Guest post by Rich McIver, founder, MerchantNegotiators.com.
In January of this year, Anthem, Inc., a managed care provider, learned of a cyber attack on its IT system. This attack, which occurred over several weeks beginning in December 2014, compromised the identities of over 80 million customers. The breach, in which the healthcare information of millions was compromised, constitutes a serious HIPAA violation, exposing the provider to potentially devastating legal liability.
Unfortunately, this sort of breach perpetrated against healthcare providers is becoming ever more common. The Ponemon Institute, along with ID Experts, issued a report in May this year that examined healthcare data breaches. The Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data calculates a 125 percent growth in healthcare cyber attacks over the past five years. Although employee negligence and lost or stolen devices still result in many data breaches, a shift is occurring from accidental loss to intentional targeting of data that reveals individuals’ names, Social Security numbers, and other personal information.
The reason that healthcare providers are being targeted is that the information they maintain to provide care for their patients is often substantial enough that cyber criminals can use the data from a single healthcare provider to engage in identity theft. Moreover, cyber criminals target healthcare data because they recognize that many healthcare facilities, including insurance companies, don’t have the resources or technologies to prevent or to detect attacks.
Anthem is a large corporate entity that can afford and deploy the technology required to protect HIPAA-sensitive data, and yet the breach still occurred. What can other healthcare businesses do to prevent or detect a cyber attack on HIPAA-sensitive data?
Meeting Standards, Avoiding Fines
The growing use of electronic health records and electronic protected health information (ePHI) accounts for the need to protect the information contained in these records. But while these records are often well secured, an often overlooked vulnerability point is credit card processing. The Payment Card Industry Data Security Standard (PCI DSS) and HIPAA rules require entities to maintain reasonable and appropriate safeguards for protecting credit card payments. How this translates into actionable steps, however, is less clear. To that end, here are four rules to follow when accepting credit card payments to ensure that you’re meeting HIPAA/PCI mandated or suggested compliance guidelines:
- Ensure Your Processor Doesn’t Send SMS Credit Card Receipts: Some credit card processors, like Square, send electronic receipts to your customers via text or SMS. Because these receipts contain “protected health information,” they must only be transmitted over secure technologies, and SMS is not one. Therefore, if you want to provide receipts, either make sure they are delivered via secured email, or provide them exclusively in paper form.
- Obtain a Business Associate Agreement With Your Processor: If your credit card processor only provides credit card processing, there is an exception in HIPAA that means you don’t need a typical Business Associate Agreement with your credit card processor. That exception, however, is very narrow and only applies to actual credit card processing. That means that if they are providing account analysis, reporting, or any of the ancillary services that processors offer, like creating gift cards, you likely need a Business Associate Agreement. You therefore have two choices: either limit the services that your merchant account services provider gives you, or obtain a valid Business Associate Agreement with them.
- Any Physically Stored Card Numbers Must Be Secured: All businesses, not just healthcare entities, must comply with PCI DSS. Visa, MasterCard, Discover, American Express, and JCB mandate this compliance to protect the customer’s data against theft and fraud. One of the most basic requirements is that if you’re going to keep a written copy of a credit card authorization that lists the customer’s credit card number, it must always be secured under lock and key.
- Secure Your Swiping Hardware: Traditionally, credit card payments were swiped via a countertop terminal. Those come off the shelf very secure, so the only concern there is ensuring that the internet connection the terminal uses to communicate is PCI compliant. But if you’re using a new type of swiper like the Clover Station, which converts existing hardware like an iPad or your cellphone into a card-accepting device, then that hardware must itself be made secure.
If your healthcare organization isn’t following the above guidelines, don’t feel alone. In fact, the Ponemon Institute study estimates that less than half of all healthcare organizations and their business associates fully comply with either PCI DSS or HIPAA. The fact that other healthcare providers aren’t fully compliant, however, shouldn’t discourage action on your part. Since 91 percent of healthcare operations and 59 percent of business associates experienced a data breach within the past five years, it’s not if, but when, it will happen to you and your patients.