November is a time to reflect and give thanks for all the good things in our lives. As a security officer, I am additionally thankful for accomplishments in the field of security and compliance that help us better protect payment data and prevent data breaches in healthcare. Around this time four years ago, we were not so thankful for the massive breach that affected Target stores and compromised the credit and debit card information of 110 million consumers – right at the start of the holiday season. Consumers were not made aware of the incident until the end of the holiday season after their holiday purchases were made and their data was already exposed.
The attackers responsible for the Target breach used a phishing email to access one of Target’s third-party vendors and install a variant of the Zeus banking Trojan on their computers. The malware eventually gave the hackers access to login credentials for the third-party vendor, which they used to find an entry point into Target’s internal network. Target suffered significant repercussions for the breach, including – most recently – a settlement requiring Target to pay $18.5 million to 47 states.
If any good came out of the Target breach, it’s that it taught the industry a few valuable lessons on how we must ensure that we are protecting our networks at every entry point – and, that we’re only as secure as our third-party vendors. In the four years since the Target breach, new security technologies and compliance regulations have emerged to better protect data and to try and stay ahead of the next big breach.
In the spirit of Thanksgiving, here are the payment security accomplishments for which I give thanks.
Give Thanks for Point-to-Point Encryption (P2PE)
P2PE encrypts a consumer’s payment card information at the point of entry, where the risk of data loss is especially high, and keeps it unreadable until it is decrypted by the payment processor. P2PE significantly reduces Payment Card Industry (PCI) scope on the merchant networks and systems that healthcare organizations use to collect payments, as well as the likelihood of a payment card data breach.
Many payment vendors support P2PE, but only solutions listed on the PCI SSC website have been audited and approved by the PCI Council as P2PE Validated solutions. To offer a PCI P2PE Validated Solution, a vendor must complete the detailed security requirements and testing procedures outlined by the PCI Council to ensure that their solution meets the necessary requirements to protect payment card data.
When healthcare organizations leverage a P2PE Validated solution, they benefit from the highest level of security for payment card data stored and processed on their systems. They also reduce their PCI compliance effort (healthcare organizations using a PCI-validated P2PE solution can complete the simplified 35-question SAQ P2PE, a significant reduction compared to the 300+ question SAQ D), and they gain the ability to expand payment channels with confidence that they are processing payment card information securely.
Give Thanks for EMV
EMV (short for Europay, Mastercard and Visa) is a global standard for authenticating chip-based debit and credit card transactions and is very effective in preventing card-present fraud. In October 2015, the major processing banks implemented a shift that transferred fraud liability to merchants who accept fraudulent chip card transactions, unless they use EMV-capable point of sale (POS) devices. This fraud liability impacts healthcare organizations as well. After the liability shift, millions of merchants, including healthcare providers, reacted by purchasing new card reader devices that could support EMV transactions. According to Visa, there are 1.46 million chip-enabled businesses across the U.S. Since the migration to EMV in the U.S., merchants with EMV-enabled terminals have seen a drop in counterfeit fraud by 58%, and financial losses from fraud have dropped by 28%.
I’m not so thankful to know that some organizations are still struggling to support EMV.
Give Thanks for Apple Pay and Android Pay (NFC)
Have you ever been in line behind someone at a Starbucks who paid for their latte by holding their phone up to a small device on the check-out counter? That’s near-field communication (NFC). NFC lets two devices communicate when they are close to each other, often within inches. Apple Pay and Android Pay leverage NFC to create a simple payment experience, so everyday purchases like coffee and lunch are incredibly convenient. Why not deliver that same level of convenience to patients paying healthcare bills? Apple Pay and Android Pay are available for healthcare payments (in fact, InstaMed was the first to bring Apple Pay to healthcare). With the growing popularity of integrated health applications and wearable technology, it is likely that these payment options will continue to be relevant to healthcare payments.
I am thankful that these payment options are very secure.
Give Thanks for HITRUST
The HITRUST CSF is a certifiable framework that offers organizations a comprehensive, flexible and efficient approach to regulatory compliance and risk management. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the HITRUST CSF helps healthcare organizations address these compliance and risk management challenges through a comprehensive and flexible framework of prescriptive and scalable security controls. Healthcare organizations should look to work with third-party vendors who have achieved HITRUST CSF Certified status. When a vendor obtains CSF Certified status, it indicates that the organization has met industry-defined requirements, is appropriately managing risk, and is part of an elite group of organizations worldwide that have earned this certification.
I am thankful to hear many healthcare organizations specifically seeking out HITRUST certified partners when looking to work with third-party vendors.
Give Thanks for the InstaMed Secure Token
The InstaMed Secure Token enables healthcare organizations to deliver a seamless and secure online consumer payment experience within their existing portals with cardholder data never touching their servers. As a result, consumers can make one-time payments and also have full access to their digital wallet for future or recurring payments while using any device. Likewise, healthcare organizations significantly reduce their PCI compliance efforts and ensure that cardholder data is protected.
I am thankful that we at InstaMed created a seamless and consumer-friendly online payment option that also helps healthcare organizations reduce their PCI scope by up to 90%.
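The flow described above, with cardholder data never touching the merchant's servers, is tokenization: the processor holds the card, and the healthcare organization keeps only an opaque token. The example below is added here to illustrate that flow; it is not InstaMed's code and does not describe the InstaMed Secure Token's actual protocol. The `ProcessorTokenVault` and `HealthcarePortal` classes, the `tok_` prefix and the test card number are all constructed for the example; the in-memory dict stands in for the processor's protected card store.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test, the first sanity check a processor applies
    to a card number before storing it."""
    digits = [int(c) for c in pan]
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class ProcessorTokenVault:
    """Stands in for the processor-side service that holds card data.

    In production the PAN would live in an encrypted, HSM-backed store;
    the dict here is a constructed stand-in so the example runs offline.
    """

    def __init__(self):
        self._cards = {}

    def tokenize(self, pan: str, exp_month: int, exp_year: int) -> dict:
        """Accept card data (from the consumer's browser, not the merchant)
        and return a token plus the non-sensitive display fields."""
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("invalid card number")
        # The token is random: it is a lookup key, not an encoding of the PAN,
        # so it cannot be reversed outside the vault.
        token = "tok_" + secrets.token_urlsafe(24)
        self._cards[token] = {"pan": pan, "exp": (exp_month, exp_year)}
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_cents: int) -> dict:
        """Authorize a payment against a stored token. Only the processor can
        map the token back to a PAN; an unknown token is rejected."""
        card = self._cards.get(token)
        if card is None:
            return {"ok": False, "reason": "unknown token"}
        # Network authorization would happen here; the PAN never leaves the vault.
        return {"ok": True, "amount": amount_cents, "last4": card["pan"][-4:]}


class HealthcarePortal:
    """Merchant side (the healthcare organization's portal).

    It stores only tokens and display fields, so a compromise of this
    system exposes no cardholder data and the system stays out of PCI scope
    for PAN storage.
    """

    def __init__(self, processor: ProcessorTokenVault):
        self.processor = processor
        self.wallets = {}   # patient_id -> list of stored payment methods

    def add_payment_method(self, patient_id: str, token_response: dict) -> None:
        # token_response is what the processor returned to the consumer's
        # browser; the PAN itself never passed through this server.
        self.wallets.setdefault(patient_id, []).append(
            {"token": token_response["token"], "last4": token_response["last4"]}
        )

    def pay_bill(self, patient_id: str, method_index: int, amount_cents: int) -> dict:
        """Recurring or one-time payment from the patient's digital wallet."""
        method = self.wallets[patient_id][method_index]
        return self.processor.charge(method["token"], amount_cents)


if __name__ == "__main__":
    vault = ProcessorTokenVault()
    portal = HealthcarePortal(vault)
    # Constructed test PAN (a well-known Visa test number), not real card data.
    resp = vault.tokenize("4111 1111 1111 1111", 12, 2020)
    portal.add_payment_method("patient-42", resp)
    print(portal.wallets)                         # token and last4 only
    print(portal.pay_bill("patient-42", 0, 12500))
```

The property worth checking in a real deployment is the one the test asserts: the merchant's own records can be searched for the PAN and it is not there, and the token is useless to anyone who cannot reach the processor's vault.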
Give Thanks for the Sunsetting of TLS 1.0
For almost twenty years, TLS has been the secure communications protocol of choice for a large part of the Internet. TLS is a cryptographic protocol used to establish a secure communications channel between two systems. Used by banking sites, ecommerce sites, email providers, bill payment, social media platforms and more, TLS is used to protect the confidentiality and integrity of information that passes between systems and can also be used with public-key cryptography to authenticate one or both systems.
In April 2015, as a result of the Heartbleed bug and other discovered vulnerabilities, the Payment Card Industry Security Standards Council (PCI SSC) removed early versions of TLS as an example of strong cryptography from the PCI Data Security Standard (DSS) version 3.1 and decided that early TLS v1.0 could not be used as a security control after June 30, 2016. This meant that organizations with systems and applications using early versions of TLS had to have a formal Risk Mitigation and Migration Plan in place. However, in December 2015, PCI SSC extended the completion date to June 30, 2018 to give organizations more time to complete their migration. This means that in order to be PCI compliant, all entities must migrate from TLS 1.0 to a secure version of TLS (as defined by NIST) by June 30, 2018.
I am thankful that InstaMed has a plan for sunsetting TLS v1.0.
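Sunsetting TLS 1.0 has two practical halves: configuring your own clients and servers so they cannot negotiate early TLS, and tracking which systems in the inventory still do until the June 30, 2018 deadline. The Python example below is added here to show both; it is not InstaMed's code or plan. It uses the standard `ssl` module; the inventory entries are constructed, and the choice to treat TLS 1.2 as the floor is this example's assumption (NIST guidance at the time still tolerated TLS 1.1, but 1.2 is the floor a practitioner would set on a new deployment).

```python
import socket
import ssl
from datetime import date

# Deadline stated on the page for the PCI DSS migration away from early TLS.
MIGRATION_DEADLINE = date(2018, 6, 30)

# Assumption for this example: TLS 1.2 or later counts as a secure version.
# Names match what ssl.SSLSocket.version() reports after a handshake.
COMPLIANT_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def version_is_compliant(protocol_name: str) -> bool:
    """Classify a negotiated protocol name ("TLSv1", "TLSv1.1", "TLSv1.2", ...)."""
    return protocol_name in COMPLIANT_VERSIONS


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses to negotiate anything below TLS 1.2.

    PROTOCOL_TLS_CLIENT also enables certificate verification and hostname
    checking, which is the public-key authentication of the remote system
    the text mentions. The same minimum_version setting applies to a
    PROTOCOL_TLS_SERVER context on the server side.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION   # TLS compression leaks plaintext (CRIME)
    return ctx


def context_is_compliant(ctx: ssl.SSLContext) -> bool:
    """True only when the context cannot fall back to TLS 1.0 or 1.1."""
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED:
        return False   # "whatever the library allows" may include TLS 1.0
    return floor >= ssl.TLSVersion.TLSv1_2


# Constructed inventory standing in for a migration plan: each entry is a
# system and the protocol version it was observed negotiating.
INVENTORY = [
    {"system": "patient-portal", "observed": "TLSv1.2"},
    {"system": "legacy-billing-gateway", "observed": "TLSv1"},
    {"system": "eligibility-api", "observed": "TLSv1.1"},
]


def migration_report(inventory, today: date):
    """List the systems still on early TLS, with days left before the deadline."""
    days_left = (MIGRATION_DEADLINE - today).days
    return [
        {
            "system": entry["system"],
            "observed": entry["observed"],
            "days_left": days_left,
            "overdue": days_left < 0,
        }
        for entry in inventory
        if not version_is_compliant(entry["observed"])
    ]


def negotiated_version(host: str, port: int = 443) -> str:
    """Connect with the hardened context and report what was negotiated.

    With the TLS 1.2 floor, a server that only speaks TLS 1.0 fails the
    handshake with ssl.SSLError instead of silently downgrading. This makes
    a network call and is not exercised by the offline test.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print("context compliant:", context_is_compliant(hardened_client_context()))
    for row in migration_report(INVENTORY, date(2017, 11, 20)):
        print(row)
```

Running the report against the inventory on 20 November 2017 lists the two early-TLS systems with 222 days left; the same call after the deadline flags them as overdue, which is the signal a compliance owner wants surfaced automatically rather than discovered at the next assessment.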
Give Thanks for a Greater Awareness of Security Threats in Healthcare
Healthcare organizations are complex, especially now as we see more mergers and acquisitions of health systems. When organizations expand or merge, they are often bringing together multiple systems and third-party vendors and trying to get them to all work together. Not only is this a complicated process, but involving multiple systems and third-party vendors can greatly increase an organization’s risk of a data breach, as evidenced by the Target breach. When data flows between multiple disparate systems, it is much more difficult for an organization to protect itself, as accountability for the data varies depending on which part of the process or which system it is currently living on.
As a result, awareness about security threats has risen significantly in the healthcare industry. No healthcare organization wants to be the next data breach headline. I’m thankful that when I speak with healthcare providers today, I hear many more questions about security and compliance for healthcare payments. Security threats are not going away, and they shift and evolve constantly. That’s why it’s so important to continue to educate the industry and raise awareness. I am thankful that I have the opportunity to raise awareness through this blog.
Give Thanks That Security and Compliance Have a Seat at the Table
When there was less awareness about serious security threats in healthcare, it felt like the industry was trying to ignore security and compliance discussions – as if we had put security and compliance at the kids’ table for Thanksgiving dinner. Now, more healthcare organizations are incorporating security and compliance into every decision they make.