Healthcare workers and medical professionals are acutely aware of their obligation to keep protected health information (PHI) confidential, thanks to the Health Insurance Portability and Accountability Act (HIPAA) enacted in 1996. The media reports, almost daily, on stories of PHI left unprotected, resulting in fines and settlements. Because of this, many businesses focus on protecting PHI data, which is good, but patient financial data, such as credit card information, often ends up becoming less of a priority.
Security for the PCI newbie: Cyber criminals and other nefarious individuals seek to exploit both PHI and a patient’s financial data.
According to Verizon’s 2013 Data Breach Investigations Report (1), cyber criminals are increasingly focusing their attention on healthcare payment systems rather than electronic health records. Hackers today appear more interested in accessing your patients’ personal financial records than the results of their last medical exam.
The Payment Card Industry Data Security Standard (PCI-DSS) is a decade younger than HIPAA, but is much more prescriptive in its requirements. While not enforced by federal regulation, PCI is considered a “standard of care” for any business or organization that stores, processes or transmits Visa, MasterCard, Discover Card, American Express, or JCB cardholder data (CHD). But really, should you store full credit card numbers?
Some words of caution for healthcare organizations that store patient CHD: scrutinize your business processes and really question the need to store CHD. Storing credit cards only increases your exposure to a data breach. There are a number of headlines where healthcare providers that stored patient information (health and financial records) have been breached by criminals, or compromised due to a lost USB drive, missing backup tapes or a malicious employee perpetrating fraud with patient financial information.
A Sample of Healthcare Data Breaches so far in 2013 (2):
January 2013 Texas Health and Human Services – Austin, TX
A dishonest employee was arrested on suspicion of misusing client information to apply for credit cards. The employee was able to pose as different clients seeking immunizations and other services. She was charged with fraudulent use or possession of identifying information and credit card abuse.
September 2012 Wounded Warrior Project, Jacksonville, FL
An office burglary resulted in the theft of at least 33 laptops and iPads. The personal information of an unspecified number of former employees may have been affected. The laptops contained employee names, Social Security numbers, addresses, dates of birth, passport numbers, credit card information, bank account numbers, and possibly life insurance dependent information. The IT department remotely locked access to the devices after discovering they had been stolen earlier in the same day.
August 2012 Arizona Oncology, Oro Valley, AZ
A dishonest employee obtained and misused the personal information of patients during her employment. She pleaded guilty to one count of aggravated identity theft and will be sentenced in October. She faces between two and 8.75 years in prison for using the credit card information of cancer patients to make fraudulent purchases.