By Jennifer Nieto, Best Card
From the Spring 2015 Journal of the Colorado Dental Association
Dentists protect their patients’ personal information for obvious ethical reasons and HIPAA compliance. Many times, however, they may not realize that preventing identity theft is another very important reason behind this practice. Processing credit card transactions in a safe manner is crucial in protecting patients from cyber attack. Whether it’s their health record or credit card information, no one is completely safe. Dentists can take steps, however, to ensure this information is as secure as possible for their patients.
Health Records Under Attack
In 2014, articles in business and medical publications cited alarming statistics regarding electronic breaches in healthcare. They often referred to a McAfee Labs report from November, a February SANS Institute report and an FBI Private Industry Notification issued in April. The reports revealed the following:
• Cyber criminals are selling health record information on the black market at a rate of $50 per partial health record. That’s astronomical in comparison to the $1 black market rate a single stolen credit card number garners. Electronic health records are used in filing fraudulent insurance claims, obtaining prescription medication and conducting other identity theft activities.
• A 600% increase in healthcare-record breaches occurred in the first 10 months of 2014 as compared to 2013 incidents.
• The highest concentration of healthcare organizations with compromised records was found in California, Texas, New York and Florida—states known for having the highest rates of medical fraud.
• According to the FBI, the healthcare industry “is poorly protected and ill-equipped to handle new cyber threats exposing patient records, billing and payment organizations and intellectual property.” In healthcare, almost all things digital are being compromised: radiology imaging software, medical devices, faxes, printers, virtual private networks and routers. To make matters worse, healthcare-industry IT professionals believe their defenses are adequate “when clearly the data states otherwise.”
You might want to shrug your shoulders, hope your IT folks are doing a good job and check your insurance coverage should your records be compromised via a hack attack. But that’s not always good enough.
Compromising Credit Cards
Just because stolen credit card numbers bring in a low black market rate doesn’t mean they aren’t sought after. If you process credit cards online or via Ethernet-based connectivity, your patients’ information is at risk. Even offices that swipe credit cards at a terminal using an analog telephone line could be at risk. To find out how vulnerable your system really is to cyber attack, follow the payment card industry (PCI) security standards, which require quarterly scans of your network if you use an online swipe system. More than half of the Best Card dental offices getting these network scans fail their first scan, despite having anti-malware software, antivirus protection and a separate wireless network. Why? The reasons for failure are numerous and can include:
• Not updating to Windows 7 or higher.
• Leaving unused ports open; these need to be closed at the firewall or through the Internet service provider.
• Having routers with outdated firmware.
• A lack of patches or updates for software.
It could happen to you, so it’s important to correct any weaknesses you have identified. The good news is getting scans shouldn’t break the bank. Rates can vary for this service, so be sure to inquire about the cost in advance. (Best Card, as an example, charges $36 annually for the mandatory PCI self-assessment questionnaire completion and $20 more for practices that are required or choose to do quarterly scans.)
Meeting the EMV Deadline
By October 2015, the payment card industry wants your processing equipment to accept credit cards containing integrated-circuit chips. Europay, MasterCard and Visa (EMV)-compliant technology is considered safer technology than the traditional magnetic stripe (magstripe) on credit cards. Come October, your existing equipment won’t cease to function—new terminals will continue to read magstripes. However, if your processing equipment isn’t EMV-compliant by then, your practice might be liable for fraudulent charges. Fortunately, it shouldn’t cost a great deal of money to get updated terminals. They say the future is now, and that’s no exception with new services like Apple Pay. When purchasing EMV-compliant equipment, make sure it’s Near Field Communication-capable to accommodate Apple Pay.
For more information about the material presented in this article or literature on preventing embezzlement in your practice, contact CDA-endorsed Best Card at 877-739-3952 or visit www.bestcardteam.com/faqs.
Jennifer Nieto is president of RJ Card Processing Inc. (d/b/a Best Card). Formerly, Jennifer was the director of finance for the Colorado Dental Association and an FDIC Bank Examiner/CPA.