Editor’s Note: The following post will be of particular interest to our clients in the healthcare industries.
In 2014, Anthem, Inc., a managed care provider, was the victim of a cyber-attack which compromised the identities of over 80 million customers. The breach constituted a serious HIPAA violation, exposing the provider to substantial potential legal liability.
Unfortunately, this sort of healthcare provider breach is becoming ever more common. According to Ponemon Institute’s Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, we saw a 125 percent growth in healthcare cyber-attacks from 2010 to 2015, and the numbers are still trending in the wrong direction. The reason that healthcare providers are being targeted is that the information they maintain to provide care for their patients is often substantial enough that cyber criminals can use the data from a single healthcare provider to engage in identity theft. Additionally, cyber criminals target healthcare data because they recognize that many healthcare providers do not have the resources or technologies to prevent or to detect attacks. In essence, the fraudsters are betting that healthcare businesses are focusing on things other than payments security.
While the need to protect electronic health records and the information contained within these records is obvious, an often-overlooked point of vulnerability is credit card processing. Payment Card Industry Data Security Standard (PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA) rules require entities to maintain reasonable and appropriate safeguards for protecting credit card payments. How this actually translates into actionable steps is less clear. To that end, here are a few things to keep in mind when accepting credit card payments, to ensure that you’re meeting the compliance guidelines HIPAA and PCI mandate or recommend:
Ensure Your Processor Doesn’t Send SMS Credit Card Receipts
Some credit card processors send electronic receipts to your customers via text or SMS. Because these receipts contain “protected health information,” they must only be transmitted over secure technologies, which SMS is not. Therefore, if you want to provide receipts, either make sure they are delivered via secured email or are exclusively provided in paper form.
Any Physically Stored Card Numbers Must Be Secured
All businesses, not just healthcare entities, must comply with PCI DSS. One of the most basic requirements is that if you’re going to keep a written copy of a credit card authorization that lists the customer’s credit card number, it must always be secured under lock and key.
Secure Your Swiping Hardware
Traditionally, credit card payments were swiped via a countertop terminal. These devices are secure as shipped from OpenEdge, so the only concern there is ensuring that the internet connection the terminal uses to communicate is PCI-compliant. But if you’re using a Bluetooth device that converts existing hardware like an iPad or your cellphone into a card-accepting device, that hardware must be made secure. If you received this device from OpenEdge, then rest assured: it’s secure.
Ensuring you, as a healthcare provider, are complying with both HIPAA and PCI guidelines can be a daunting task. If you have questions about whether or not your payment processing solution is compliant, please reach out to our OpenEdge customer service department.