If you were to perform triage on the competing priorities of managing a healthcare office, the security of your patients’ personal, health, and financial data would sit at a very urgent level.
Healthcare is consistently at the top of the list of industries affected by data breaches because patient information, with its wide array of data points, is highly valuable and can be vulnerable to misuse. This is the eleventh consecutive year in which healthcare has had the highest cost of a breach.[1] Data thieves are becoming more creative and advanced, and the number of healthcare organizations attacked, plus the costs associated with each attack, continues to rise.[2] These high costs are often associated with new software implementation, legal fees, PR and communication, reputation repair, and governmental fines.
The security of patient data, including payment information, is critical to your patients’ privacy, your organization’s reputation among patients and peers, and to your financial well-being. This e-book covers the state of healthcare payment data threats and measures you can take to better protect your practice.
Healthcare organizations interact with a massive amount of data, ranging from Protected Health Information (PHI) to sensitive financial information, that is susceptible to exposure from human error, internal leaks, and hackers. While the healthcare industry is becoming more and more reliant on technology and connected devices, many provider offices also still depend on simple email and physical mail to distribute billing statements, test results, and more.
Due to the combination of these factors, plus the large number of employees and contractors who have access to systems, healthcare is consistently ranked among the top verticals for data breaches and hacking instances.
In 2020, COVID-19 stretched healthcare offices thin and forced new policies and remote operations into place. In some offices, security was overshadowed by the daily demands of keeping the doors open, and attackers capitalized on the upheaval with large numbers of attacks. In 2020, cyberattacks on healthcare more than doubled.[2] The average cost of a data breach in the healthcare industry in 2021 was $9.23 million, a 29.5% increase from 2020.[1]
The biggest breaches are typically the ones that make the news (large organizations with millions of patient PHI and financial records compromised), but data breaches in healthcare are not limited to a certain practice size. While large organizations have more records to compromise, they also tend to have advanced technology, tighter security measures, and bigger cybersecurity teams, making them a tougher target.
Small- to medium-sized healthcare organizations also store large amounts of sensitive data, yet their networks tend not to be as well protected, which makes cyberattacks much easier to carry out and still highly profitable for the thief. In Q3 of 2020, more than 70% of ransomware attacks on healthcare organizations targeted practices with fewer than 1,000 employees.[4] In Q4 2020, 65.9% of healthcare ransomware attacks were on small- and medium-sized practices.[4]
In 2021, human error occupied the top spot as the most common data breach threat in the healthcare industry. “The most common error continues to be misdelivery (36%), whether electronic or of paper documents.”[6] The two main categories of misdelivery are emails sent to the wrong address and mass mailings in which the envelope is addressed to a recipient who does not match the contents.[7] While this type of error can have serious repercussions, it can be reduced or avoided with preventive measures such as verifying recipient information before sending.
73% of health system, hospital, and physician organizations report that their infrastructures are unprepared to respond to a data breach.[8]
With the clear threat of cyberattacks and other data breaches, and the potentially catastrophic consequences of being affected by one, it’s imperative to choose healthcare technology partners that understand the risks, that continuously take measures to protect your organization’s data, and that make it easier for you to meet compliance requirements.
A significant number of healthcare organizations are planning to either keep certain employees remote, or to keep processes in place that will allow an easier transition to remote work in the future.
Functions such as revenue cycle management, scheduling, and even patient visits (through telehealth) are shifting away from on-premises operations. Moving to a work-from-anywhere model can open the door to new security vulnerabilities.[9]
Cloud-based technology is enabling this new flexible workforce paradigm. Cloud computing not only allows users to access information remotely; it also offers automated backups and disaster recovery options. In the case of a breach, healthcare providers can use cloud computing to avoid losing data and to minimize downtime for their staff.
Most current cloud providers offer security, risk management, and monitoring services to protect their users from unauthorized access and breaches.[9]
As a part of the healthcare sector, you are already familiar with HIPAA and the importance of staying compliant. Can your technology providers say the same? If your office and patient technology does not specify that it is HIPAA compliant, sensitive patient health information could be at risk of exposure. According to the standards set forth by the U.S. Department of Health and Human Services, PHI covers all “individually identifiable health information,”[12] which specifically includes demographic information such as name and address, as well as credit card numbers. Any piece of information that can be traced back to an individual is subject to HIPAA regulations.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements that businesses must follow when they accept credit or debit cards for payment. It is the ongoing responsibility of healthcare organizations to confirm their PCI compliance with yearly assessments. A payment processing partner that understands PCI requirements and maintains its own compliance makes it easier for your organization to become and stay compliant and can even complete compliance requirements on your behalf.
To meet point-to-point encryption (P2PE) requirements, payment card data must be encrypted immediately at the point-of-sale terminal, and it cannot be decrypted until after it has been securely transported to and processed by the payment processor. PCI-validated P2PE solutions minimize the burden that practices must bear each year to obtain PCI compliance by “reducing PCI scope,” which means decreasing the amount of cardholder information that a practice possesses. P2PE solutions cut down the “scope,” the range of data that can be compromised. This level of encryption prevents clear-text cardholder data from being available in the point-of-sale device or in the practice’s system, where it could be exposed to malware.
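To make the P2PE flow above concrete, here is an added illustration (not Rectangle Health's code or any PCI-validated product): a terminal enrolls a per-device key with the processor and encrypts card data at capture with AES-256-GCM, the practice's software only ever sees a masked PAN and ciphertext, and only the processor can decrypt. The names, the simplified key scheme (real P2PE solutions rely on hardware key injection and derived per-transaction keys) and the test card number are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strings"
)

// Payload is all a P2PE terminal hands to the practice: a mask plus ciphertext, never the PAN.
type Payload struct {
	DeviceID, MaskedPAN string // mask keeps first 6 and last 4 digits
	Nonce, Ciphertext   []byte // AES-256-GCM over "PAN|expiry", bound to DeviceID
}
// Processor alone can decrypt; a Terminal holds only its own device key
// (injected at a key-loading facility in real P2PE, generated inline here).
type Processor struct{ keys map[string]cipher.AEAD }
type Terminal struct {
	DeviceID string
	aead     cipher.AEAD
}
func NewProcessor() *Processor { return &Processor{map[string]cipher.AEAD{}} }
// Enroll creates a per-device key known to the processor and terminal only.
func (p *Processor) Enroll(deviceID string) *Terminal {
	key := make([]byte, 32)
	rand.Read(key)                 // crypto/rand only fails on a broken platform
	block, _ := aes.NewCipher(key) // cannot fail: 32 bytes is a valid AES-256 key
	aead, _ := cipher.NewGCM(block)
	p.keys[deviceID] = aead
	return &Terminal{deviceID, aead}
}
// Capture encrypts at the point of interaction; the practice's software only forwards it.
func (t *Terminal) Capture(pan, expiry string) Payload {
	nonce := make([]byte, t.aead.NonceSize())
	rand.Read(nonce)
	ct := t.aead.Seal(nil, nonce, []byte(pan+"|"+expiry), []byte(t.DeviceID))
	// The mask is the most a practice's receipts, logs or database should hold.
	mask := pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
	return Payload{t.DeviceID, mask, nonce, ct}
}
// Decrypt runs only at the processor; it fails closed for an unknown device
// or a payload altered in transit (nonce, ciphertext, tag or DeviceID).
func (p *Processor) Decrypt(pl Payload) (string, error) {
	aead, ok := p.keys[pl.DeviceID]
	if !ok {
		return "", errors.New("unknown device")
	}
	pt, err := aead.Open(nil, pl.Nonce, pl.Ciphertext, []byte(pl.DeviceID))
	return string(pt), err // pt is nil, and so "", whenever err is set
}
```

The practice-side code has no key at all, which is what "reducing scope" means in practice: a compromise of the practice's workstation yields only the masked PAN and an authenticated ciphertext it cannot open.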
We are committed to routine compliance assessments and work with a leading outside security advisor that is certified by the PCI Security Standards Council. Rectangle Health is one of only roughly a dozen healthcare payment solution providers that protect data with true point-to-point encryption.[14]
As healthcare cyberattacks and breaches continue to pose a significant threat, medical and dental offices need to remain vigilant in their awareness and security efforts. As healthcare offices strive to regain what was lost in 2020 and potentially settle into longer-term work-from-home and flexible location policies, now is the time to build proactive policies and procedures for data security to protect your reputation and your patients.
Investing in cloud-based technology that offers advanced security and compliance assurance will pay off. Combined with cybersecurity and best-practice training efforts for staff, secure technology can guard you from costly breaches.
Partner with technology providers that have robust security accreditations and that make it easier for your practice to verify compliance. Including proven partners like Rectangle Health in your practice will give your staff, and your patients, confidence and peace of mind that PHI and payment data is protected.
Rectangle Health, a leading healthcare technology company, empowers medical, dental, and specialty practices with seamless and secure technology to drive revenue by increasing patient payments and streamlining practice management and payment processing. Since 1993, the company’s innovative solutions have reduced administrative burden and rebalanced the ledger for its thousands of healthcare providers in the United States, reliably processing billions of dollars in payments annually.