PCI Compliance Has Never Been More Important
The large and complex nature of the financial environment at health systems means that maintaining financial security is an ever evolving challenge. Even though a patient might make a single payment, for instance, that payment can exchange hands through vendor relationships, departments, contracts, and more: “Some payments are so seamless, consumers might not even realize a complex series of transactions is taking place. There are many opportunities in large, integrated healthcare delivery networks for Cardholder Data (CHD) to be handled, transmitted or stored improperly.” The healthcare sector saw 41.4 million patient records breached in 2019, representing a 49 percent increase in successful hacking.
The rapid onset of digital adoption due to the current pandemic means that healthcare providers now have more access than ever before to sensitive patient information. Health systems are also under more strain making them an even more tantalizing environment for hackers. Check Point Research stated that in the month of October health systems experienced a 71% increase in ransomware attacks. One of those attacks was against UVM Health Network which rendered their MyChart patient portal services unusable across six of their hospitals, denying access to health information and forcing them to reschedule elective procedures.
2020 has also seen a number of high profile data breaches in healthcare, including breaches for BJC Healthsystem, PIH Health, and Aveanna Healthcare. The total volume of patients affected in just those three breaches alone was 653, 501.
Stolen personal health information, personally identifiable information, and card holder data can be used by criminals in a variety of ways from acquiring medical services to prescriptions, from fraudulently receiving government aid to funding lavish shopping sprees. Therefore, ensuring that your health system remains committed to the highest level of financial security has never been more important. Anticipating the growing need for standards around the protection of consumer data, in the early 2000s, credit card behemoths like Visa and MasterCard “began developing standards for secure payment processing. This eventually gave rise to PCI, which is now recognized worldwide as the industry standard for protecting cardholder data.”
Established in 2006 and headed by the PCI Standards Security Council, the handling of PCI compliance is broken into six core components:
The most stringent rules apply to category 3 and deal with the protection of cardholder data. Known as PCI-DSS, these rules are applied across the credit card lifecycle. The penalties for not being found PCI compliant can be costly: “Risks of noncompliance can be significant—particularly in the event of a breach—including reputational damage, class-action lawsuits, fines from card providers, credit monitoring costs, insurance claims and even cancellation of merchant accounts." Health systems can be subject to a fine of $500k from each major credit card company involved if they are found to be non-PCI compliant during the breach incident.
Obtaining and preserving PCI compliance can be as complex as the payments it hopes to protect and often necessitates a cross-organizational approach. While the directive to maintain PCI compliance largely falls on the financial department- in other words, the financial department bears the cost if their organization should face fines for falling out of compliance and suffering a data breach, the IT department is responsible for the leg work to become PCI compliant. So, PCI compliance often represents a co-responsibility of both IT and Revenue Cycle.
Protecting the Patient
The demand for PCI compliance is now so high that banks and credit card processors have begun asking individual hospitals to provide compliance validation. Maintaining PCI compliance is not just about avoiding fines, however. “Demonstrating your compliance is an important way to show your patients that you care about the security of their personal information, and do everything in your power to protect it.”
Much like the consequence of instituting HIPAA guidelines on the care side, PCI Compliance imbues financial care with a deep sense of protecting the vulnerable:
Not all customers in a transaction are patients, but all patients ultimately become customers or consumers when a payment for care is made with either a credit or debit card. This calls for even greater responsibility when handling, transmitting or storing CHD, Personally Identifiable Information (PII), Protected Health Information (PHI) and electronic Protected Health Information (ePHI), including the risk associated with third-party expo.
With high deductibles now averaging $1655 per person annually, more patients are paying out-of-pocket and turning to credit to meet their responsibilities. According to a 2016 Kaiser Family Foundation poll, over a quarter of Americans with high deductible plans had trouble meeting their financial responsibility. Of those who reported problems, 38% said their credit card debt had increased.
The Importance of finding vendors that share the same dedication to security as you do
The largest data breach in 2020 to date is the Health Share of Oregon affecting 654,000 patients. The breach is an interesting case because it highlights the need for health systems to not only make sure that they themselves are adhering to the highest standards of PCI compliance but also making sure that the vendors that they work with are approaching security with the same seriousness: “The theft of a laptop owned by the transportation vendor of the Health Share of Oregon, shows that physical security controls and vendor management need equal attention as cybersecurity priorities.” The laptop contained patient names, contact details, dates of birth, and Medicaid ID numbers.
To maintain PCI compliance necessitates the institution of key operational mandates like network segmentation, point-to-point encryption, and continuous monitoring but in order to reduce much of the scope for health systems, it also means relying on vendors with a high standard of security and a deep knowledge base set in PCI compliance rules.
Ultimately, the goal between vendors and the health system's they serve should be to drive to what is called an SAQ-A which means that health systems are not responsible for PCI compliance but rather the vendor takes on that responsibility themselves. Flywire helps health systems reduce scope around PCI compliance by eliminating the necessity for health systems to touch the card data at all. Instead all card data is housed remotely via Flywire. Our level 1 compliance with PCI-DSS, the highest level of compliance possible, let’s you know that you can trust us to do it correctly.
What follows is an interview with Flywire’s CTO David King around Flywire’s background in secure payments, our commitment to the security of our clients, and important information that your health system should consider when tackling PCI compliance.
A deep background in secure payments
Caleb B: You’ve personally been involved in PCI compliance standards for a long time. Can you give a history of how you first became involved with payment security standards and what that entailed?
David K: I have been involved with payment processing and card security since 1997. Before the Payment Card Industry Security Standards Council (PCI SSC) existed, each card association had their own rules to which a merchant or service provider would have to attest. Visa had its Card Information Security Program, MasterCard had its Site Data Protection, American Express had its Data Security Operation Policy, Discover had its Information Security and Compliance program, and JCB had its Data Security Program. In the “early days” you had to complete and attest to each one of these. It was a very painful process to essentially do the same thing five times over.
The intention of each was similar: to create and ensure a level of protection for cardholder data managed by merchants and service providers. Everyone realized that it would be beneficial to have a single comprehensive standard. The very first version of the Payment Card Industry Data Security Standard (PCI DSS) came out in December 2004. This was primarily driven by the card brands combining their standards.
After PCI DSS V1.0 was released, it was clear there would be a need for a governing body to manage the PCI DSS, and the PCI SSC was formed in September of 2006. The PCI SSC was an independent group that would manage the PCI DSS. This is when I got deeply involved and started contributing to the PCI standards.
Caleb B: You’ve said in the past that healthcare is a “target rich” environment for hackers. Can you explain what that means and what you feel should be the top concerns for providers?
David K: The healthcare market has the “dirtiest” of all data and we must be constantly vigilant to protect it. Healthcare has personally identifiable information (PII), such as name, address, and date of birth, to name a few; protected health information (PHI), which is procedure-related information; and finally, patient financial information from the patient who has to pay the bill. In short, healthcare has all the data that a hacker would love to get their hands on—thus making it a “target rich” environment. The image below is the average makeup of data within a healthcare system. As you can see, 61% of it is PII and financial. This combination makes it extremely valuable to a hacker.
The 2019 Verizon Breach Report indicates that, in healthcare, 83% of the breaches in healthcare data were for financial gain—meaning the attacker was after PII and financial data to exploit in the dark web.
With the rising cost of healthcare, more patients are paying their bills by credit cards, further increasing the richness of the data that could be stored in an EHR. According to the Ponemon Institute, in 2019, the average cost of a data breach to healthcare was $429 per record. According to Revenue Cycle Advisor, there were over 41 million healthcare records stolen in 2019, costing healthcare $17 billion in damages.
Providers have to take measures to reduce the amount of “toxic” data they store. They will need to store PII/PHI, but they should move all financial related data to a service provider. It is the coupling of the PII/PHI and financial data that makes their environments so ripe for attack. If you distribute this data, it makes it harder for the attacker to get a full financial profile to exploit on the dark web.
Solving the PCI Problem
Caleb B: Can you give some examples of how Flywire solves PCI compliance for our users?
David K: Flywire has been involved in securing financial data since the beginning. We know that our customers rely on us to protect their data with extreme vigilance. We not only treat credit card data according to, and beyond, the PCI standards, but we also apply the same methodologies to ACH/Banking data. Speaking of ACH/Banking data, there are some significant changes coming out in 2021 that will impact healthcare providers, but that is for another blog post.
Flywire is a Participating Organization (PO) of the PCI SSC giving us deep insight into developing PCI standards above what other vendors might have access to. Our solution provides separation, yet a seamless user experience, from PII/PHI and card data to our providers. As a Level 1 Service Provider our customers can drastically reduce their PCI compliance costs and ensure their data is protected so they can serve their patients.
Caleb B: Can you provide more details on our role in setting PCI standards and the benefit it brings to our clients as we look to maintain the highest security standards for their organizations?
David K: As a participating organization on the PCI SSC, Flywire gets to globally influence payment security. As Flywire’s representative, I recommend, review, and provide guidance and input to emerging standards. As an example, PCI DSS V4.0 has been in the works since 2018 and I have been involved in reviewing and providing feedback on the emerging standard. This not only allows Flywire to impact payment security, but provides us early insight to the emerging standard so we can begin implementing the new security protocols ahead of time. V4.0 of the standard is expected to be released in Q2 of 2021.
Additionally, I participate in special interest groups on the PCI DSS. Special interest groups focus on specific payment security challenges and provide guidance to the payment community. For example, as cloud computing has become the norm, the PCI SSC had a special interest group that developed standards and guidelines for cloud computing.
Caleb B: Flywire has always taken a proactive approach to solving PCI issues for our clients. In that spirit, we rolled out a secure checkout feature for Epic users available on the App Orchard. Can you give an overview of the history of Secure Checkout for Epic, and how it greatly helps reduce risk for providers?
David K: At Flywire we always have a security first mindset. We go to great lengths to protect our data and to reduce the burden of meeting the onerous requirements of the PCI DSS for our customers by providing them with unique solutions that create a seamless payment experience while removing the challenges of managing payment data.
In late 2017, a major healthcare provider came to us asking if we could help them with a payment challenge. The way that Epic MyChart processed payments at that time put the client squarely in PCI scope and they wanted to provide a seamless payment experience to their patients while reducing their cost to implement all the PCI controls necessary if they continued to process payments the way they were.
Epic had created their App Orchard in 2017, but it was in its infancy. After many conversations with the healthcare provider and a lot of research on various Epic protocols, we found a way to leverage various Epic protocols to embed our Secure Checkout solution into MyChart. This allowed for our solution to manage the entire payment process with no card data going across the provider’s network or back into Epic and provide real-time payment posting on the patient account. Ultimately, this allowed the provider to reduce their PCI scope from an SAQ-D to an SAQ-A.
As the App Orchard matured, we worked with Epic and migrated our Secure Checkout solution into the App Orchard where any Epic client can now download and install it to begin seamlessly and safely processing payments.