Guest Column | June 7, 2016

More Ways To Pay Bring More Security Concerns: 3 Tips To Enhance Payment Protection

By Noah Dermer, Security Officer, InstaMed

Consumerism and increasing patient responsibility are driving healthcare organizations to expand their options for patients to make payments. As providers look to new payment options to meet consumer demands and increase their collections, they need to carefully consider payment security.

Healthcare data breaches can bring serious financial and reputational repercussions. The Ponemon Institute reports that a data breach has an average economic impact of more than $2 million on a healthcare organization, and that the annual cost of all healthcare data breaches exceeds $6 billion. Providers must aim to enhance security and protect sensitive payment information. Consider these three opportunities to improve payment security at your practice.

  1. Point-Of-Service: Accepting credit cards at the point-of-service is a great way to increase patient payment collections, but providers must make sure they invest in EMV-ready devices that support point-to-point encryption.
     • EMV (Europay, Mastercard, and Visa) is the global standard for authenticating credit and debit card transactions with chip cards at capable point-of-sale (POS) terminals. The chip on the card creates a dynamic piece of data that is sent to the card issuer during a transaction to recognize a card and authenticate it, inhibiting the creation of cards made with stolen data. As of the October 1, 2015 fraud liability shift, providers that accept fraudulent cards on a non-EMV-capable device may not be reimbursed for that fraudulent transaction.
     • While EMV offers additional security, it does not necessarily protect cardholder data moving over your network. Look for a solution that couples EMV with point-to-point encryption (P2PE). P2PE offers the most secure method of protecting payment card data, encrypting it from the initiation of a transaction until it arrives at a secure endpoint (the payment processor). P2PE isolates payment data so that it remains protected and inaccessible at any point before the processor, reducing the risk of a breach.
  2. Online And Mobile: Patients continue to use these payment options in other industries and now expect healthcare to follow suit.
     • For providers already using a practice management system, look for an integrated payment solution that supports existing systems. Integrated payment solutions allow providers to embed payment capabilities into their existing applications and securely collect payments online and from mobile devices without multiple logins or multiple credit card data transmissions.
     • Some providers might hesitate to offer mobile payment options due to concerns about mobile security, but mobile payments can be a very secure platform, leveraging both encryption and tokenization.
  3. Payment Plans And Automatic Payments: Maximizing patient collections in the increasingly consumer-driven healthcare industry remains important for providers.
     • Embrace this trend and ensure the collection of large balances with payment plans. Implementing a payment plan includes saving a patient’s card on file to incur charges in a series of installments; however, many providers fail to save credit card information in a secure and compliant way, for example by writing down information on paper and simply storing it in a folder. Providers can leverage technology to store patient card information securely online. This not only reduces the risk of stolen or lost payment information but also allows providers to use these saved payment methods to automate the collection of future payments, which meets consumer demands for simplicity.

Payments in healthcare continue to feel the impacts of consumerism, and providers can help adapt to the changing tide by enhancing payment security for improved patient experience with less risk: a benefit for them and their patients.

About The Author
Noah Dermer is InstaMed’s Security Officer. Prior to joining InstaMed, Noah was Epic’s Chief Privacy and Security Officer. Noah also managed Epic’s security R&D team, which develops software that helps hospital organizations ensure the confidentiality, availability, and integrity of healthcare data. Prior to his work on the security team, Noah worked at Epic on clinical applications where he designed, coded and maintained computerized physician order entry software. He has also been a network administrator and worked for a large financial technology services company and a technology consulting firm. Noah is a licensed attorney in Illinois and Wisconsin.