
Healthcare is a prime target for malicious data attacks. Healthcare organizations transmit highly personal and sensitive information as part of the normal course of business, from eligibility verification between the provider and payer, and all the way to consumer payments to the provider. The value for healthcare data on the black market is high. Data particularly at risk includes social security numbers, birth dates, payment card information and insurance coverage identification.

The COVID-19 pandemic has increased the volume of sensitive data now shared digitally in healthcare. Many healthcare organizations have turned to digital channels to connect in lieu of options that require close and/or in-person contact. Without the proper considerations upfront, these channels could pose considerable vulnerabilities for an organization’s data and increase the risk of a data breach. In an industry where margins were already slim before COVID-19, the ever-looming threat of a data breach creates an unnecessary burden of cost to an organization’s bottom line.

The healthcare industry does not have to slow down or stop its digital transformation in the wake of COVID-19 to mitigate the risks of a breach. Instead, security and compliance must always be top of mind for healthcare organizations when considering and implementing new technology. The COVID-19 pandemic only amplifies this critical requirement for healthcare organizations.

How COVID-19 Accelerates Healthcare’s Digital Transformation

Before 2020, rapid tech adoption connected consumers for entertainment, such as Instagram reaching 100 million active users in two years or Fortnite hitting 100 million monthly active users in 18 months (Mary Meeker). Now during the COVID-19 pandemic, technology has become a vital tool that connects consumers for everything, proven by the rapid adoption of platforms like Zoom, which went from 10 million to 200 million daily meeting participants in three months (Mary Meeker).

The healthcare industry is adapting to the “new normal” presented by social distancing guidelines, stay-at-home orders and other efforts to slow the spread of the COVID-19 pandemic. In particular, provider organizations have turned towards virtual options to connect with and treat patients for care that does not necessarily require an in-person appointment. In the first couple months of the pandemic, 16.5 million consumers started using telehealth options with 80 percent saying they would use it again (PwC Health Research Institute).

The surge in telehealth usage reflects the industry's ability to react and adapt to change, as well as patients' appetite for digital options in healthcare. The increased options to connect with patients will be crucial for the future of many organizations as the pandemic continues. More than a third of consumers have changed or plan to change spending on healthcare visits due to COVID-19, with the majority of those consumers skipping non-essential appointments such as a well visit or recommended screening (PwC Health Research Institute).

High Costs of Compromised Data in Healthcare

The recent surge of digital channel adoption in healthcare creates vulnerabilities for an organization’s data and increases the risk of a breach. Any fallout from a data breach takes a considerable toll on impacted organizations in any industry. There is the incident investigation, remediation and countless hours of ensuring the vulnerability is eliminated. Downtime from a data breach results in costs related to lost productivity, which can be significant depending on the severity of the attack and the organization’s ability to recover.

In healthcare, there is an added layer of consumer trust and loyalty that may be lost, which ultimately cannot be quantified or replaced. The reputational loss and customer attrition related to data breaches compounds the already significant impacts and costs that organizations must mitigate after a breach – endangering their ability to thrive in the future.

Healthcare has the highest industry average cost for a data breach at $7.13M, which is up more than 10 percent from the previous year (IBM Security). As the impacts from COVID-19 continue to unfold, it is likely that the costs of breaches will remain this high or rise further, continuing to damage the financial wellbeing of healthcare organizations.

Security and Compliance Must Be a Priority

Healthcare organizations need to adopt a “not if, but when” mindset when it comes to data breach threats and adequately prepare a defense against such threats, especially as the industry responds to COVID-19 with the accelerated adoption of digital channels.

Leveraging Secure Online Payments to Collect

Payment collection via the phone is not always convenient for consumers or a scalable channel for organizations. Healthcare organizations may look to quickly implement online payment options for consumers to pay without staff intervention. However, without the proper considerations, online payment channels can increase scope for PCI compliance and put data at risk of a breach.

Healthcare can leverage tokenization to help build a digital wallet. Tokenization works much the same way as a casino chip, which represents a monetary value but has none outside of the casino. In essence, chips help casinos keep track of money being exchanged and deter theft, as they cannot be used outside of the casino, not even at other casinos.

In healthcare, when a payment card enters a secure payment application with tokenization, the card information gets converted to something like a casino chip – or token – that is associated with the organization only. This does not necessarily prevent data theft, but it does prevent someone from using the stolen token to pay for something else. The token has no value outside of the payment transaction it was being used for because it is exclusively associated with a healthcare provider’s merchant ID.

Healthcare organizations can use tokenization to significantly enhance the security and convenience of their online patient payment experience. With tokenization, consumers can securely save payment methods on file within a healthcare organization’s patient portal and use those payment methods again in the future for recurring payments, like payment plans. In fact, tokenization is key to automating the payment process to simplify the consumer experience and help providers achieve payment assurance.
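The following is an added illustration of the tokenization model described above; it is not code from the original article or from InstaMed, and the vault, merchant identifiers and the card number are constructed for the example. It shows the two properties the text relies on: the provider's portal keeps only an opaque token for card-on-file and recurring payments, and a token is bound to the merchant ID it was issued for, so a stolen token presented under any other merchant is rejected by the vault.

```python
import secrets
from dataclasses import dataclass, field


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check used to reject obviously mistyped card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Hypothetical vault run by the payment processor, not by the provider.

    Maps token -> (merchant_id, PAN). Only this component ever sees the PAN;
    the provider's patient portal stores and replays the token alone, which
    keeps the portal outside PCI scope for stored card data.
    """
    _store: dict = field(default_factory=dict)

    def tokenize(self, merchant_id: str, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_valid(digits)):
            raise ValueError("not a well-formed card number")
        # Random token: carries no information about the PAN and cannot be
        # reversed without access to the vault.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = (merchant_id, digits)
        return token

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        """Authorize a payment against a stored token.

        The merchant presenting the token must be the one it was issued to;
        this is the 'casino chip' property: the token has no value elsewhere.
        """
        entry = self._store.get(token)
        if entry is None or entry[0] != merchant_id:
            raise PermissionError("token unknown or not issued to this merchant")
        _, pan = entry
        return {"merchant": merchant_id, "last4": pan[-4:],
                "amount_cents": amount_cents, "status": "approved"}


def demo() -> dict:
    """Walk through card-on-file setup, a recurring charge, and a misuse attempt."""
    vault = TokenVault()
    # Constructed sample data: a widely published test PAN and made-up merchant IDs.
    token = vault.tokenize("MID-CLINIC-001", "4111 1111 1111 1111")

    # The clinic's portal saves only `token` and replays it for a payment plan.
    receipt = vault.charge("MID-CLINIC-001", token, 2500)

    # Someone who exfiltrated the token from the portal tries it elsewhere.
    try:
        vault.charge("MID-SOMEONE-ELSE", token, 2500)
        misuse_blocked = False
    except PermissionError:
        misuse_blocked = True

    return {"token": token, "receipt": receipt, "misuse_blocked": misuse_blocked}


if __name__ == "__main__":
    print(demo())
```

The point of the example is what the portal is left holding: a random identifier that is useless to anyone who is not the issuing merchant, and that a breach of the portal alone does not convert into usable card data.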

Protecting Payments Made Over the Phone

Shutdowns and social distancing guidelines due to the COVID-19 pandemic forced many organizations to create a remote workforce in a matter of days. For healthcare payments, this required staff that would normally collect payments in person to connect through other channels, such as taking payments over the phone. If staff are doing this from home, it is important to consider who might overhear the conversation and whether staff might inadvertently or intentionally be writing down credit card numbers.

If staff are taking payments over a corporate-issued phone (e.g., Cisco, Avaya), they are often using VoIP, an acronym for Voice over Internet Protocol, or in more common terms, phone service over the internet. When staff take payment card information over the phone, an organization's entire VoIP network, including the servers, switches, firewalls and phones, is potentially now part of the cardholder data environment (CDE). This can dramatically increase the scope of your cardholder data environment and increase the financial and operational costs of PCI compliance.

VoIP protection technology sits on the edge of an organization's network and masks cardholder data before it is transmitted. The technology allows consumers to enter payment information on their phone's keypad instead of relaying it verbally to staff. The dial tones created by keying in the credit card number are intercepted and then sent on to the call center agent as flat tones via a process known as dual-tone multi-frequency (DTMF) masking. VoIP protection minimizes exposure of payment data and dramatically reduces the cardholder data environment and PCI scope.

Prioritizing Payment Security in Healthcare

Many organizations, in healthcare and beyond, are doing their best to adapt to the impacts of the COVID-19 pandemic. The accelerated adoption of digital channels is building pathways to connect without the need to be in person; however, as more organizations rely on digital channels, the risks to data increase as well. Payment data is particularly at risk in healthcare. This is why security must be a particular focus during the pandemic and remain a high priority. VoIP protection and tokenization are two critical ways that an organization can protect data.


Noah Dermer

Noah Dermer is security officer at InstaMed where he works to inform and educate the industry and InstaMed customers about compliance and security in healthcare payments. He authors the Security Corner, a monthly blog where important topics in compliance and security are explored and speaks nationally on all things health IT, security, privacy, compliance, accreditation and certifications as related to healthcare payments.
