The growing complexity of the healthcare payment environment means that the act of protecting your assets and your patients has never been more difficult or more important. Healthcare, whose “networks are vaults for credit card data, personal identifiers like social security numbers, and health records”, represents an extremely target rich environment for hackers trying to procure sensitive information they can profit over.
Compounding the problem exponentially, health systems “often struggle to find room in tight budgets to invest in new IT systems, leaving them vulnerable.” In 2019 alone, 41.4 million patient records were compromised accounting for a 49% increase in malicious activity.
2020 saw a number of high profile security breaches in the healthcare industry, including Aveanna Heathcare, which affectedover 166,000 patients. The Georgia based pediatric home care provider suffered a successful phishing attack in late 2019, but didn’t begin notifying patients until the following February. The phishing attack resulted from compromised employee email accounts with lost data including “patient names, Social Security numbers, State IDs, medical information, health insurance details, financial information, and driver’s licenses.” The security breach led to a joint lawsuit from over 100 breach victims for alleged HIPAA violations as well as assertions that their private information was “maintained on Aveanna’s computer network in a condition vulnerable to cyberattacks” .
The need to combat the increasing vulnerability of companies handling sensitive information has given rise to numerous sets of security standards over the course of the past few decades. One set of standards specific to payments, known collectively as PCI, aims to protect the healthcare industry, and others, from cyber attacks by applying protocols that encourage the safe storage of financial information and secure merchant payment behaviors: “To certify compliance, the PCI Standards Security Council conducts rigorous, annual audits for its partners. With more than 300 questions, these audits trace the handling of credit card data, from how it’s entered to where it’s stored. Every step is accounted for, from the remote call center employee taking card details to encryption in the network’s storage.”
Maintaining PCI compliance can be both time consuming and costly, but the penalties for being found non-compliant during a security breach can be far more costly when taking into account things like “reputational damage, class-action lawsuits, fines from card providers, credit monitoring costs, insurance claims and even cancellation of merchant accounts." Health systems found non-compliant during a breach are subject to a fine of $500k from each major credit card company involved.
However, ensuring that your organization is PCI compliant does not mean that you’ve eliminated risk from your payment environment, only that you are PCI compliant and won’t be subject to additional fines. As exemplified in the Aveanna breach, healthcare environments are extremely high risk, not only because of the types of information that they deal with, but also because of how that information is typically stored. Most hospitals “are capturing cardholder data via web services on their local PCs, making them vulnerable to hackers.” The only way to maintain an environment that is risk free is to take the steps to ensure that sensitive financial data never touches your network in the first place.
What follows is an interview with Dan Eckoh, President of US Operations, at Eckoh about the keys to removing risk from the payment experience in healthcare. With over a decade of consumer and payment expertise, Dan provides guidance on how to have meaningful patient interactions within a safe and secure environment.
Caleb B: For readers who might not be familiar with Eckoh, can you give an overview of the company, its history, and the value you bring to your clients?
Dan Arntz: Absolutely, Eckoh’s a publicly traded company that’s been in business for about the last 21 years. Prior to payment security, we started out really in the customer experience space doing a lot of things to help our customers have better conversations with their customers.
And, then, about 10 or 11 years ago, many of our customers started taking payments online. And as we all know the EU has always been substantially ahead of the US market in terms of data security, so when we started having to worry about our own compliance efforts- in terms of what we were doing with our customers- we thought what a great idea to take this forward as a product and Nik Philpot, our president and CEO being a visionary in his dealings every day, said, “Why don’t we take this to the US?”. And so, about five and a half years ago, we brought this product to the US. We had all of about three people over here, and now we’re just shy of 60.
So, really, if I net it down, what are we all about? We’re about bringing great customer experiences to our customers and then giving them a payment platform in which they can securely take payments across a number of different channels and different spectrums for their customers.
And so, that’s our history. That’s how we got into the secure payment piece, and that’s the value that we bring our clients. Everybody is familiar with the Target breach. People are familiar with the Home Depot breach.These were big, newsworthy events, where people’s information was getting out in the open. Our timing was maybe a little early, but when we came out in the market, companies’ reputations were at stake, because the last thing you want is something out in the ether that says, “They’re not watching my information.” So, that was important.
People were spending an immense amount of money on a yearly basis, meeting certain criteria for saying, “We’re keeping people’s secure payment information safe.” So, when we entered the market, we were able to tell people two things: “One, we’ll keep you secure.” And two, “We’ll make that process of validating that you’re working in a secure environment much, much simpler.” People found value in that.
And what we’ll do over time is start to bring more and more of those voice solutions, and other channels into the US, expanding that environment even further.
Caleb B: I think that’s a great example of how companies can start along a certain track, and then not necessarily pivot, because it was along the same lines of what you’re doing, but really, that value that you can get when you start listening to clients and their scenarios, and what it is that they actually need served from you. So, I think that’s a really great story.
Dan Arntz: Good.
Caleb B: I thought we might shift gears, and talk about the healthcare environment a little bit. Flywire CTO David King calls healthcare a “target rich” environment for hackers and security breaches because of the types and volume of data that they handle. Can you describe how Eckoh approaches the healthcare industry and helps reduce security risks by contributing to things like PCI compliance?
Dan Arntz: Absolutely. And I would agree with David’s comments around it being a target-rich environment for hackers. If you look at a lot of the legislation in healthcare that’s happened over the last 10-15 years – HIPAA comes to mind – it’s about trying to keep people’s information secure, and that it can’t be sold or transmitted to other folks.
In healthcare, you’ve got a dynamic, where you have a lot of PII data, or personally identifiable information that in a normal course of business is traversing between the patient and that healthcare employee. And in the markets today, if I have stolen a credit card, I can get X dollars in the marketplace selling that information out there. But, if I have combined data, which is perhaps a credit card with the person’s social security number, or a health payer ID number, or whatever else the case may be, that dollar amount goes up in multitudes. And when you’re dealing with people's health- first of all, they’re probably in that hospital, or in that doctor’s office, because there’s something bad going on in their life to begin with- the last thing they want to worry about is having their information stolen.
So, it’s really an important market. And, unfortunately, when you start talking about payments- and you guys are familiar with this- it’s something that they know they have to do, but perhaps they’re not always looking ahead.
So, people come to us to help keep them on the straight and narrow about what is important to keep in terms of information being secure. We’ve seen a lot of healthcare environments in the last two years contacting us, and others, about what they can do around this all-important piece.
Today, we can secure any numeric data, but if there’s other data that a large hospital environment, or a healthcare provider would want to keep secure, there’s other ways that we’re exploring, or are doing today, where we can also take that information in a secure environment, as well, so that that agent on the phone does not have access to it.
Caleb B: We’ve seen, over the same kind of period of time that you described, this really large increase in the idea of consumerism around healthcare. How do we create the best possible experience for our patients? And then, how do we leverage that as a differentiator?
And it seems to me it’s almost starting to become, because of the amount of security breaches that we’re seeing in healthcare, a differentiator, too- a healthcare system being able to say, “We’ve never had a breach,” or, “These are the steps that we’re taking to secure patient information,”. Because, you’re right, patients they’re dealing with health issues on top of the financial side of it, as well. So, it’s really important for them, as they focus on getting healthy to be able to have that peace of mind that their information is also secure. Would you agree with that?
Dan Arntz: I would absolutely agree, Caleb. As a matter of fact, one of our very first clients, a large insurance company on the East Coast- 6,000 agents across their call center environment- this was a big deal to them. It took many months of planning to go live. They went live, and they did, as they’ve always done, call recording. And they sent back to us, of course, not the real recordings, but excerpts from recordings, where in the first hour a dozen people or so said, “I am so glad you’re taking my payments this way. I was always nervous giving my financial information in a way that wasn’t secure.”
I could be at an airport; I could be at a theme park. I could be calling somebody to get some information. I need to schedule an appointment, whatever the case could be. And I’m giving that information out, where somebody could overhear what I’m saying, and in the case of us bringing this solution to bear, customers appreciate it, and also, I think, the people at the other end, the agents on the phone, appreciate it for multiple reasons.
Caleb B: That is awesome. I think that leads us really nicely into talking a little bit more about the agents, themselves, in the call centers. As you know, the healthcare industry is one that is heavily reliant on call center models, particularly the clients that Flywire works with, some of the larger health systems in the United States. Obviously, security within call centers is a huge concern. And so, I just wanted to highlight some of the advice and benefits that Eckoh brings to that type of environment. How does it change the role of those call centers in the healthcare process?
Stay tuned for part 2 of our interview with Dan Arntz where we dive into the evolving security around call centers, Covid-19, and what advice he would give to health systems as they look to evaluate and set their security protocols for the year.