Healthcare IT pros prioritize secure payment processes, but see gaps

Healthcare organizations are all about patient outcomes, but there are lots of other operational priorities that need to be managed to support that goal. One of those is ensuring secure payment processes.

When it comes to payments, healthcare organizations are like any other entity that accepts card payments. They have to follow PCI DSS (Payment Card Industry Data Security Standards) set by the PCI Security Standards Council to protect cardholder data. These standards continue to evolve to address new security concerns and IT teams need to keep up to protect patients as well their own organizations.

According to Verizon’s 2022 Payment Security Report, in 2020, only 43% of organizations globally were fully compliant with the current version (v3.2.2) of PCI DSS. Compliance rates varied by specific requirements – some are as high as 91% – but the data demonstrates the challenge of staying current.

PCI DSS v4.0, published in March of 2022, will go into effect in March, 2024. It introduces important new requirements. These include:

  • standards for multi-factor authentication (MFA), password lengths and protection
    requirements aimed at protecting against phishing and social engineering attacks
  • new methods to implement and validate PCI DSS requirements
  • defined roles and responsibilities mapped to major PCI DSS requirements

There is a lot more detail in the PCI v4.0 update. It will require a concerted effort by any organization to comply, including healthcare organizations.

In our latest research report: Behind the EHR: Healthcare's hidden heroes of patient experience, we had a chance to survey more than 200 healthcare IT professionals about a variety of healthcare IT topics, including payment security and PCI. While the respondents expressed confidence that their senior leaders understand the importance of PCI compliance, they are less sure that their organizations are doing everything they can to ensure it. Here are a few of the specific things we learned:

  • 67% believe IT is the department most responsible for the security of payments and payment processing. And they see that role increasing in the future.
  • Almost all healthcare IT professionals (98%) believe their technology leaders are aligned with them in regard to what the organization needs to maintain a high standard of security and PCI compliance. 50% say they are “very aligned.”
  • But they need more. 75% say their organization needs to invest more to ensure PCI compliance. Only 23% believe they have the right amount invested.

The increased focus on payment security is representative of broader data security challenges across healthcare organizations, as captured by one of the survey respondents:

“There are massive security concerns. As data becomes more accessible at more locations, there will be a stronger emphasis on security and integration, and pressure to ensure constant updates of technology operations and security.”

There is a lot more in the free report which you can view here.