By Jennifer L. Nieto, Best Card
“The year 2014 will be remembered as the year of shaken trust.” Vincent Weafer, senior vice president, McAfee Labs.
Most dentists prefer not to think about how they protect their patients’ information. However, in today’s litigious world, it’s important that you do. You must ensure your office is processing credit card transactions in a safe manner, and that your patients’ medical information is protected from cyber-attack.
Healthcare-Record Privacy Is Under Attack.
In 2014, articles in business and medical publications cited alarming statistics regarding electronic breaches in healthcare. They often referred to McAfee Labs’ report from November, a February SANS Institute report, and an FBI Private Industry Notification (PIN) issued in April; and revealed the following:
- Cyber criminals are selling health record information on the black market at a rate of $50 per partial health record (versus $1 for a stolen credit card or social security number). These electronic records are used in filing fraudulent insurance claims, obtaining prescription medication, and for conducting other identity theft activities.
- There was a 600% increase in healthcare-record breaches in the first 10 months of 2014 over 2013 incidents.
- The highest concentration of healthcare organizations with compromised records was found in California, Texas, New York and Florida (states known for having the highest rates of medical fraud).
- According to the FBI, the healthcare industry “is poorly protected and ill-equipped to handle new cyber threats exposing patient records, billing and payment organizations, and intellectual property.” In healthcare, almost all things digital are being compromised: radiology imaging software, medical devices, faxes, printers, virtual private networks, and routers. To make matters worse, healthcare-industry information technology (IT) professionals believe that their defenses are adequate, “when clearly the data states otherwise.”
You may want to shrug your shoulders, hope your IT folks are doing a good job, and check your insurance coverage should your records be compromised by a hacking attack or a malicious employee. But consider this: if you shopped at Home Depot, Target or K-Mart, or dined at PF Chang’s or Dairy Queen last year, odds are you have a couple of new credit cards in your wallet. You were likely told that your account “may have been compromised,” and that you could get a free credit report to ensure no identity theft occurred. All of these merchants use online systems for processing credit cards.
How can I protect my practice?
Quarterly Network Scans
If your practice swipes credit cards using an online system/Ethernet-based connectivity, then payment card industry (PCI) security standards require quarterly scans of your network.
Of the thousands of [TDA Perk Program partner] Best Card dental offices using online/Ethernet-based systems and getting network scans, more than 50% fail their first scan. These practices have anti-malware and anti-virus protection and a separate wireless network, and they do a fairly good job of trying to secure their systems. But the reasons for failure are numerous and can include:
- Not updating to Windows 7 or higher
- Having unused ports left open that need to be closed with their internet service provider or firewalls
- Having routers with outdated firmware
- A lack of patches or updates for software
Be aware it could happen to you, and that it’s important to correct any weaknesses identified. The good news is that getting scans shouldn’t break the bank. (Best Card charges $36 annually for the mandatory PCI self-assessment questionnaire completion and $20 more for practices that are required or choose to do quarterly scans.) Even offices that use a terminal are often paying for the scans, because they feel it’s a good business practice to check for system weaknesses.
Swiping a credit card on a terminal using an analog telephone line is what Best Card feels is the safest method for accepting credit cards. (We’re not aware of any breaches that occurred with merchants using this good old-fashioned technology.) While it’s probably the most secure way to process credit cards, processing over a phone line isn’t always the most efficient way. Digital and voice over IP (VoIP) telephone lines can make transmitting difficult, and if your practice has a lot of recurring payments, an online system can save hours of staff time.
What’s this EMV Deadline I Keep Hearing About?
By October 2015, the payment card industry wants your processing equipment to accept credit cards containing integrated-circuit (IC) chips. (Europay, MasterCard and Visa [EMV]-compliant technology is considered safer technology than the traditional magnetic stripe [magstripe] on credit cards.)
Come October, your existing equipment won’t cease to function—new terminals will continue to read magstripes. However, if your processing equipment isn’t EMV-compliant by then, your practice may be liable for fraudulent charges. Fortunately, it shouldn’t cost a great deal of money to get updated terminals.
One more thing: when purchasing EMV-compliant equipment, you should make sure it’s Near Field Communication (NFC)-capable, because Apple Pay is here to stay.
For more information about the material presented in this article, or literature on preventing embezzlement in your practice, contact TDA Perks Program’s endorsed credit card processor Best Card at 877-739-3952 or visit http://www.bestcardteam.com/faqs/. Additional reading material can be found online:
TDAPerks.com, Oct. 21, 2014, Best Card: “Accept Credit Cards? You Need to Know This.” [About Apple Pay] http://www.tdaperks.com/Eblasts/Perks_Blast_BestCard_102114.aspx
TDAPerks.com, Oct. 21, 2014, Best Card: “Credit-Card Processing Sales Calls: Separating Fact from Fiction.” http://www.tdaperks.com/Portals/1/Images/Perks_PDFs/Perks_Value_0714_BestCard.pdf
FlashCritic.com, April 22, 2014, Bill Gertz: “FBI: Health Care Related Cyber Crime Expected to Increase Amid Shift to Electronic Records.” http://flashcritic.com/fbi-health-care-related-cyber-crime-expected-increase-amid-shift-electronic-records/
Bloomberg.com, June 4, 2013, Jordan Robertson: “States’ Hospital Data for Sale Puts Privacy in Jeopardy.” http://www.bloomberg.com/news/2013-06-05/states-hospital-data-for-sale-puts-privacy-in-jeopardy.html
Jennifer Nieto is president of RJ Card Processing Inc. (d/b/a Best Card). Jennifer was a CPA and director of finance for the Colorado Dental Association, and an FDIC bank examiner. Best Card offers excellent rates and customer service to TDA members. As of November 2014, the average effective rate (total fees paid divided by total dollars processed) for TDA members was 2.06%.