism to your organization’s security program. Make sure you always apply security patches when they are released and that you are regularly scanning your networks for vulnerabilities. If you don’t, hackers could exploit these vulnerabilities, get your data, and spook you, your business partners, and your patients.