By John Shin
Paying for medical costs “out of pocket” seems to always mean charging it to a credit card.
Healthcare costs have risen to the point that sudden medical expenses account for 62 percent of bankruptcies in the US. As a result, healthcare organizations have vast stores of information on their customers to help professionals make informed diagnoses and write effective prescriptions. And the business arm depends on credit card numbers to process transactions and get paid.
That simple detail, that hospitals accept credit cards, means they join the burgeoning ranks of companies that need to adhere to certain PCI compliance standards. As they generally excel at collecting people’s data, healthcare organizations need to become cybersecurity-competent. Too many hospitals are noncompliant with current regulations, and those that are compliant usually go further than they need to. People are either overprotecting their digital infrastructure or not protecting it enough.
Here’s what every medical business that accepts credit card payments needs to know about the PCI compliance they should be upholding.
Data breaches are generally on the rise.
PCI compliance is a cybersecurity standard that renders a wide variety of malicious cyberattacks null and void. As hospitals have only experienced more breaches and increased costs in the wake of those breaches, PCI compliance is a key standard to aim for as your first line of self-defense against an unknown internet threat.
This medical and payment data may be central to restoring someone’s health, but it might also be worth lots of money on the dark web to someone with more sinister inclinations.
Noncompliance can be expensive and embarrassing.
Businesses operating outside the bounds of PCI compliance leave themselves vulnerable to public relations damage and major expenses related to cybersecurity. Just consider what happened to Home Depot, or to a specific office of the government.
Home Depot suffered a malware breach that ended up affecting 56 million cards and had to pay a $19.5 million settlement for the breach. And hackers stole 4.2 million personnel files on government employees from the U.S. Office of Personnel Management (as well as security clearance background investigation information).
Pursuing compliance can be painful.
There’s the complete enterprise audit, in which organizations leave their network in exactly its current state and subject it to a wide variety of tests. From employees’ mobile phones to executive laptops, every piece of technological infrastructure gets examined for potential vulnerabilities. But this option is not only highly elaborate, it’s out of budget for many healthcare facilities.
That’s why others turn to network segmentation. Segmentation calls for achieving compliance on the parts of the network where credit cards are processed and transmitted. The rest can be overlooked while the relevant portion of the system achieves a kind of compliance.
Best practices make it easy to stay compliant.
This is about reverse engineering the routine that makes compliance a repeatedly achievable feat. Employees need to claim some ownership of cybersecurity issues in order to make your company more resistant to the associated threat.
Best practices should reveal themselves over time, like: train your people in the aspect of compliance most necessary at a given moment; stick to strong IT security measures; encrypt data end-to-end so that even if it’s lost or stolen, its content remains inaccessible; and don’t store or copy payment card data.
New solutions are emerging to take us there.
Point-to-point encryption (P2PE) is probably a pet innovation among those paying attention to PCI compliance. This mechanism renders card data useless from the moment it enters a merchant’s system all the way through the transaction cycle. This means the data is of no value to anyone who lacks the proper key to decrypt the number.
P2PE is the kind of compliance-friendly cybersecurity solution that 2019 calls for. This exact mechanism would have been useful in making stolen cardholder data less valuable to hackers in search of profit. But combining an EMV chip at the point of sale with tokenization and P2PE allows for a user-friendly way to achieve niche PCI compliance. It’s generally getting easier, not harder, to operate within a PCI-compliant environment.
John Shin is the Managing Director at RSI Security and has 18 years of leadership, management and Information Technology experience. He is a Certified Information Systems Security Professional, CISM, and Project Management Professional (PMP), and the principal author on multiple Internet privacy and security technology papers.