March Madness begins this month and I’ve been busy studying bracketology as closely as I examine healthcare payment security. In doing so, I can’t help but notice that the science and logic behind selecting the right NCAA basketball teams for your March Madness bracket is similar to the attention that needs to be given to security and compliance decisions in healthcare.
Now, I’m no Joe Lunardi and these picks won’t be featured on ESPN, but it’s important for healthcare organizations to realize that selecting the vendors they work with is a serious process that should not be taken lightly. You’re not selecting a vendor for one month like March Madness but rather a vendor that you will work with for many years to come. A major factor in your decision process should be the security and compliance certifications that your eligible vendors have earned. You want to make sure that the vendors you decide to work with have the right certifications to meet the security and compliance standards that your business demands, and that these certifications are current and updated on a regular basis.
In the spirit of March Madness, I’d like to illustrate this point with a basketball analogy. As a Wisconsin native and a graduate of the University of Wisconsin-Madison, I’m a Badgers fan. In 2008, the Badgers were upset by Davidson and a little-known sophomore, Stephen Curry. (Whatever happened to him?) Just like Steph Curry warming up by dribbling two basketballs, you want to make sure that your vendor keeps its own two basketballs – healthcare and payments – under control.
Here are the certifications – and certificationology – you need to consider when selecting a healthcare payment vendor:
HITRUST CSF
The HITRUST CSF is a certifiable framework that offers organizations a comprehensive, flexible and efficient approach to regulatory compliance and risk management. When a vendor obtains CSF Certified status, it indicates that the organization has met industry-defined requirements, is appropriately managing risk, and belongs to a select group of organizations worldwide that have earned this certification. By incorporating federal and state regulations, standards and frameworks, together with a risk-based approach, the HITRUST CSF helps healthcare organizations address their compliance and risk-management challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.
A vendor must go through a multi-step process to achieve HITRUST certification. After the initial certification, vendors must undergo interim assessments to confirm they are maintaining the level of security required to keep their HITRUST certification.
Certificationology: You definitely want to look for HITRUST certification when selecting a healthcare vendor.
PCI DSS
The Payment Card Industry (PCI) Data Security Standard (DSS) applies to all persons and entities that handle payment cards, including merchants of all sizes, financial institutions, point-of-sale vendors, and the hardware and software developers who create and operate the global infrastructure for processing payments. With credit card payments growing alongside the steady increase in consumer out-of-pocket healthcare costs, healthcare organizations and the vendors they work with fall within the reach of the PCI DSS.
Healthcare organizations need to ensure they are PCI compliant, meaning they are able to accept payment card payments in a compliant way. The best way to ensure PCI compliance is to pick a payment vendor that is PCI Level 1 certified, which confirms the vendor’s own PCI compliance. To become PCI certified, a vendor must be audited by a third-party Qualified Security Assessor (QSA).
Certificationology: PCI certification is a must-have when you’re selecting a payment vendor.
PCI P2PE v2.0
Healthcare organizations that collect payment at point-of-sale locations need to use point-to-point encryption (P2PE) to ensure payment card data is protected. P2PE is a methodology for securing credit card data by encrypting it from the moment a card is swiped or keyed until it reaches a secure endpoint where it is decrypted. Without P2PE, payment card data is exposed to breaches while in transit during the payment process. Additionally, using P2PE will significantly reduce your PCI scope.
Certificationology: A lot of payment vendors talk about P2PE because it’s a must-have for healthcare organizations. However, keep in mind that only solutions listed on the PCI SSC website have been audited and approved by the PCI Council as P2PE Validated solutions.
If it’s time for your organization to consider a new healthcare payment vendor, don’t forget about certificationology. Choosing a vendor with the above certifications will ensure that you’ve made the best decision for payment security and compliance at your organization.