This article first appeared on LinkedIn.
Everyone in the retail, security, and banking business has probably been fielding a lot of questions about the “Target Breach” recently.
For those who have not heard: in December 2013 Target disclosed that attackers had gained access to its internal network and used that access to install malware on the point-of-sale terminals in its stores. The malware captured payment card data from the terminals as cards were swiped and quietly staged it on compromised internal servers, from which the attackers later retrieved it; Target also confirmed that encrypted PIN data was among what was taken. In January 2014 the chain disclosed that a separate set of customer records, with names, email addresses, mailing addresses and phone numbers, had been exposed as well. In all, about 40 million payment card numbers and 70 million personal records were compromised.
The fallout has been ugly. Last week Target's CIO, Beth M. Jacob, resigned over the failures. In February the chain reported that fourth-quarter earnings were down 46%, and on a personal note, a replacement debit card just arrived in my mailbox.
Medical practices are used to securing information under HIPAA, and should already have policies covering any payment card information they handle. It is easy to see why a national retail chain draws the attention of cyber criminals, but as the big targets harden and awareness of the risk grows, smaller businesses will start showing up on attackers' radar.
So how do you avoid being the next, ahem, Target? Here are five ways your practice can protect itself.
1. Start a Credit Card on File System
We probably get more questions about credit card security than most consultants because we are such big proponents of medical practices using a credit card on file program. We think keeping the patient's card on file, offsite, in an encrypted payment gateway reduces the practice's liability for two reasons: there are fewer human touches in the process that can invite fraud, and card data that is never stored on the practice's own systems is data the practice does not have to protect. Consider: if patients swipe their cards at every checkout for time-of-service payments, their card data is exposed at every visit. If the card is handed to an employee to swipe, not only is the magnetic stripe read, the full card is also exposed to another human being. With a credit card on file system, the card number is captured once, at the initial swipe, and from then on the gateway holds it while the practice holds only a reference to it: no employee can ever see more than the last four digits, and the patient does not have to bring the card to the visit or enter a PIN.
On top of that, when you no longer send out statements, you provide extra protection to patient financial and health data by not sending it through the mail.
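To make the "only the last four digits" point concrete, here is an added Python sketch of the card-on-file pattern. It is not code from the original article or from any gateway vendor: the `Gateway` class is an assumed stand-in for an offsite, encrypted payment gateway that vaults the card number and hands back an opaque token, and the card number and patient ID are constructed test values. The practice-side record keeps only the token and the last four digits, and every later charge is made against the token, so nothing stored locally can be turned back into a card number.

```python
"""Card-on-file sketch (added example). The practice retains a gateway
token plus last four digits; the PAN lives only in the gateway's vault.
`Gateway` is an assumed stand-in for a real encrypted payment gateway."""
import secrets
from dataclasses import dataclass


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects mistyped card numbers before they are sent out."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Display form a staff member may see: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


class Gateway:
    """Stand-in for the offsite vault (assumption, not a real vendor API)."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Token is random and unrelated to the PAN; it is useless outside this gateway.
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = pan
        return token

    def charge(self, token: str, cents: int) -> dict:
        if token not in self._vault:
            raise KeyError("unknown token")
        # A real gateway would submit to the processor here; we just acknowledge.
        return {"ok": True, "cents": cents, "last4": self._vault[token][-4:]}


@dataclass
class CardOnFile:
    """What the practice actually persists: no PAN, no expiry, no PIN."""
    patient_id: str
    token: str
    last4: str


def enroll(gw: Gateway, patient_id: str, swiped_pan: str) -> CardOnFile:
    """The one-time swipe. The PAN goes straight to the gateway and is not kept."""
    if not luhn_ok(swiped_pan):
        raise ValueError("card number failed Luhn check")
    token = gw.tokenize(swiped_pan)
    return CardOnFile(patient_id, token, swiped_pan[-4:])


def copay(gw: Gateway, rec: CardOnFile, cents: int) -> dict:
    """Time-of-service charge from the file record: no swipe, no card, no PIN."""
    return gw.charge(rec.token, cents)


def record_contains_pan(rec: CardOnFile, pan: str) -> bool:
    """Sanity check an auditor could run: does the stored record leak the PAN?"""
    return pan in repr(rec)


if __name__ == "__main__":
    gw = Gateway()
    rec = enroll(gw, "P001", "4111111111111111")   # constructed test PAN
    print(mask("4111111111111111"), rec, copay(gw, rec, 2500))
```

The real security property is in `CardOnFile`: because the practice's database never holds the card number, a compromise of the practice's own systems yields tokens that only the gateway can redeem, which is also what keeps most of the practice's systems out of PCI DSS scope.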
2. Review your financial and security policies.
Audits that review breaches of Protected Health Information (PHI) and of cardholder data covered by the Payment Card Industry Data Security Standard (PCI DSS) focus less on the specific events that led to the breach and more on the culture, policies and environment in which it occurred, and how those contributed to the incident. If a breach were disclosed tomorrow, how would your organization prove to an external reviewer that it had "fostered a culture of compliance"?
The best place to start is with policies. Annual HIPAA, OSHA and billing compliance training, data security, physical and administrative safeguards, how information is stored and retained – all of these are critical ways that your organization sets the tone for compliance, and defines in clear, black and white terms what is expected of the employees.
3. Create a culture of compliance, privacy and respect.
This is a no-brainer for medical practices and other entities that have to comply with HIPAA, but it has to extend to financial data as well. More than individual policies, rules and regulations, an office's culture is the accumulation of norms, practices and relationships that guide how things are done in any given situation. If you have great policies in place, but the culture of the office dictates that they aren't followed, or are only followed under ideal conditions, you are still at great risk of a breach.
Consider this question: how often would you say "policy" is followed by employees completely, down to the letter? 75%? 80%? 90%? Culture is the difference between intention and execution, and as the line often attributed to Peter Drucker goes, "culture eats strategy for breakfast".
4. Talk to your vendors.
Credit card processing for medical practices, whether traditional or "on file", is a very competitive business: average transactions are large, volume is steady, and fraud rates are lower than in most retail. So not only should you negotiate for the best possible rate, you should also make sure your gateway and processor give you every tool you need to keep patient financial data safe.
Ask your vendors what else you can be doing to stay secure and compliant. Do they have training materials or other resources you can use to keep your staff sharp? These vendors are thrilled to have your business – use them!
5. Talk to your customers.
Be proactive! Most patients treat privacy notices and HIPAA documents as "just paperwork" shuffled at them on the way to seeing the doctor. With the breaches at Target and elsewhere, this is the perfect time to start a conversation with your patients about how you can communicate with them better and involve them in their own security.
After reviewing your policies, let your patients know what you are doing to keep their information safe. Talk about new developments or changes in the framework of their protection, but most of all, have the conversation before a breach – not in response to one.
The contest between defenders and attackers will probably never end. As attacks and defenses become more sophisticated the playing field will change, but good habits ingrained by culture will always set the table for success. Use these five tips as a starting point, and start taking security seriously today.