4 most dangerous misconceptions about credit card data security and compliance in health care

David King
David King
is CTO at Flywire.

With deductibles soaring, even insured consumers are turning to credit cards to pay for health care. More credit card use means more data flowing through hospitals’ networks, increasing the risk of a breach and sharpening the scrutiny on hospitals’ compliance with data security regulations.

To get a handle on this issue, hospital leaders need to dispense with some dangerous misconceptions.

Misconception 1. Health care is only a minor target for hackers; financial services and banking are the real targets.

WRONG. Data breaches have exploded in recent years, and health care has attracted a disproportionate amount of this unwanted attention.

In 2015, there were 780 data breaches across all industries in the US, and these breaches accounted for 177 million exposed records, including credit card data and personal identifiable information.1 The health care sector received 35% of these attacks. This year, health care data breaches rose sharply after the first half of 2016.2 While the increase in attacks from one quarter to another is alarming, the overarching trend is more troubling still: “Between 2012 and 2014, cybercrim[in]als started to ramp up attacks on the health care industry, which remarkably suffered more than the business, military, and government sectors. In fact, the number of health care service provider victims has grown almost fourfold in 2014 from when it was first observed in 2005.”3

The primary reason health care providers have been targeted so relentlessly? They hold the mix of data most valuable to hackers: credit card data plus the personal identifiable information that can’t simply be “cancelled,” such as social security numbers, addresses, and birthdates.

Misconception 2. Over-the-phone and in-person transactions are not a major threat for card data theft.

WRONG. According to the Identity Theft Resource Center, 90% of all data breaches are accomplished through malware—malicious code installed on people’s computers without them knowing. Most often, malware gets installed via phishing emails, which appear to be from a reputable source. (Studies indicate that a quarter of all recipients open these malicious emails; in the US there are currently, on average, 971 unwitting downloads of malware per hour.4) Phishing emails, for instance, can transmit and install “keylogger” software that detects when someone is typing in a credit card number and then siphons the data off to the originator of the malware.

The important point here is that because keyloggers and other malware are installed on a customer service representative’s computer, it doesn't matter whether that person is using a web payment application or entering a patient’s credit card number received over the phone. Any transaction that passes through that computer terminal is at risk.

Misconception 3. Our health system/hospital has an active IT department and firewalls, so we’re safe.

WRONG. Network segmentation, firewalls, and an IT department’s self-audits are all positive steps toward securing credit card data. But they fall short of the security necessary to keep up with modern threats. (German independent IT security institute AV-Test observed 12 million new variants of malware per month.5) Even in a segmented network, hard data is often transmitted in the clear—and with just one of the network’s computers infected with malware, that data is vulnerable to hackers.

As the PCI Standards Security Council demonstrates with its tiered audit system, the only way to truly prevent credit card data theft is to never have credit card data touch a personal computer in the first place—and to encrypt all data at the point where it’s entered so there’s no clear data to target.

The Security Council has concluded that point-to-point encryption (P2PE), where customer service representatives or patients themselves enter credit card information into a tamper-resistant encryption device, is the only way for organizations to achieve the lowest risk profile possible.

When one hospital security executive learned that his hospital was running a non-validated P2PE, he remarked, "I know it’s not validated—but I checked, and my auditor's okay with it."

Of course the auditor is “okay” with a non-validated solution; that means more business for him. With a validated P2PE system, auditors only have to review 26 questions, not 320. By moving to a validated device, hospitals increase their security, decrease their monitoring costs, and complete much-abbreviated audits.

Misconception 4. We’re in compliance with the PCI Data Security Standards (PCI DSS), so we must be using our financial resources efficiently and wisely.

WRONG. You can comply with PCI DSS by expending resources maintaining scrupulous network segmentation, attempting to defend against those 12 million new variants of malware, and hiring an auditor to review the results of the segmentation and help answer a 300+ question audit each year.

But you can also comply with PCI DSS by moving all credit card transactions to a PCI-validated P2PE device. This option actually lets you unwind your network segmentation, reducing network complexity, eliminating the extra work associated with segmentation, and allowing organizations to answer a PCI audit with 26 questions instead of 320 or so.

Both options put an organization in compliance—but only one fulfills the imperative to use financial resources wisely.

A Better Concept

The PCI Standards Council has, in a sense, done hospital CIOs’ job for them. The Council has “validated” certain service providers who are using the strictest security measures to protect against data breaches. PCI-validated service providers and PCI-validated P2PE devices simplify a hospital’s setup, maintenance costs, and auditing burden significantly. This designation ensures both the highest-level security available and the narrowest auditing scope.

1 Identity Theft Resource Center, “2015 Data Breach Category Summary.” http://www.idtheftcenter.org/images/breach/ITRCBreachStatsReportSummary2015.pdf.
3 Trend Micro, “Medical Data in the Crosshairs: Why is Healthcare an Ideal Target?” http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/medical-data-in-the-crosshairs-why-is-healthcare-an-ideal-target.
4 2015 Check Point Security Report. https://www.checkpoint.com/resources/security-report/.
5 See http://securityaffairs.co/wordpress/32352/malware/av-test-statistics-2014.html.