
Securing payments is much simpler than securing medical data in many ways because payment processors are centralized entities with established protocols for data transmission, where communication is largely many (vendors) to one or few (the processors), and where only one type of data is being moved. Health care organizations are HIGHLY decentralized entities where authentication is extremely difficult; where orgs employ many different protocols and software stacks; where many different types of data need to move freely between many orgs, with various levels of sophistication, in many different directions (patient to provider, provider to patient, provider to provider, provider to payer, payer to provider, patient to payer, payer to payer, provider to regulator, provider to researcher, provider to vendor, etc), with few established standards for how that is done (paper, phone, email, web application, fax, API, snail mail, CD, hard drive, USB, etc), with many people having access; and where organizations need to be porous, with high turnover by design. It should also be realized that a failure to access payment data or process a payment results in lost business and headaches. A failure to access medical data may kill someone, so tradeoffs between confidentiality and availability are much more nuanced.


In the medical world you have standards (HL7, DICOM, XDS) which are all about throwing large amounts of data around hospital networks (and in the case of XDS - outside). It's a castle with moat model of security - everything within the network is trusted and they focus on keeping the bad guys out.

Obviously that's a horrible strategy and it delivers the expected results..


Also your standards aren't entirely useful if you lack the inter-connectivity to employ them, the UIDs to be able to properly specify the data you are requesting, or restrictions on what data you are allowed to put within fields of the standardized data structures to make it easy to interpret by a program (believe it or not, with some standards this can also be a problem).


I prefer the term "candy shell security". Hard outer layer, warm gooey center.


This is an amazing summary of the problem and why it remains a problem.


Good comment, especially WRT the trade-off between confidentiality and availability. Nonetheless, I do feel that many of these items (few standards, little interchange, often old tech, data decentralization) are primarily problems because the vendors and hospitals don’t really have strong incentive to solve them. I do appreciate that the problem is non-trivial, but I don’t think that the problem would be unsolvable should the appropriate incentives be put into place.



