How to Manage Payment Data Security in Healthcare

By: Sully Perella, Senior Manager at Schellman

While most healthcare providers don’t recognize that managing and securing payment data follows the same notions as managing and securing protected health information (PHI), from concept to implementation, these can, and should, work hand in hand.

Though the first thing that springs to most people’s minds in healthcare are the conditions and treatment options—paying for those things does come second. But what’s often missed is how that often adds to the complications for the provider because when a patient needs to make their payment, many of the same systems used to collect or report patient data tie to or include credit card options.

Whether your patients are paying for healthcare at the receptionist desk through terminals or if they’re making online payments using the same card, it’s important that healthcare providers align these payment channels using some common, secure tactics (especially since, in our experience, this is typically not the case).

As experienced PCI assessors, we can provide some insight here. In this article, we’ll explain how you can get started in applying the same payment security concepts to your healthcare transactions. That way, you can streamline the management of this critical aspect of your practice while also keeping patient data secure.

The Importance of Universal Payment Security Concepts in Healthcare

To more easily understand why this is important, consider doctors themselves.

Specialty physicians with specific training for treating unique aspects of the human body are normal in the healthcare industry. In support of this, the staff often use software directly tied to that specific field that records the details from the relevant specialized instrumentation being used in examinations.

Different doctors will use different things to diagnose different conclusions, but no matter what your specialist says about the issue you’ve gone to see them for, most medical professionals will always provide the same generalized guidance that you always hear:

  • “Drink more water.”
  • “Eat more vegetables.”
  • “Lay off the salt.”

Just as physicians provide the same overall guidance for improved health, data hygiene uses concepts that apply across the board. These universal concepts—the ones that all healthcare organizations should take to better manage their payment security—include limited access and data protection.

If you’re not already, having your IT staff take action to implement these will make your management of multiple payment channels a more simple event.

3 Challenges of Streamlining Payment Security in Healthcare

But applying these concepts across both card-present transactions by front-desk personnel and the e-commerce options for online payments isn’t without its hurdles.

Our experience in the healthcare industry and PCI shows that it’s a threefold struggle:

  1. The number of locations makes universal processes difficult to implement and follow up upon.
  2. Configuration and update/patch management become backburner issues for IT staff.
  3. ‘Other’ payment channels can exist that are tied to unique software that is not under your universal umbrella (e.g., those used by pharmacies or call center personnel).

How Healthcare Providers Can Streamline Their Payment Security

  1. Get Familiar with How It All Works.

To work these challenges to achieve the desired efficiency, you need to behave as any doctor would—they understand that knowing the problem is the first step to assisting the patient, and it’s true for your data security too. Because as any IT professional will tell you, knowing the environment is the first step to managing it.

Platitudes aside, have your IT team do the necessary investigatory work to know how your organization is taking payments. Ask the basics:

  1. How are payments taken at each location?
  2. What systems and software are at each location?
  3. Can an in-person visit by IT staff address multiple issues regarding patching, updates, configuration management, and inventory control so that multiple visits are not necessary?
  4. What remote-management options are available and how do we secure that access?

(You may find that, at a single location, they’re using two different platforms to take payments in person, which means two different accounts managed by two different teams. Of course, should that be the case, your first step should be to reconcile those two accounts into a single one that will make the work easier in the future.)

  1. Cure the Cause, Not the Symptoms.

The answers to your investigation should be used to alter and/or support the further alignment of your IT staff regarding payment security. However, take care to not fall into an easy trap—it will always be tempting to address the minor headaches in repetition before going after the root issue.

Also, take care not to fall into a worse trap. Sometimes—and by “sometimes,” we mean “almost always”—the changes for improved security and simplification will also create a change in your healthcare professionals’ routine operations, so be sure to remain transparent and communicate the need clearly to minimize confusion.

In your messaging, you can explain that change must occur to protect both patient and payment data. The updated processes can prevent repeat issues which will ultimately save a lot of heartache for everyone.

  1. Apply Universal Principals Across the Board.

Before you can tell people you’ve changed things, you’ll need to actually change them by implementing the aforementioned universal concepts of limited access and data protection for more comprehensive coverage across the board.

Look into measures such as:

  • An enterprise-wide assessment to identify the systems, services, platforms, and data flows used.
  • A risk assessment that addresses the security and privacy requirements/obligations for a healthcare provider.
    • As a part of the risk assessment, talk with staff about the processes they use daily and their operational hurdles, as their involvement and improvement will increase staff buy-in.
  • Application of the same patching/update schedule across systems.
  • Using the same concepts for authentication and access.
  • A training plan that addresses current threats and disclosure points for privacy, PHI, and payment data so that staff can attend one training that covered all three.
  • Soliciting feedback after making changes, since sometimes the first process change is not the best. 

Not only will taking action like this improve your payment security, but getting such comprehensive coverage on payment data will also give your IT team means to address larger concerns over PHI, including possible ransomware attacks that have crippled providers in the past.

Other Considerations for Your Payment Security

Healthcare is of course the #1 priority for providers—that being said, it’s common for this sector to miss some opportunities for efficiency when it comes to data protection within their payment security. But now that you know what foundational steps to take in laying common groundwork across your different credit card payment channels, you can move to start taking advantage.

As you work to make it so that your security considerations accommodate all your digital payment options, ensure you stay compliant with HIPAA by reading our other blogs that can help:

About Sully Perella
Sully Perella is a Senior Manager at Schellman who leads the PIN and P2PE service lines. His focus also includes the Software Security Framework and 3-Domain Secure services. Having previously served as a networking, switching, computer systems, and cryptological operations technician in the Air Force, Sully now maintains multiple certifications within the payments space. Active within the payments community, he helps draft new payments standards and speaks globally on payment security.