Guest Blogger: Jeff Lin, Senior Vice President of Product Management, InstaMed
The Washington Post has deemed 2015 “the year of the healthcare hack” with multiple large-scale breaches already compromising the data of more than 100 million U.S. consumers. An issue compounding healthcare’s vulnerability is the rapid increase of consumer payment responsibility since the Affordable Care Act (ACA).
Healthcare organizations are seeking ways to connect electronically with consumers to streamline the payments process, improve cash flow and protect data, which can significantly reduce the risk of a breach. Accepting consumer payments electronically, however, means complying with strict and complex financial and healthcare security regulations, which can be costly and time consuming. Furthermore, without enterprise-level security, healthcare organizations leave sensitive payment information exposed to unauthorized access at every point where it is handled.
Based on my experience as the Senior Vice President of Product Management at a healthcare payment technology company, I have listed below the essentials to payment security in healthcare, so that you can quickly understand the risks and ways to mitigate them.
1. New Technology in Payment Collection
Challenge: Consumer payments in 2011 made up $400 billion of the total U.S. healthcare payments market, which is expected to reach $5 trillion by 2022. Payers and providers are looking for new ways to let consumers better manage their healthcare payments, in order to maintain revenue and improve cash flow. As access to electronic payment channels increases, healthcare providers must be aware of the resulting implications for data security. In fact, one major company alone saw a 46 percent drop in profits after experiencing a breach of its payment data.
Opportunity: So, how can you defend against potential breaches? Payment data must be encrypted as soon as it is captured at the time of payment and not decrypted until it reaches a secure end point, a process called point-to-point encryption (P2PE). Encryption isolates the payment data so that no system between the capture device and the secure end point ever handles it in clear text, which means it cannot be leaked or accessed along the way, thus reducing the risk of a breach.
2. Financial Regulations are Evolving Quickly
Challenge: Healthcare payments are the most regulated and scrutinized transactions in the U.S. economy, so healthcare merchants must meet high levels of compliance to accept and process payments from consumers. Staying current with compliance regulations can require a great deal of resources, especially with the EMV fraud liability shift in October 2015 and updates to the Payment Card Industry Data Security Standard (PCI DSS).
Opportunity: Healthcare merchants can select a secure payments platform that has achieved and maintains certification to the highest standards for both handling protected health information (PHI) and securing the exchange of financial data. Trusting vendors that self-attest to being “compliant” can be dangerous. Instead, ask to see the vendor’s security credentials, which must be independently validated by reputable security firms or industry organizations.
3. Minimize the Costs of Compliance and Reduce Risk of Liability
Healthcare merchants need to understand the challenges and opportunities of two important regulatory changes in order to minimize the costs of compliance and the risk of liability from a breach, and they need to do so right now.
- EMV Fraud Liability Shift: As of October 2015, healthcare organizations that have not implemented EMV acceptance will assume liability for accepting a counterfeit card at the point of sale. Healthcare organizations that accept payments at the point of service should ensure they have devices and a POS solution that can read chip cards.
- Updated PCI Standards: PCI version 3.0+ went into effect in January 2014 and contains 20 evolving requirements beyond the previous version, including requirements on penetration testing and vendor relationships. Healthcare merchants can reduce or even eliminate the costs of PCI compliance through seamless payment integration across existing processes and systems, so that clear-text credit card information never flows through their networks.
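As an added example, not code from InstaMed or from any product described in this post, the following Go program ties together the two technical points made above: the P2PE flow from section 1, in which card data is encrypted on the capture device and decrypted only at the end point that holds the key, and the PCI scope check from this section, in which a merchant verifies that no clear-text card number appears in the records its own systems hold. The key derivation, envelope layout, device identifier, log formats and the well-known test card number are all constructed for illustration; a real P2PE device uses DUKPT key management in validated hardware, and this single-process demo only stands in for that. The scanner is a general PAN-discovery check (regex for 13 to 19 digit runs plus a Luhn test) that can be run over any log or file a merchant system produces, not just the two constructed lines here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"regexp"
)

// Constructed sample data: a well-known test PAN (not a real card) and a base key
// that only the payment device and the decryption endpoint hold, never the merchant.
const samplePAN = "4111111111111111"
var baseKey = []byte("constructed-base-key-for-demo-only")

// Envelope is what leaves the payment device: ciphertext, the metadata the secure
// endpoint needs to re-derive the key, and the last four digits for receipts.
type Envelope struct {
	DeviceID   string
	Counter    uint32
	Nonce      []byte
	Ciphertext []byte
	Last4      string
}

// newGCM derives a per-transaction AES-256-GCM key. The HMAC derivation is a
// simplified stand-in (an assumption here) for the DUKPT scheme real devices use.
func newGCM(deviceID string, counter uint32) cipher.AEAD {
	mac := hmac.New(sha256.New, baseKey)
	mac.Write([]byte(fmt.Sprintf("%s:%d", deviceID, counter)))
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte digest is a valid AES-256 key
	gcm, _ := cipher.NewGCM(block)           // cannot fail for an AES block
	return gcm
}

// Capture runs on the payment device: the PAN is encrypted the moment it is read.
// The device ID is bound as associated data so an envelope cannot be re-attributed.
func Capture(deviceID string, counter uint32, pan string) (Envelope, error) {
	gcm := newGCM(deviceID, counter)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(deviceID))
	return Envelope{DeviceID: deviceID, Counter: counter, Nonce: nonce,
		Ciphertext: ct, Last4: pan[len(pan)-4:]}, nil
}

// Decrypt runs only at the secure endpoint; a tampered envelope fails to open.
func Decrypt(env Envelope) (string, error) {
	pt, err := newGCM(env.DeviceID, env.Counter).Open(nil, env.Nonce, env.Ciphertext, []byte(env.DeviceID))
	return string(pt), err
}

// MerchantLogLine is the merchant's record of a forwarded P2PE envelope; LegacyLogLine
// is the same record from a system still handling card data in the clear (both constructed).
func MerchantLogLine(env Envelope) string {
	return fmt.Sprintf("txn device=%s ctr=%d last4=%s ct=%x", env.DeviceID, env.Counter, env.Last4, env.Ciphertext)
}

func LegacyLogLine(deviceID, pan string) string {
	return fmt.Sprintf("txn device=%s pan=%s", deviceID, pan)
}

// PCI scope check: does text a merchant system holds contain a clear-text PAN?
// Candidates are 13-19 digit runs; the Luhn check weeds out most other numbers.
var panCandidate = regexp.MustCompile(`\b\d{13,19}\b`)

func luhnValid(s string) bool {
	sum := 0
	for i := range s {
		d := int(s[len(s)-1-i] - '0')
		if i%2 == 1 { // every second digit from the right is doubled, then digit-summed
			d = d*2%10 + d*2/10
		}
		sum += d
	}
	return sum%10 == 0
}

func FindClearTextPANs(text string) (found []string) {
	for _, c := range panCandidate.FindAllString(text, -1) {
		if luhnValid(c) {
			found = append(found, c)
		}
	}
	return found
}

func main() {
	env, _ := Capture("term-01", 7, samplePAN)
	fmt.Println("legacy log leaks:", FindClearTextPANs(LegacyLogLine("term-01", samplePAN)))
	fmt.Println("P2PE log leaks:", FindClearTextPANs(MerchantLogLine(env)))
	pan, err := Decrypt(env)
	fmt.Println("endpoint decrypt:", pan, err)
}
```

Run as written, the legacy log line is flagged as carrying a clear-text PAN while the P2PE log line is clean, and only the endpoint recovers the card number. In a real deployment the base key would never be present on the merchant side, so a merchant's systems could not decrypt the envelope even if they wanted to; that is what takes them out of PCI scope for stored card data.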
Conclusion: Security risks and compliance requirements for healthcare payments are an important part of any organization’s risk management strategy; however, managing them does not need to be a drain on your organization’s resources. Download our white paper for the most comprehensive guide on compliance and security to promote efficiency and help healthcare organizations to thrive with innovative and secure payment solutions.