If you’re an MSP whose areas of vertical specialization include healthcare, you’ve no doubt had many extensive discussions with clients about compliance with the Health Insurance Portability and Accountability Act, or HIPAA. You’ve probably implemented some technology and services pertaining to that compliance. However, healthcare players of all stripes also need to pay equal attention to compliance with the Payment Card Industry Data Security Standards (PCI DSS), as those that don’t can suffer a multitude of consequences.
In addition to ruining or heavily damaging their relationships with patients, incurring stiff penalties and possibly paying the price for patient credit monitoring, healthcare providers that aren’t PCI compliant could find themselves banned by the card associations from processing transactions, which has a high potential for causing patient attrition.
As a trusted advisor to your clients, it’s up to you, and in the interest of your client relationships, to impart three golden PCI compliance-related rules to healthcare providers.
Rule #1: Put down that pen (and have patients do the same)!
Recording patients’ financial transaction data on paper opens payment details to repeated risk of exposure. What do we mean? In many healthcare practices and facilities, patients and/or administrators put credit or debit card details on patient registration forms and the like. This data is subsequently entered into a computer, but frequently, paper forms leave patients’ credit card data (and perhaps other financial information) circulating around the office for extended periods of time—for example, forms are sometimes kept around in order to process recurring charges or payment plan installments. Each time a credit card transaction is made, the data are exposed to risk from parties inside the organization (e.g., dishonest employees) as well as from outside (e.g., dishonest building staff rifling through stacks of paper on a receptionist’s desk after hours). You get the idea.
Let healthcare clients know that it’s better to avoid recording any of patients’ financial data on paper. If this can’t be avoided, the paper should be under lock and key (in a safe). All forms should also be shredded as soon as they’re no longer needed by the healthcare provider, either because the data is stored in a computer with the appropriate security controls or the patient in question is no longer receiving services at the office, hospital, lab or other establishment.
Rule #2: Strengthen all defenses.
This means end-to-end encryption of all data from financial transactions, no matter how extensive (or brief). Clients should have a business associate agreement (BAA) in force with every vendor whose technology plays a role in these transactions, but that BAA extends to HIPAA compliance only. Consequently, any vendor whose technology offerings “touch” the transactions executed by your healthcare clients, from the moment information is captured at the point of payment (we won’t say “point of sale,” lest there be confusion), should be PCI compliant. Don’t take vendors’ word for it; vet them for PCI compliance instead, because every additional vendor involved in patient financial transactions brings yet another element of risk.
Additionally, while not a requirement, it’s a good idea for healthcare providers to make the transition to point of sale equipment that accommodates chip-enabled credit cards. Under the Europay/Mastercard/Visa liability shift, which went into effect in October of 2015, liability for fraudulent card-present transactions shifts from card issuers to merchants—unless those merchants (healthcare providers among them) have migrated to point of sale technology that’s EMV-compliant (i.e., it can handle transactions initiated with chip-enabled cards). You might want to point out to healthcare providers that consumers are becoming increasingly cognizant of the security benefits of EMV-compliant technology—so they may be much more likely to trust (and remain on the patient rolls of) providers that have replaced their older credit card readers with the EMV version.
Rule #3: Just say ‘yes’ to PCI compliance training and audits.
Despite the extensive training they devote to HIPAA compliance, some healthcare players ignore PCI DSS or give it short shrift—even though HIPAA doesn’t necessarily cover the risks associated with processing credit card transactions. Let your clients know why it’s important to train their employees on PCI DSS compliance—and offer to help them do so. They should also consider a PCI compliance audit and make financial transactions a part of their breach plan—and again, you can play a role here while opening new revenue streams.
These rules aren’t complicated or difficult to follow—but they’re important. It’s incumbent on you to treat them as such, and to help your clients do the same.