As the kids say, haters are gonna hate. We can add to that: hackers are gonna hack, and thieves are gonna thieve. While healthcare organizations have no control over the actions of criminals, they do have a responsibility to anticipate that those bad actors will attempt to penetrate IT systems. In the event that the first line of defense fails in protecting patient data, it is critical to have contingency measures in place to mitigate the damage bad actors can do.
Healthcare organizations continue to be an attractive target for data thieves. They collect payment card information, social security numbers, birth dates, and other sensitive information that can be sold on the black market. A 2017 report from InstaMed makes the devastating consequences clear: “Once a healthcare organization’s data is exposed, a figurative dam has been broken and the data is available to any hacker or thief to put on the black market for sale to the highest bidder. At present time, there is no way to make exposed data secure again or to take it off of the black market.”
Data breaches are devastating for both the affected organization and the clients the organization failed to protect. Consumers pay attention to issues of security and are rightly concerned about how other parties safeguard their sensitive data. The InstaMed report also found that 59 percent of consumers surveyed held significant concerns about the security of making online medical payments. These concerns also translate to action, with almost half of patients willing to leave providers after a breach, and two-thirds willing to change their behavior for a safer online payment experience. Smart, up-to-date security practices and infrastructure are essential for protecting patient data and therefore maintaining consumer confidence.
One of the best ways to mitigate the damage from a security breach is to make sure that if a bad actor intercepts data, the data will be useless. Kind of like opening a vault only to find another vault. There are two major ways to achieve this goal using security technology: with encryption and with tokenization.
Point-to-point encryption (P2PE) protects customer payment card information from the point of entry until the payment processor decrypts the information. With P2PE, the healthcare organization itself never sees the unencrypted financial data.
Tokenization works by replacing patient payment card information with a token, which functions as a substitute for the payment card information. Sensitive credit card information is not stored on internal networks when tokens are used. These tokens cannot be reverse-engineered to recover the original credit card data, so if an intruder takes possession of them, there will be no market for the captured information and patient financial information will remain safe.
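To make the tokenization idea concrete, here is a small added illustration in Python (not code from the original post or from any payment vendor): a hypothetical token vault that keeps the card number on the processor side, hands the healthcare system a random token that preserves only the last four digits, and refuses to issue tokens that could be mistaken for a real card number. The class name, the format choice and the Luhn-based checks are assumptions for the example.

```python
import secrets
from typing import Dict


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check, used to validate a card number before tokenizing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token service (assumed design, not a real product).
    The card number (PAN) lives only inside the vault; the healthcare system
    stores and passes around the token, which is random and cannot be
    reversed without access to this mapping."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}   # a real vault encrypts these PANs at rest
        self._token_by_pan: Dict[str, str] = {}   # so a repeat card maps to the same token

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 12 <= len(pan) <= 19 or not luhn_ok(pan):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Keep the last four digits for receipts; everything else is random.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject tokens that collide or that could pass as a real PAN (Luhn-valid).
            if token not in self._pan_by_token and token != pan and not luhn_ok(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (the payment processor side) can map a token back to a PAN."""
        return self._pan_by_token[token]


def leaked_token_is_useless(token: str) -> bool:
    """What an intruder holds: the token alone does not even validate as a card number."""
    return not luhn_ok(token)
```

The constructed card number 4111111111111111 is a widely used test value, not a real account.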
We can’t prevent bad actors from attempting their despicable deeds, but we can frustrate them and block them from reaching their end goal of stealing patient information. Our patients trust us to be placing as many barriers as possible between their sensitive information and those who would do them harm by stealing it. The patients don’t just appreciate it—they demand it.